The security of your information system is paramount, and the biggest threat to that security comes from the inside – from your own employees. This is why it is essential that your employees know how to use computers safely. Failing to make sure they do is a lack of due diligence on your part.

So, what should your employees know as a bare minimum? Here is a list:

  1. What type of information does your institution process?
  2. What are the employees’ basic responsibilities for information security?
  3. What are the components of the institution’s password policy?
  4. What are the security best practices that employees should follow?
  5. What constitutes a secure work environment?
  6. What type of threats should employees be on guard against?
  7. What are some common attack methods?
  8. What actions should employees take when an attack occurs?
  9. What are the institution’s email policies?
  10. What are the institution’s social media and web surfing policies?

It is crucial that employees understand the process of turning raw data into information and how that information is used by the institution to make important decisions.

Everyone who comes into contact with your system – including employees and third parties – should be viewed as a potential threat. That is why it is vital to have an information security plan in place and to make sure everyone is aware of it.

Every employee is responsible for computer security and the protection of your digital assets. Those who handle institutional data should be fully aware of their responsibilities. Employees need to be aware and accountable.

Each person in your institution should be security-aware and know how to handle a potential or actual attack. Otherwise, your employees will fail.

Everyone should understand how to maintain a secure workspace, such as removing sensitive papers from view and locking offices to prevent onlookers from observing screens and accessing terminals.

Creating and maintaining robust passwords or using multi-factor authentication should be common knowledge for all employees. Passwords should be complex and changed regularly. Your institution should have an ongoing digital security program and periodically evaluate it.

Security policies should align with industry best practices and be a part of each employee’s security awareness training. For example, employees should know to scan storage media from outside the office before introducing it into the information system.

Employees should be aware of common attack methods used by cyber-criminals, such as social engineering attacks disguised as innocent information requests over the phone.

Email policies are crucial for protecting sensitive information. Employees should know how to handle various situations that may arise and avoid clicking on malicious links that could compromise the entire system.

The use of social media and surfing the internet can create avenues for malicious users to access your system. Employees need to know what is considered acceptable practice when it comes to using internet resources to avoid liability issues or illegal use of your assets.

Protecting the confidentiality, integrity, and availability of your institution’s mission-critical information requires a formal information security plan and employees equipped with the tools to carry it out. Treating computer security as a business process is the key to keeping cyber-criminals out and ensuring the success of your institution.

 