The future of mobile security: How to keep your employees in-the-know
Enterprise security is a never-ending, high-stakes battle. Research from The Ponemon Institute shows the average security breach costs businesses $3.62 million.
Even with this huge financial incentive, companies can easily fall behind in keeping pace with evolving security trends. Cybercriminals, malware and other security threats are always finding new ways to compromise enterprise networks. The rise of smartphones and tablets has created a new dimension of security challenges related to mobile security.
It isn’t just mobile technology that’s prompting IT to account for new security considerations. The complications come from the fact that these endpoints are placed in the hands of enterprise employees, many of whom won’t be aware of the latest security threats or how their behavior could create vulnerabilities. With the majority of enterprise security breaches coming from human error or other employee behaviors, proper training is important — and with the state of enterprise security changing so quickly, this training needs to be repeated and updated on a regular basis.
Here are some strategies to help executive leaders implement training that educates employees and reduces the risk of a future mobile security breach:
Phishing and spam simulators
Clicking the link in an email seems like an innocuous action, but it’s the easiest way for malware to infiltrate an enterprise network. This tactic has proven highly effective over the years, even as awareness of phishing and spam threats has grown.
The problem isn’t necessarily related to poor awareness of phishing. Rather, employees struggle with how to tell legitimate emails apart from phishing and spam attacks. When workers receive dozens, if not hundreds, of emails a day, it only takes one employee making one mistake for an entire company to be compromised. Tech Republic recommends conducting regular phishing tests that simulate a real phishing email attack, sending the content out to all company employees and monitoring how many workers click on the email link. After the simulation, the company can gather data on how and why the attack was successful, as well as other trends related to the security breach.
This data can then be presented in a phishing and spam training session where the company explains to workers what went right and what needs to be improved. By examining the mistakes that were made, employees can use the simulation to correct future behavior and avoid being compromised.
Threat reporting protocols
Phishing simulations can teach employees to better avoid breaches, but it’s inevitable that some employees will make simple mistakes that compromise the company’s security at some point. When that happens, the employee needs to report the issue… quickly. The best way to get this report into the right hands is by establishing a protocol for reporting potential threats.
Whether it’s a form to fill out or an IT point of contact to alert, employees should receive clear, simple directions on how to respond when they believe security might have been compromised. The security issue isn’t their problem to solve, but they can assist in the response by getting essential information into the hands of professionals who can quickly take action.
Your leadership will also need to support a company culture that encourages employees to quickly report mistakes, instead of fearing punishment. Though it’s obvious no company wants its employees compromising security, a quick response is essential to minimizing damages and data breaches throughout the network. PC Magazine recommends embracing a non-blaming atmosphere that doesn’t scapegoat one worker for making a mistake many others might have made. Make sure employees feel they can report security mistakes without the risk of punishment. Every second makes a difference.
Teaching security to remote workers
The rise of the mobile workforce is creating new security considerations that remote workers need to understand. The Ponemon Institute reports that 45 percent of employees aren’t worried about the security of work-related data on their mobile devices. However, mobile endpoints are a major liability, even more so when those devices are outside the enterprise office.
Given that many office workers use personal devices they bring home in the evening, remote mobile hygiene training applies to the vast majority of enterprise employees. Companies should provide regular training sessions that cover the proper use of devices as they relate to security, privacy and the protection of sensitive business data.
This training should be repeated periodically for workers to make sure they’re following company guidelines and to provide an outlet to update them on new security challenges and evolving concerns they should be aware of. Consider annual training to keep security issues top-of-mind. A business might also consider setting up a virtual private network to provide a secure connection for employees working remotely.
Build channels for continued communication and training
Some security communications can’t wait for scheduled training sessions. When critical security information needs to be relayed throughout the enterprise, businesses should have a system in place to ensure everyone gets the message and has the opportunity to ask questions. A simple email blast isn’t enough. Enlist management throughout your departments to take the lead on relaying this security information. Consider running an executive training session on new communication concerns that can then be relayed through departmental meetings and trainings. Enterprise security is only as strong as the weakest link, so your company must get buy-in from managers throughout the organization for such a communication strategy to be effective in addressing security threats.
Accounting for new security threats always puts a damper on a company’s productivity, but it’s an unavoidable complication of conducting business in 2017 and beyond. Invest time and resources into ensuring your employees have all the tools and information they need to avoid security mistakes that put the company at risk.