Privacy is teamwork: how to raise the security and privacy awareness of your SMB staff?
The International Privacy Day 2018 is here to raise the privacy awareness of people and businesses. Getting a team security and privacy-conscious is similar to achieving herd immunity: in order to secure the whole group, there has to be a significant majority who are protected against the most common threats and risks.
But how to increase the privacy awareness of your entire team and business? Here are some tips how to engage your staff and make privacy and security teamwork.
Get a dedicated person whose task is information security.
If your company is still small, you might think that you don’t need a dedicated person for information security, your IT admin or someone from your technical teams will take this extra responsibility. This is not true. Especially at SMBs, people might be already overwhelmed with more areas, and this can result in neglecting some of the aspects of their tasks. A dedicated person can support everyone’s work and take on the larger projects that need to be done in order to raise the awareness of your whole company. Also, if you’d like to earn certifications such as ISO or comply with regulations such as the GDPR (which will be a must from May 2018), you will need a dedicated information security person on your team, so it’s good to think ahead early on.
It is important to start creating internal security and privacy policies and practices as soon as you can. Building a security-focused culture is easier, while your organization is young and the size of your team is small. When your team grows further, you can onboard people more conveniently and share cybersecurity and privacy knowledge with the new staff if you already have the foundations.
Pro tip: Separate security and IT in your organization as soon as possible, so when implementing standards, the roles and responsibility split will be easier.
Make sure security awareness is teamwork and it doesn’t belong to silos
In order to protect the whole company, everyone needs to play fair and adhere to some basic rules. Even if the majority of your team is attentive to risks if there are some who don’t pay attention they can put the security of your whole organization and the data you manage at risk.
Surprisingly, if you establish practices that are shared and applied by everyone and awareness of your team is high, the number of security-related incidents and issues reported will grow. There’s no way to be completely protected from security threats and privacy concerns, but if you have processes that detail how to manage them, it will make dealing with issues more transparent and effective.
Try to make people aware of the security risks even in their private life when they browse online at home or check-in to cafes and use public networks. Especially with BYOD and mobile work, the boundaries of private and professional have merged, so the awareness also has to extend beyond the traditional office environment.
Pro tip: Use tools such as posters, warning signs or cartoon snippets that raise awareness in an indirect way, in a context where people usually don’t meet security tips. E.g.: a poster in the staff kitchen that says “Did you lock your computer before leaving your desk?”.
Security training is a must – get creative in how you share knowledge.
Security and privacy awareness training is designed to control the human factor, which is often the weakest link. A general introductory training that covers the 101 of cybersecurity and privacy practices is crucial to get your team on the same page. It is also useful for you to gain feedback from your team about their current level of knowledge and weak spots that need more improvement. It is especially true for SMBs who usually don’t have established cybersecurity processes yet.
However, a general training is just a starting point of a longer process. Organize dedicated education for each team to share specialized, hands-on tips that connect to their day-to-day job. For example, share information about the privacy concerns of customer relationship management tools for marketing teams.
Add some fun to all this, otherwise, your efforts will fall flat. Get as practical as you can, organize quizzes, use tools. For example, check services that send your team mock phishing emails or use other channels to test how aware people are of the threats of social engineering. You can also start a monthly awareness newsletter where you discover a hot topic in detail, for example, ransomware when there’s a large attack going on.
Another thing, don’t overdo training and privacy awareness raising. Cybersecurity fatigue is a real thing: if you talk too much about cybersecurity and privacy issues, your team is going to get saturated and bored with all the information and they will not apply them in their day-to-day work.
Pro tip: Do both education and training. Education focuses on telling people why something makes sense and providing a general context in which they can exercise individual judgment. Training is a means by which people learn what to do and how to do it. You need both to ensure that your people are doing the correct things and exercising sound judgment.
Define your priorities based on your industry and the activities of your staff.
Cybersecurity and privacy are complex fields, with lots of aspects to be attentive to and threats to be aware of. You cannot start dealing with all of them at the same time. Customize your processes tailored to your business.
The most common areas where you have to pay attention are:
- HR processes. This is the area within the organization that deals with the most confidential and personal data that hackers are after. It is essential to do data classification for your organization to check where you handle most of the sensitive data.
- General application security. With digital workplaces, developer tools, and collaboration software, your staff downloads and uses apps and services all the time. It is basically impossible to rule out shadow IT, that is downloading apps without the knowledge of the IT department. However, if you have general policies aimed at using apps, that might help to mitigate the risks.
- Network security and device management. Managing networks and using internet securely in the office is a priority for all companies. Keeping track of company-owned and personal devices is also essential to get protected from security threats.
- Respecting the privacy of customer and staff data by having the clear consent of the data owner.
- Physical security. This is often neglected but is essential. Leaving devices unattended or documents around can result in serious information leaks.
Pro tip: Tailor the content to the audience: senior managers, IT staff, and end-users all have different relationships to information systems and different motivations to adhere to company data protection policies. For example, engage your senior management by informing them about the consequences of data breaches or leaks.
Don’t forget it’s a process: PDCA.
Cybersecurity and privacy awareness is never a completed task but a process you should improve constantly. The basics of process management provides helpful resources for this. The Plan, Do, Check and Act (PDCA) method is especially useful for information security management.
Pro tip: Always measure the effectiveness of your education efforts. For example, if you perform a phishing test, you will have a percentage of users failed. After this, use the PDCA approach to Plan what and how to improve, Do the necessary actions and Check back, that is re-run the phishing simulation in a couple of months time to reassess the organization and Act accordingly. This way, you can set measurable goals and your management will also see the effectiveness of the program.
About the author
|Zoltan held various compliance assurance, information security, audit, and operation support positions at IBM before joining us as Information Security Officer. Now he is working on further improving our internal security policies as part of our ISO27001 certification process.|