
10 steps to doing security from the inside out

Bart Westerink, Senior Director of Security and Compliance, CloudPassage

With the intense focus on external bad actors, it can be easy to overlook one of the greatest risks to an organization’s security: its own employees.

While most organizations provide employees with an employee handbook on their start date, a comprehensive security policy is just as important. Here are the top ways you can ensure that your organization stays secure from the inside out. After all, a careless employee can become a compliance nightmare, while an observant employee can be your best asset.


1. Establish a thorough security policy (and enforce it)

Review your company’s employee security policy. Are employees required to take a security awareness training course based on this policy each year? Does the security policy cover safe device use, including laptops and phones? Do employees understand the importance of safeguarding printed materials or of notifying the security team of suspicious activities?

2. Educate as a team

Don’t leave security to the IT professionals in your office. Create a culture of security where awareness extends beyond the mandatory training and is ingrained in the workplace culture—from interns to executives. This will save headaches in the long run.


3. Work on your passwords

A poorly designed password does little to protect intellectual property or data from attack. Make sure employees have passwords that are strong enough to withstand attempted breaches. Given that passwords should not be reused across multiple sites, recommend that employees use a password manager. Use two-factor authentication for sites that support it.
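The checks that a password policy like this boils down to can be automated. The following is an added example, not code from the article or from CloudPassage: it enforces a minimum length, estimates entropy from the character classes used, rejects anything found in a breach corpus by comparing SHA-1 digests the way an offline copy of a breached-password list is consulted, and flags reuse against hashes of a user's other passwords (the kind of audit a password manager runs). The breach list and the 12-character/60-bit thresholds are constructed for illustration, not taken from the page.

```python
import hashlib
import math
import re

# Constructed stand-in for a real breached-password corpus. Digests are stored
# rather than plaintext so the lookup works the same way a downloaded list would.
_CONSTRUCTED_BREACHED = {"password", "Password1", "qwerty123", "Summer2019!"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _CONSTRUCTED_BREACHED}

MIN_LENGTH = 12          # assumed policy value
MIN_ENTROPY_BITS = 60.0  # assumed policy value


def estimate_entropy_bits(password: str) -> float:
    """Rough upper-bound estimate: length * log2(size of the character set used)."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 33  # printable ASCII punctuation and space
    if charset == 0:
        return 0.0
    return len(password) * math.log2(charset)


def is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach corpus."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def check_password(password: str, other_password_hashes=frozenset()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.

    other_password_hashes: SHA-256 hex digests of the user's passwords on other
    sites, as a password manager's audit would hold them, used to detect reuse.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS:.0f} bits")
    if is_breached(password):
        problems.append("appears in breach corpus")
    if hashlib.sha256(password.encode()).hexdigest() in other_password_hashes:
        problems.append("reused from another account")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "Summer2019!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Entropy estimated this way is a ceiling, not a measurement: a dictionary phrase scores well by character-class arithmetic, which is why the breach-corpus check runs regardless of the score.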

4. Restrict devices

Setting up device restrictions and enterprise mobility management systems is an important way to secure company property against dangerous downloads and other nefarious actors lurking on the web.

5. Keep software updated

This should be an immediate, mandatory requirement. Employee laptops and mobile devices require a constant stream of updates to keep them secure. Systems that aren't inventoried or actively managed are vulnerable to breaches and attacks. In most cases, system management tools can be used to push patches remotely. However, employees still play an important role in keeping their systems and devices up to date.
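The inventory point above is the one that is easiest to automate and most often skipped: a device that was issued but never enrolled, or that stopped checking in, is exactly the one that is not receiving pushed patches. The following is an added example, not code from the article or from CloudPassage. It reconciles a constructed asset register against a constructed endpoint-agent report and flags devices that are unmanaged (issued but never seen by the agent), stale (no recent check-in), outdated (OS below the required version), or unknown (reporting in but not on the register). The hostnames, dates, versions and 14-day window are all assumptions made for the example.

```python
from datetime import date

# Constructed sample data, not from any real fleet.
# Devices the asset register says were issued to employees.
ISSUED_DEVICES = {"lt-alice", "lt-bob", "lt-carol", "ph-dave"}

# Latest report from the endpoint-management agent: (hostname, last check-in, OS version).
# lt-carol is absent: issued but never enrolled. lt-zed reports in but was never issued.
AGENT_REPORTS = [
    ("lt-alice", date(2019, 10, 20), "10.15.1"),
    ("lt-bob", date(2019, 8, 2), "10.14.6"),
    ("ph-dave", date(2019, 10, 19), "13.1.2"),
    ("lt-zed", date(2019, 10, 21), "10.15.1"),
]

# Assumed minimum OS version per platform, keyed by hostname prefix ("lt-" laptops, "ph-" phones).
MIN_VERSION = {"lt-": "10.15.1", "ph-": "13.1.2"}
MAX_CHECKIN_AGE_DAYS = 14  # assumed policy value


def parse_version(version: str) -> tuple:
    """Turn '10.14.6' into (10, 14, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def audit(issued: set, reports: list, today: date) -> dict:
    """Return the devices that fall outside the patch-management policy, grouped by reason."""
    seen = {host for host, _, _ in reports}
    findings = {
        "unmanaged": sorted(issued - seen),   # issued, never enrolled: receives no patches
        "stale": [],                          # enrolled but not checking in
        "outdated": [],                       # checking in but below required OS version
        "unknown": sorted(seen - issued),     # managed but missing from the asset register
    }
    for host, last_checkin, version in reports:
        if (today - last_checkin).days > MAX_CHECKIN_AGE_DAYS:
            findings["stale"].append(host)
        required = MIN_VERSION.get(host[:3])
        if required and parse_version(version) < parse_version(required):
            findings["outdated"].append(host)
    return findings


if __name__ == "__main__":
    for reason, hosts in audit(ISSUED_DEVICES, AGENT_REPORTS, date(2019, 10, 21)).items():
        print(f"{reason:10s} {', '.join(hosts) or '-'}")
```

The two sources disagree in both directions, and both directions matter: a device the agent has never seen is getting no patches, and a device the register has never seen is one nobody will notice when it is lost or when its owner leaves.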

6. Emphasize security over productivity 

Employees have reported being willing to cut corners on security to improve their productivity. While the sentiment comes from a good place, creating a culture that applauds efficiency above all leaves far too much room for risk.

7. Don’t leave a paper trail 

Carelessly leaving paperwork on a printer is a great way to unwittingly share confidential documents. Make sure employees understand the importance of safeguarding sensitive documents—even within their own office environment.

8. Beware of the little black book

Former employees can be a security risk if they're allowed to leave with intellectual property. In fact, many employees believe that it's perfectly all right to walk away with documents. Make sure they are aware of what is and is not acceptable to take upon exit.

9. Don't expect employees to bring their own security

If an employee chooses to use his or her own phone or laptop as a work device for the sake of convenience, be sure to have a backup plan in case the device is lost or stolen. Mobile device management tools that enforce encryption and support remote wipe capabilities aren't options—they're necessities.

10. No tailgating

Employees must understand why it's unsafe to hold the door open for others without knowing whether those persons have a keycard. The urge to be polite can lend itself to dangerous situations.

A successful security policy starts with your employees. Make sure your organization is practicing these ten steps so that you can focus your attention on external threats and rest easy knowing you're secure internally.
