Say ‘security’ and the echo you hear is ‘cybercrime’. Cybercriminals keep getting better and are often a step ahead of the measures organisations take to fend them off. The problem is that the fight against cybercrime focuses on IT, while people matter just as much. Security in the workplace is routinely underestimated.
Security is not the IT department's responsibility alone; every employee has to do their part before security in the workplace can be guaranteed. But how do you enforce a policy that delivers workable security?
When it comes to using the internet, Dutch people often switch off their common sense and rely blindly on technology. A recent study, for example, found that the Dutch employee places a great deal of trust in antivirus software, passwords and the IT department. That trust is exactly why so many bad decisions are still being made.
At the same time, many employees report that few employers have taken measures to create awareness of online dangers. The consequences are far-reaching: one in three employees shares corporate passwords with a third party. Nobody likes that, of course, especially with the AVG (the Dutch name for the GDPR) getting closer. Below I give some advice on the measures that should be taken to improve security in the workplace.
Set up workable password policies. Dutch people still use weak passwords, which makes it easier for criminals to crack several of their accounts at once. The moment your mailbox, or a colleague's, is compromised, it is only a small step to other online accounts and perhaps even corporate systems. The cybercriminal already knew the email address and now controls the mailbox as well. All that is left is to click ‘forgot password’ on almost any other online service, receive the reset link in the compromised mailbox, and take over that account too. Before you know it, the criminal has access to important corporate data.
So how do you deal with this? Most of us experience passwords as annoying and inconvenient, but the fact is that they are essential and we will have to learn to live with them. A weak password policy, or no password policy at all, is a risk that organisations expose themselves and their employees to. The moment employees are left to their own devices, things go wrong.
On the other hand, we should not go overboard either and demand unique passwords of at least 25 characters that must be changed every month. There has to be a balance, but the policy must be enforceable and it must be checked. Password policies have to be strict but workable, so that people do not work around them. If the rules stay workable, people are less likely to reuse private passwords for corporate accounts.
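What ‘strict but workable’ can look like in practice, as an added example that is not code from the original article: the concrete numbers (a 12-character minimum, a small blocklist, rotation only after a suspected compromise) are assumptions chosen to contrast with the 25-characters-and-monthly-rotation policy the text warns against, not a policy the author prescribes.

```python
"""Two password policies side by side: the overboard one the article warns
against and a workable alternative that favours length and a blocklist over
composition rules and clock-driven rotation. Added example; all values are
assumptions, not the author's recommendations."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Policy:
    min_length: int
    max_age_days: Optional[int]   # None: change only on suspected compromise
    check_blocklist: bool         # reject passwords known to be bad


# Assumed values: the kind of policy people work around.
OVERBOARD = Policy(min_length=25, max_age_days=30, check_blocklist=False)
# Assumed values: strict enough to block the easy wins, workable enough to keep.
WORKABLE = Policy(min_length=12, max_age_days=None, check_blocklist=True)

# Constructed blocklist; in practice load a breached-password corpus.
BLOCKLIST = {"wachtwoord123", "welkom2024!!", "password1234"}


def check_password(password: str, email: str, policy: Policy) -> list[str]:
    """Return the list of policy violations (empty means the password passes)."""
    problems = []
    lowered = password.lower()

    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    if policy.check_blocklist and lowered in BLOCKLIST:
        problems.append("appears in the blocklist of known-bad passwords")

    # A password built from the account name is the first thing an attacker
    # who already holds the e-mail address will try.
    local_part = email.split("@", 1)[0].lower()
    tokens = [local_part] + local_part.split(".")
    if any(len(t) >= 4 and t in lowered for t in tokens):
        problems.append("contains the account's e-mail name")

    # Catch "aaaaaaaaaaaa": long, but trivially guessable.
    if len(set(lowered)) < 4:
        problems.append("uses fewer than 4 distinct characters")

    return problems


def change_required(last_changed: date, today: date,
                    compromised: bool, policy: Policy) -> bool:
    """Rotation decision: always after a suspected compromise, otherwise only
    when the policy has a maximum age and it has been exceeded."""
    if compromised:
        return True
    if policy.max_age_days is None:
        return False
    return (today - last_changed).days >= policy.max_age_days


if __name__ == "__main__":
    user = "jan.jansen@example.nl"   # constructed account
    for pw in ("blauwe fiets 2024!", "Wachtwoord123", "Jansen2024!!!"):
        print(f"{pw!r}: overboard={check_password(pw, user, OVERBOARD)}"
              f" workable={check_password(pw, user, WORKABLE)}")
    print("rotate after 60 days, no incident:",
          change_required(date(2024, 1, 1), date(2024, 3, 1), False, WORKABLE))
```

Note what each policy catches: the overboard policy rejects a perfectly good passphrase purely on length and lets a blocklisted password through once it is long enough, while the workable policy rejects the known-bad and account-derived passwords and leaves a good passphrase alone until there is an actual reason to change it.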
Provide guest accounts on laptops. It is very common for corporate laptops to be taken home and used by family and friends as well. The risks that come with this are considerable: corporate information can end up anywhere by accident. Yes, most work computers and laptops are protected with a password, but the question is whether that measure is effective in practice. Almost one in three employees says the password for their corporate computer is known to at least one other person in their private circle, and in 40 percent of those cases that person can use the login to reach corporate systems and data.
That is why measures to limit this risk are essential. Discuss the use of the corporate laptop with your employees, or set up guest accounts so that third-party use does not happen under the employee's own login. Some employees will resist, but this is not only about the huge, possibly disastrous, fine you are risking; it is about the safety and privacy of your employees, clients and other relations.
To go online responsibly, people need to have the risks explained to them and be able to recognise them. Dutch employees themselves say they still lack the necessary knowledge. 63 percent are convinced they can recognise malicious emails, but when put to the test, most cannot. Many security incidents start with someone clicking a harmful link or opening a harmful attachment, and it happens far too often, leaving the work computer or laptop infected. More awareness of the dangers of phishing would certainly not hurt.
IT departments are naturally inclined to solve problems with technical measures: more monitoring, more virus scanners, more firewalls. But that is not the kind of solution that involves employees or makes them more aware of their own online behaviour. Awareness among employees can improve security by at least 25 percent. An IT department that is open about its own limitations, rather than posing as all-knowing, is crucial here. Technical measures are a necessity, but the help of the employees themselves may be even more important. Educate them regularly about developments in security and give them a clear picture of the risks of their current internet behaviour. It is also of the utmost importance to point out the measures that have already been taken: if employees do not know about them, they cannot act on them either.
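The kind of checks a trained employee should be able to make on a suspicious message, as an added example (not code from the original article) written for a hypothetical organisation whose domain is assumed to be example.nl; both sample messages below are constructed for the example and are not real traffic. The script flags a sender outside the organisation's domain, a Reply-To that differs from From, link text that shows one host while the href points to another, and lookalike hosts that embed the organisation's domain name.

```python
"""Phishing-indicator check over a constructed e-mail message.
Added example; ORG_DOMAINS and both sample messages are assumptions."""
import re
from email import message_from_string
from email.policy import default as EMAIL_POLICY
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAINS = {"example.nl"}   # assumed: the organisation's own domain(s)


def registered_domain(host: str) -> str:
    """Last two labels of a host. Simplification: no Public Suffix List, so
    'example.co.uk' would be mishandled; adequate for this example."""
    return ".".join(host.lower().split(".")[-2:])


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text: str):
    """Host the link text claims to point at, or None if the text is not URL-like."""
    if "://" not in text:
        if not re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}(/.*)?", text):
            return None
        text = "http://" + text
    return urlparse(text).hostname


def phishing_indicators(raw_message: str) -> list[str]:
    """Return 'tag: detail' strings for each indicator found (empty if none)."""
    msg = message_from_string(raw_message, policy=EMAIL_POLICY)
    findings = []

    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    if registered_domain(from_domain) not in ORG_DOMAINS:
        findings.append(f"sender-domain: From is {from_domain}, not an organisation domain")

    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to: replies go to {reply_domain}, not {from_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body else "")
    for href, text in extractor.links:
        host = (urlparse(href).hostname or "").lower()
        if registered_domain(host) not in ORG_DOMAINS:
            if any(d in host for d in ORG_DOMAINS):
                findings.append(f"link-lookalike: {host} embeds an organisation domain but is not one")
            else:
                findings.append(f"link-outside: {host} is outside the organisation")
        claimed = shown_host(text)
        if claimed and claimed.lower() != host:
            findings.append(f"link-text-mismatch: text shows {claimed}, href goes to {host}")
    return findings


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: IT Helpdesk <helpdesk@example-nl.support>
Reply-To: reset@mail-reset.example.net
To: jan@example.nl
Subject: Your password expires today
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires in 24 hours. Reset it now:</p>
<p><a href="https://example.nl.login-portal.example.org/reset">https://intranet.example.nl/reset</a></p>
</body></html>
"""

LEGIT = """\
From: IT Helpdesk <helpdesk@example.nl>
To: jan@example.nl
Subject: Planned maintenance on Saturday
Content-Type: text/html; charset="utf-8"

<html><body><p>Details are on the intranet:
<a href="https://intranet.example.nl/maintenance">intranet.example.nl/maintenance</a></p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(name, phishing_indicators(sample))
```

The point of the example is not the script itself but the list of things it looks at: each finding is something a person can check by hovering over a link or reading the sender address, which is exactly the habit awareness training should build. A suspicious message produces four findings; the legitimate one produces none.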
Give employees co-responsibility. As the previous points show, employees rely fully on the measures the IT department has taken and on the various security technologies. It may sound like middle school, but give employees co-responsibility for security by rewarding good behaviour. Found a USB stick in the car park, received a strange email or an odd phone call? Report it to your manager or the IT department and the whole department gets a surprise cake. This takes away the hesitation people may feel about reporting and raises awareness.
In short, employers, IT managers and employees all play an important part in the digital security of the workplace. So set up security policies, train employees and make sure they understand why the measures are needed. In practice, far too much is assumed about what employees know, and those assumptions are often wrong. Enforcing security policies may generate some resistance at first; accept that and get the discussion going. Ultimately, it is about guaranteeing a safe, free and open internet.
By: Wido Potters