IT Best Practices: Three Security Essentials for Your Employees
By JHickman, Technology Operations Manager - Article on April 20, 2018
- Compliance and Risk
- Cyber Security
- Data Privacy
Every organization’s IT department manages the daily computer issues that arise, from lockouts to hardware failures. Just as we provide working keyboards and reset forgotten passwords, we also manage the organization’s overall online security environment. Three things are the bread and butter of employee security practices for any organization: 1) safe email procedures, 2) protected computing devices and 3) credential management.
Let’s look over each one, and then consider a few obstacles to success.
One 2016 report found that an astounding 91 percent of cyber-attacks came by way of email. This means that sending secure email is a vital concern for all companies.
Sending an unencrypted email has been compared to sending a postcard – there’s no barrier to anyone simply picking it up and reading it. But companies are required to guard proprietary information and personal information, including personal medical, education, employment and financial details. Not only do federal and state laws mandate that such personal data be kept private, but new, stricter regulations are emerging, such as the European Union’s General Data Protection Regulation (GDPR), due to take effect May 25, 2018.
What are our options in meeting these requirements and keeping our customers’ trust? Ultimately, any email with sensitive information is safest when encrypted. Encryption protects the data from sender to recipient.
There are various means of email encryption for your IT and data security departments to consider. OpenPGP, one of the most common types of encryption software, is available for all operating systems and is based on PGP (Pretty Good Privacy), a widely used encryption format; it encrypts the message itself, so only the intended recipient can read it. Gmail uses TLS (Transport Layer Security) encryption by default, which protects the message while it travels between mail servers rather than the stored message itself – unless the other email user doesn’t use TLS, in which case the email in question will bounce. What’s more, the Gmail message will still be scanned for marketing keywords. Outlook, Amazon WorkMail, Zoho Workplace and Fastmail are popular business email platforms that offer multiple security features. Tutanota and ProtonMail both provide free email encryption with appealing features and strong reviews.
No matter which software you ultimately wind up selecting, remember the bottom line: Encrypt all email if possible.
The same principle holds true for computers, phones, laptops and other devices: All of them should be encrypted. This is especially true if employees take devices home or on trips, which increases the risk of loss or theft.
The good news is that the latest smartphones already encrypt data for us. Android 5.0 and above offers full-disk encryption. If you use an iPhone 3GS or later, you can encrypt your phone by setting a passcode in the phone’s Settings app.
There are dozens of full-disk encryption (FDE) software options for desktops and laptops, many designed with businesses in mind. Best known is BitLocker, which is built into Microsoft Windows. Although full-disk encryption may slow your computer down somewhat, it may well be a worthwhile price to pay to protect sensitive data.
The final recommendation relates to passwords: Rather than leaving how employees handle passwords to chance, IT professionals should engineer a secure way for storage and recovery. Access to passwords may be granted based on work roles and need-to-know, improving security overall. Some well-rated password managers include Dashlane, LogMeOnce, Keeper and KeePass. You also must decide if or to what extent you trust cloud-based services with your passwords. Some disk encryption software packages also include password generators and storage.
Security measures are like an insurance policy. While insurance might help mitigate damage, it’s not an absolute guarantee that damage will never happen. Similarly, security practices won’t prevent all hacking, but will reduce exposure to risk. Even after tracing the data footprint of a company for every data transmission and storage event, vulnerabilities will still exist – if only for the fact that, at the end of the day, all companies work with human beings, and human beings will always be somewhat inconsistent in using technology.
When people don’t understand a security measure, they will be less inclined to adopt it. Today, virtually everyone locks their phone, and there are multiple ways to do so: fingerprint, passcode, voice, even facial recognition. But only a few short years ago, people didn’t lock their phones at all, simply because they didn’t see the need. As soon as the need was apparent, however, software designers adapted the design in such a way that combined security and ease of use.
In the same way, your company’s IT department should make sure employees understand and buy into the system so they will actually use the tools. When you educate your workers on the risks of hostile cyber activity that could damage your enterprise, they’ll see that security is their job and that their company depends on them. In turn, the IT department should strive to design systems that are both straightforward and secure.