Information Security: Your People, Your First Line of Defense

CIOReview Team

A company can put together as many technology solutions or policies as it likes, but, in the end, its people are the most important element in information security. If the employees in your organization don’t feel personally invested in improving your organization’s security, your defenses will always be lacking.

Firms that inspire in their employees a security mindset and a personal sense of responsibility for keeping the business secure are on the right track. According to research by the Ponemon Institute, the average total cost of a data breach is more than US $3.6 million, and one in four organizations can expect to experience a breach. Cybersecurity breaches are also only getting larger in terms of the number of files, accounts and people affected.

Your business may need to experiment a bit before discovering the secret recipe for turning your team members into information security advocates, but the effort is well worth it. At Robert Half, we’re taking steps to motivate our global employee base to view information security as a priority. We’re continually looking for new ways to engage our staff, so they want to get involved in helping the business adopt and apply best practices.

To turn your workforce into a team of information security advocates, you need to make security personal to them. This means helping them understand that lax security practices don’t just affect them at work; they also hit them at home.

One strategy we use to do this in our organization is our “Data Defenders” program. It gamifies security, and is designed to help employees feel more personally invested in protecting our company and its data and systems. Here are a few things we’ve learned so far from our work on this initiative that you might find useful as you create your own programs:

1. Build Your Security Messages into Your Culture

Our campaign focuses on educating people using every communication channel in our company: newsletters, posters, intranet sites, town-hall meetings, videos, annual trainings, and more. A multipronged approach to communication helps ensure we reach every employee in the format that speaks personally to them. They need to plainly see that the program you’re promoting isn’t just a mandate from IT or compliance, but a company-wide effort supported by business leadership. When professionals observe their leaders and coworkers all striving toward a common goal, they often want to join in. And today, with so much news about data breaches in the spotlight, they can easily see the relevance and value of shoring up security efforts.

2. Forget a 'One-Size-Fits-All' Approach

Generic education about security doesn’t work. You need to tailor it and personalize it. That’s why we’re now experimenting with “personas” that represent different types of people in our company. The personas tie back to how people work and what their roles are. We’ve identified the security risks for each persona (for example, the kinds of phishing an employee in accounting might encounter) and what people who fit those personas can do to help protect the company.

We’re just starting to introduce personas as part of our annual security awareness training. But we think they’re going to go a long way toward helping our employees make a strong connection between security risks and their day-to-day work experience.

3. Create Master Data Defenders

We’re now developing a “master” version of our Data Defenders program, in which employees volunteer to take formal, specialized training to understand the security gaps and risks in their specific areas of the business. I would help them set goals, and once they achieve them, they would earn the designation of “Master Data Defender.” The company would recognize their success and provide them with a financial reward.

The whole idea of this master program is to encourage employees who are already passionate about information security to learn even more, and then take that knowledge back to their department. They become our experts “on the ground,” helping other employees become more security-minded.

4. Get Buy-In at the Top

I am convinced that no information security program will succeed unless a company’s leadership also feels passionate about the cause of improving security and views it as a critical part of business strategy.

The good news is that top leadership, busy as they are, will likely be receptive. That includes the board of directors. The National Association of Corporate Directors (NACD) 2016-2017 Public Company Governance Survey found that almost one-quarter of boards are dissatisfied with the reporting that management provides on cybersecurity. So there is clearly an opportunity to reach out, and I encourage you to do so sooner rather than later. You might also consider enlisting help from internal audit leadership, given that they already have the ear of senior management and the board.

Information security risks are always changing, so your program must keep changing, too. Many breaches can be prevented if a human does something differently: not clicking on a link, not opening a suspicious attachment, keeping passwords secure, and so on. Our job is to equip our employees with relevant knowledge they can use to keep our business secure. A strong front-line defense is ultimately the best offense in keeping your data secure.