Your employees are smart; that’s why you hired them. Unfortunately, they sometimes apply those creative problem-solving skills in ways that might compromise the security of your company’s data.
We often think of breaches as stemming from malicious behavior, but risks can also occur when employees are simply looking for workarounds to address the limitations of the technology at their disposal. Whether it’s creating an Outlook rule to forward work mail to a personal device or using an unsecured file transfer system because it’s more effective than what the company provides, these employees are adept at getting past restrictions so they can work the way they want to.
Luckily, many of these common threats can be addressed through effective communication and standardization around approved, secure technologies.
Step 1: evaluate the risks
Your first move should be to take stock of how your employees are currently using technology in order to identify behaviors that may pose a security threat. Many of these risks are tied to the way files and information are transferred, stored and shared, so it is especially important to evaluate how information moves through, and out of, your organization.
For instance, how do your employees currently send files that exceed the file size limits of your corporate email system? Are they using a personal cloud-storage service such as Dropbox, Google Drive or OneDrive? Are they physically transferring files via unsecured USB drives? Employees may feel that these processes are a necessary part of getting their jobs done, but they also put company information outside of any security systems you have in place.
The best way to learn how your employees work with technology is straight from the horse’s mouth. Ask them about the processes they are currently using and make it abundantly clear that they will not be in trouble if everything they’re doing hasn’t received the company stamp of approval. It’s crucial that you’re able to get an honest assessment of the situation, so your workers must feel free to share without fear of reprisal.
Step 2: work together to find solutions
When you have a handle on how things currently work, you can set your sights on how they should work. Understanding the frustrations that employees feel about the technology you provide will help you get at the root of their risky behavior.
Soliciting feedback can go a long way towards identifying common pain points that cause workers to circumvent your security. Involving them directly in the selection of technologies that you will use to address those frustrations will have the added benefit of greatly increasing the likelihood that they actually want to use the tools you provide.
One area where your workers are likely to have strong opinions is how they access emails and company files on personal devices. The “bring your own device” trend has become an accepted norm, as evidenced by a 2014 study which found that nearly 60 percent of workers access company networks through personal devices. If employees are doing this surreptitiously, it may be because they are wary of handing over authorization to wipe all of the data on their personal device. Working with your IT team or managed services provider to implement a mobile device management suite that uses app containers to only wipe corporate data in the event of loss or theft is a good example of a solution that strikes a balance between employee concerns and security needs.
Step 3: educate and maintain an open dialog
You’ve developed an understanding of the risks within your organization and decided on what technologies and policies to implement in addressing them. Your final step is ensuring that these changes stick and that your employees don’t slip back into bad habits. It’s vital that you train them on any new tools you’re providing to increase the probability that they actually get used.
Many of your employees are likely unaware of the threats their behavior can pose, so educating them on security best practices can also help curb misuse. It’s important to keep in mind that the needs of your employees and your organization are fluid and this is an ongoing process. Ensure that all new hires are trained on security policies and schedule yearly refreshers to keep current employees up to speed and identify any new technology challenges they are facing.
Evaluating and addressing your risks through this worker-centric lens will not only fortify the security of your organization, it will also increase employee satisfaction with the technology you provide and make them more productive. Ultimately, remember that the best way to keep your employees from going around your security is by providing them with solutions that make it unnecessary.