The specter of insider threats hangs over every employee in an organization. An employee can inadvertently be a threat after opening a suspicious email, may intentionally cause a breach for profit, or may be impacted after a breach occurs. Enlisting all employees in your insider threat mission is a critical need.
Communication and education are key to ensuring everyone in your organization is focused on security. The proper introduction of monitoring software is another key piece to consider. Here are three ways to enlist your employees in your battle against insider threats.
Ensure everyone is all-in on security. Every employee is responsible for ensuring the security of your infrastructure. Ensure you communicate security policies at onboarding, and keep these policies up to date. Consider requiring a yearly read and sign-off acknowledgment of the policy by all employees. Discuss the very real consequences of a breach and how it impacts employees. At a micro level, breaches result in lost work and cause rework for the employee. At a macro level, breaches impact corporate reputation and profitability.
Offer initial and ongoing security education. Beginning with your new-hire onboarding, offer security education and share helpful tips and resources. Provide examples of what a phishing scam looks like. Ensure employees know how to back up their work. Educate remote and traveling employees about ways to stay safe out of the office. As new risks emerge, update your employees with examples and information to stay on top of threats.
Properly introduce threat monitoring software. Insider threat detection software is a powerful weapon in the battle against insider attacks. Ensure you properly introduce such software in your organization by following these recommendations:
- Be transparent about your decision to use employee monitoring software. Some industries and organizations believe that informing employees of monitoring will deter employees from committing malicious or possible criminal activity. Being transparent can also mitigate some concerns about monitoring individual employees. The Santa Clara Valley Water District educated its employee bargaining units on why monitoring was being put in place, how it would be done, and how it would affect employees. All of these issues were discussed at various meetings over six months before monitoring began.
- Develop and share clear policies about why and when monitoring is being used and how the data is used. You may want to discuss how monitoring will be used to protect corporate assets, ensure use of corporate-approved software, and avoid use of prohibited software and/or websites.
- Discuss the benefits for individual employees. Monitoring software can help identify bottlenecks in online processes and uncover suggested technique improvements to share with your team. Organizations can reap business intelligence from knowing what their employees do every day, says Kate Bischoff, SHRM-SCP, a Minneapolis attorney and former HR director. The benefits include improving organizational structure, identifying what tools employees need, and finding out employees’ most productive periods.
- Maintain a focus on accomplishments, not time spent at a desk. Avoid using the software as a timekeeping device.
Protecting corporate assets is truly one mission in which every employee should ‘think like an owner’. Ongoing education and proactive communication can help employees join your insider threat mission.
This article was originally published in IT Security Central and was reprinted with permission.