5 Ways to Involve Users in Securing Your Network
Providing IT security training for your business end users is one of the best ways to prevent a security breach. Everyone who touches any type of device in your company needs training on how to use your corporate information systems safely.
Before beginning any user training, make sure your company has a written security policy in place that addresses:
- Acceptable Usage Policies (AUP)
- A Non-Disclosure Agreement (NDA)
- Password management
- Remote Access Policies
- Mobile/BYOD Policies
Having these policies in place will make security training and administration much simpler. All employees should be required to read and sign the security policy documents, but the policies also need to be enforced with training. Here are five ways to get buy-in from your users.
1. Provide ongoing security training.
All employees should receive network security training during their initial hiring orientation, but that’s not enough. Training needs to be ongoing because users need regular reminders and reinforcement of the importance of your network security. Whether it’s how to choose good network passwords or tips on recognizing the latest phishing schemes, all users need to be able to recognize possible issues and understand the best way to handle them.
Helping users stay ahead of hackers’ tricks is critically important to the security of your network. Hackers are constantly trying clever new ways to trick even the most sophisticated users into downloading their malware or responding to a hoax email. Regular security awareness training is key to keeping users alert to these threats.
2. Make security personal.
Network security may seem like an abstract concept to employees who aren’t responsible for your company’s technology efforts – so how can you make them care about your company’s security? Make it personal. Ask them if they use personal devices to make online purchases at home using a credit card and walk them through what could happen if they don’t take security precautions. Use that scenario to begin a discussion on the necessity of following security policies.
Help employees understand that their information, including details about their identity, is best protected when they follow security policies that keep the corporate network locked down. Network security impacts everyone who accesses your network and they need to fully understand that.
3. Be accessible to users.
Do your employees know who to go to if they experience a network security incident such as a suspicious email or an unusual pop-up window? Do they know who to bring security questions to? Inform them who to contact for all scenarios.
If you don’t have on-site IT support, be sure users understand how to contact support personnel through your provider. And while waiting for an answer from your security expert, it’s equally important that they know what to do – or not to do – during the wait time.
4. Tell users what actions to take and why.
Security awareness training should not only include information on how employees should respond to a security incident, but also how to avoid one by reacting appropriately. What should users do if they click an attachment that turns out to be infected? Do they call your security expert for help or should they take some immediate action with their computer on their own?
Running mock scenarios will help users gain confidence in knowing what to look for, what to do, and who to contact. Employees need to know how to react, including when to immediately shut down their browser windows or computers if necessary. Be sure discussions include email security, URL training and Mobile/BYOD security.
5. Make security as pain-free as possible.
Even the most thoroughly trained and well-meaning user might be tempted to circumvent your security measures if they’re difficult to follow, so make your policies easy for users to follow. Finding the right balance between security and user friendliness is important. Here are a few things that may help:
- Configure your applications to automatically prompt users to change their passwords on a regular basis.
- Make sure your anti-virus software updates automatically, at times when it won’t interfere with employees’ workday.
- Don’t fault the user who reports a security breach. You want employees to feel safe so that they come to you with any potential security risk.
- Consider having a program that recognizes employees for making the right decisions.
- Host a security awareness week that includes distributing information, hosting Q&A sessions, and sharing stories of company security “wins”.
Security training can be done in multiple ways, including online classes or video training for new employees, and as part of staff or team meetings for ongoing awareness training. The end goal is for security awareness to be a two-way partnership between the end user and the company, and something end users practice without thinking about it.