​Every organization’s IT department manages the daily computer issues that arise, from lockouts to hardware issues. Just as we provide working computer keyboards and reset passwords when they’ve been forgotten, we also manage the overall online security environment as well. These three things are the bread and butter of employee security practices for any organization: 1) safe email procedures, 2) protected computing devices and 3) credential management.

​Let’s look over each one, and then consider a few obstacles to success.


Safe Email Procedures

​One 2016 report found that an astounding 91 percent of cyber-attacks came by way of email. This means that sending secure email is a vital concern for all companies.

​Sending an unencrypted email has been compared to sending a postcard – there’s no barrier to anyone simply picking it up and reading it. But companies are required to guard proprietary information and personal information, including personal medical, education, employment and financial details. Not only do federal and state laws mandate that such personal data be kept private, but new, stricter regulations are emerging, such as the European Union’s General Data Protection Regulation (GDPR), due to take effect May 25, 2018.

​What are our options in meeting these requirements and keeping our customers’ trust? Ultimately, any email with sensitive information is safest when encrypted. Encryption protects the data from sender to recipient.

​There are various means of email encryption for your IT and data security departments to consider. OpenPGP, one of the most common types of encryption software, is available for all operating systems and based on PGP (Pretty Good Privacy), a commonly used encryption format. Gmail uses TLS (Transport Layer Security) encryption as their default – unless the other email user doesn’t use TLS, in which case the email in question will bounce. What’s more, the Gmail document will still be scanned for marketing keywords. Outlook, Amazon WorkMail, Zoho Workplace and Fast Mail are popular business email platforms that offer multiple security features. Tutanota and Protonmail both provide free email encryption with appealing features and strong reviews.

​No matter which software you ultimately wind up selecting, remember the bottom line: Encrypt all email if possible.


Protected Computing Devices

​The same principle holds true for computers, phones, laptops and other devices: All of them should be encrypted. This is especially true if employees take devices home or on trips, which increases the risk of loss or theft.

​The good news is that the latest smartphones are already encrypting data for us. Android 5.0 and above offers full-disk encryption. If you use an iPhone 3GS or later, you can encrypt your phone by setting a passcode via the settings included in your smartphone.

​There are dozens of full-disk encryption (FDE) software options for desktops and laptops, many designed with businesses in mind. Best known is BitLocker, which is built into Microsoft Windows. Although full-disk encryption may slow your computer down some, it may well be a worthwhile price to pay to protect sensitive data.


Credential Management

​The final recommendation relates to passwords: Rather than leaving how employees handle passwords to chance, IT professionals should engineer a secure way for storage and recovery. Access to passwords may be granted based on work roles and need-to-know, improving security overall. Some well-rated password managers include Dashlane, LogMeOnce, Keeper and KeePass. You also must decide if or to what extent you trust cloud-based services with your passwords. Some disk encryption software packages also include password generators and storage.


Obstacles to incorporating security

​Security measures are like an insurance policy. While insurance might help mitigate damage, it’s not an absolute guarantee that damage will never happen. Similarly, security practices won’t prevent all hacking, but will reduce exposure to risk. Even after tracing the data footprint of a company for every data transmission and storage event, vulnerabilities will still exist – if only for the fact that, at the end of the day, all companies work with human beings, and human beings will always be somewhat inconsistent in using technology.

​When people don’t understand a security measure, they will be less inclined to adopt it. Today, virtually everyone locks their phone, and there are multiple ways to do so: fingerprint, passcode, voice, even facial recognition. But only a few short years ago, people didn’t lock their phones at all, simply because they didn’t see the need. As soon as the need was apparent, however, software designers adapted the design in such a way that combined security and ease of use.

​In the same way, your company’s IT department should make sure employees understand and buy in to the system so they will utilize the tools. When you educate your workers on the risks of hostile cyber activity that could damage your enterprise, they’ll see that security is their job and that their company depends on them. In turn, the IT department should strive to design systems that are both straightforward and secure.