In recent years, “cyber security” has been in the headlines almost every day. Companies continue to face an increasing number of digital threats that call for new ways to tighten the reins on data privacy and security. However, organizations must go beyond just investing in expensive cyber tools and tackle the problem at its root.
Cyber security professionals have confirmed that employees are indeed the weakest link in the security chain. Contrary to what many companies think, targeted criminal attacks aren’t the most common causes of security breaches. Sometimes, it’s an employee falling victim to a spam email or poor data storage. Among the many problems faced by enterprises, a study conducted by Trend Micro found that business email compromise topped the list, with global losses climbing to $5.3 billion since 2013.
To keep up with the rapid pace of digitization, companies must improve their policies and foster a workplace culture that puts a premium on data protection. In today’s digital economy, data privacy and security are everyone’s business, especially for companies for whom public trust is of the utmost importance.
Transparency is key
New policies have been made to empower individuals and give them back control over their personal data, such as the EU’s General Data Protection Regulation. It gives users the right to review and erase their data at any time while promoting increased awareness of what they consent to.
Companies that are not covered by the regulation or similar policies, however, can step it up and take the initiative in transparency and accountability. Incorporate your organization’s commitment to data privacy and security in your mission and vision statements, and ensure it aligns with your corporate code of conduct. That way, it also acts as a pillar your employees can lean on and a basis for all company policies.
Ensure that each employee is aware of their commitments as part of the company. With the globalization brought about by technology, they must be vigilant about local and international regulatory requirements. Being a global data citizen means having structured flexibility that transcends cultures.
For the message to truly resonate, you must be able to connect data privacy risks to employees’ personal lives. Uber security program manager Samantha Davidson shared that the global ride-sharing company is doing this by creating programs catered to region, department, and role. “Our people understand that security is part of their story and culture,” she stated in an interview.
Therefore, work closely with internal teams, particularly the HR department, who can provide in-depth insights about your employees and their cyber behavior. Awareness efforts can be more creative than traditional posters and infographics, but should never be too complicated. Ben Laurie from Google Research warns, “Most people’s goal is not to be secure, but to get the job done. And if they have to jump through too many hoops, they will say, ‘To hell with it.’”
Implement and train
Now the goal is to increase your employees’ abilities to judge threats and the consequences that come with them. Maryville University highlights the difference between offensive and defensive cyber security strategies. The former consists of measures related to ethical hacking, testing your company’s existing cyber security infrastructure to see how much it can withstand. Defensive strategies, on the other hand, revolve around eliminating vulnerabilities and managing incident response and malware analysis. Companies must effectively discern which one is more appropriate for their needs. Is it prevention, something more proactive, or a combination of both?
One basic, yet important task for company leaders is to encourage cyber data literacy, especially given the wealth of jargon that is easily misunderstood. Consider implementing a 10-second countdown timer on outgoing emails so employees can rethink the information they send out and consider whether their behavior might put the company and its data at risk. Another way to gauge their online habits is to send out mock “phishing” emails to see who takes the bait. This helps teach them to be more wary and vigilant regarding unexpected mail from unknown senders. As mentioned earlier, compromised business emails rank as one of the top internal company threats.
Considerations may vary depending on the nature of the business and department. So, businesses may opt to provide role-specific training. This procedure should never be a one-time thing. It should be maintained and reinforced to ensure that cyber security remains a top priority for the entire organization.
Businesses that employ third-party workers or contractors, whether freelancers, apprentices, or interns, must also understand the impact those workers could have on the company’s data protection policy. Clarify and articulate these obligations through contracts or additional policies if needed.