One overlooked aspect of cybersecurity is training for the employees at your company in proper data management practices. All of the technical measures that a company employs to guard against intrusions do not matter when an employee knowingly or unknowingly circumvents those measures. Proper training can help to reduce the number of incidents and lower your chances of suffering from a data breach.
Password Management - Proper password management is key to any cybersecurity program. The technical barriers to entry are only as good as the passwords that unlock them. Employees should be required to use passwords that are a certain length, contain upper and lowercase letters and special characters. Also, when possible more sensitive information should be protected by two-factor authentication. This type of login requires the user to not only know their password but also possess something such as a phone or key fob. This way even if the password were to be compromised access to the system would still be barred without the physical access tool.
1. Portable Devices - The use of portable devices such as mobile phones, tablets and laptops allows employees to easily work from anywhere outside the office. This can be a boon to productivity but also requires extra diligence on the part of the employee. The company or customer information that is contained on that portable device now must be protected outside the confines of the office. The employee must be careful with devices that wirelessly connect to the internet. Caution needs to be used when connecting to "Free Wi-Fi" spots that are not password protected. These can be wireless signals that are set-up to steal information from your devices. Also, the loss of a portable device that contains customer information needs to be reported immediately to IT or management in order to minimize any damages from losing that device.
2. Phishing Emails and Social Media - Phishing or spear-phishing emails are designed to manipulate the recipient into clicking a link that contains malware or requests the recipient do something they should not. A phishing email will be a broad email that is aimed at millions of people. A spear-phishing email will use specific information to craft the email to a particular recipient. One source of information that hackers may use to craft a spear-phishing email is an employee's social media accounts. These accounts can be massive resources of information for someone to craft an email that appears legitimate. Employees should be instructed on the benefits of managing the privacy settings on their accounts to limit access to friends, family or people they know.
They should also be taught patience when dealing with any request for transfers of electronic information. When someone is crafting a spear-phishing email they will try to get you to answer them quickly without thinking. They will make the need to reply an urgent one that is very time-sensitive and needs to be completed right that moment. Employees need to be trained to check with an actual person before transferring money or sending any other personal information electronically. This simple extra step could prevent a loss of money or information.
3. Impact on the Entire Company - The importance of data governance for every employee in the company is something that must be stressed. It is not simply the IT department's job to keep everything secure because there are always going to be ways for employees to circumvent technical measures and those employees have to understand the importance to the company as a whole that data be secure. Losing electronic information could trigger data breach notifications procedures and cause severe reputation and financial loss to a company. These are losses that would be felt by the entire company and is why data governance is something that every employee needs to regard as a priority.
4. Explain Importance of Specific Categories of Data - Most employees are going to understand that social security numbers and credit card information are sensitive pieces of information that must be protected. What could be less clear to them is the regulations that surround other pieces of information your company may collect and the importance of keeping those safe as well. Personally identifiable information when collected and stored by a company is information that if lost by the company could subject it to breach notification laws. There are forty-seven different state breach notification laws as well as federal ones and seemingly innocuous information may be covered by these laws. Therefore, employees need to be aware of the importance of the information they are dealing with.