How to improve data security across a remote workforce: a lesson in security training
To protect against cyber security threats, every organization should view its workforce as the first line of defense. After all, many security incidents are caused by human errors, such as falling victim to a phishing attack, sharing sensitive information with the wrong recipient, or accidentally installing a virus on a shared drive. No matter how many organizational and technical protection measures are in place, human errors can never be entirely ruled out. Therefore, the workforce is an essential line of defense.
At Zivver, one of the leading secure communication companies in Europe, we work diligently with our Security Team to make sure that everybody in the organization is, and remains, fully aware of the security threats they face at work. Security should be completely embedded in our DNA. To help achieve this, we initiate many different activities throughout the year to foster a strong culture of security awareness for the entire workforce.
So what is the best way to raise security awareness? Most organizations adopt a one-size-fits-all approach. They create generic flyers, presentations and even online modules to teach everybody in the organization the same basic best practices on security. This is, of course, better than doing nothing. With this approach, however, participants are often not very engaged with the training and are unlikely to remember the key take-aways. Some might even consider these standard awareness sessions annoying, or a mandatory, time-wasting activity.
Making security awareness part of your company’s DNA!
At Zivver we have a few guiding principles for our security awareness program:
Know your target audience and make sure the awareness topics and materials are tailored to their interests and needs. For example, a specific security risk for your tech team might be the installation of malicious software, whereas social engineering would be a more likely risk for people who work at, for example, your support desk or in your marketing team. Understand the differences in approach and required level of detail, and make sure that you show everyone the specific security risks that are relevant in their daily work.
Discuss and highlight specific examples of what could go wrong (or has gone wrong in the past) and how to act. The ‘how to act’ part should be specific enough for every individual, so that everyone is well prepared and feels comfortable acting accordingly should a threat materialize. To achieve this, make sure that you clearly and specifically explain the risks you have identified and why certain actions are required in response. Their understanding of these risks will help them to ‘spot’ these or related risks during their work, during new projects and even in their private life.
Create a fun, repetitive program. One-off events, such as an annual session, may briefly raise general awareness, but the key take-aways are unlikely to be retained, and any knowledge gained will probably soon fade. We therefore recommend repeating the awareness actions frequently or, even better, integrating them into everyday tasks. Be creative in your approach and create a repetitive program that you can roll out during a full calendar year. Consider, for example, a social engineering protocol for the support desk, a brief security risk assessment in every project template or a warning when sensitive information is attached to an email. Other ways to engage people include organizing a security quiz, storytelling (sharing security incidents and follow-up actions within teams) and a wall of fame for those who have contributed to improving internal security.
Create a culture in your organization in which everyone shares and feels accountable for security and promoting security awareness. Make it OK to point a colleague to the clear-desk policy, or to dispose of left-behind papers with sensitive information in the shredder. Encourage people to ask the IT department for help if they receive a somewhat suspicious email. Create an environment in which security concerns and incidents can be discussed openly.
Zivver aims to instill a strong culture of security awareness for its own staff while also helping customers increase their own awareness through the use of Zivver’s secure email solution. Zivver will alert users before an email is sent if it contains sensitive information. These caution warnings reduce the likelihood of selecting the wrong recipient or sending sensitive information in an unsafe manner.
Interested in how Zivver can help you raise awareness during the everyday task of sending emails? Check out our detailed information page on secure email and file sharing.