No matter your industry or company size, each person in your organization plays an important role and needs to understand that from the moment they join your team. This is especially true when it comes to the security of your organization and the data you are trusted with.
With that in mind, let’s look at some of the ways you can help your team understand their contribution to company security and how you can incorporate this into your training program.
We’ve said this a million times and we’ll keep saying it. Phishing tests should be a part of your security training and should be conducted regularly.
In a phishing attack, recipients are first tricked into opening the email, and then into clicking a link within the email or opening an attachment. Either action can open any of a number of security holes through which the attacker can then obtain sensitive data.
To be truly effective, phishing tests should be conducted regularly. Rocket IT typically uses quarterly testing with our clients, through which we send an unannounced test email to a client’s users. We track the click-through rate and then offer recommendations on how to keep users from falling prey to real phishing emails. These recommendations may include online training courses, live training, and other forms of education designed to help users understand how to work in a way that is both safe and productive for your organization.
Research suggests that after a year of training, the risk that a user will click a link or open a file from a phishing email drops from 27% to 2%.
Security Awareness Training
Much like other aspects of the training process, security awareness training is not a “once and done” deal, but rather an ongoing effort to educate your team on the best ways to protect themselves and the rest of the organization from a number of security breaches. This type of training should include thorough information on security best practices as well as general guidelines, policies, and procedures.
In addition to helping your team understand how to prevent gaps in security, security awareness training should also cover how employees report suspicious emails and anything else they feel could be a potential threat, so the issue can be handled according to protocol before significant damage is done.
Boundaries and Rules
Your team also needs to understand and agree to abide by the rules and boundaries you have in place. As you explain the guidelines and expectations, remind your team that your organization is not setting these boundaries as a limitation but rather as a precaution to help protect everyone on your team and the information your organization has been entrusted with. Ensure team members sign the necessary documents indicating that they have read and understood the rules in place.
If your organization gives access to certain files, client information, or even the server room based on job function, make sure employees know they are not to share passwords, badges, or any other information that would grant another team member clearance to access controlled files or rooms.
While it shouldn’t be the emphasis of the discussion, your team should also be made aware of the consequences of breaking any rules or boundaries you have in place. Remember to keep the focus of the conversation on why you have these in place – to protect your team and your data.
Security is not the responsibility of one person or team, but rather your entire organization.
Take the time to fully explain this when you onboard new employees and provide them with continued training to help maintain and strengthen the security of your organization. It’s worth the effort to ensure your team understands how each person plays a vital role in your organization’s security efforts.