With what seems like a constant stream of data breach headlines, security is top of mind for many companies, some of which are having to think about it for the first time. The truth is that ensuring overall security is a company-wide commitment. While you might ask what role you could play in that effort, there are a number of steps you and your fellow employees can take to help keep threats at bay.
1. Get familiar with your company’s Chief Information Security Officer (CISO)
It’s obvious but bears repeating: it is the Chief Information Security Officer’s job to ensure the security of the company and its employees. Too often, employees feel the security team is an entirely separate entity, and that is a culture that needs to be addressed and unified. Security touches every part of a company, and only by hearing concerns from employees at every level and in every sector can a CISO develop a strategy that effectively addresses every facet of the business. Perhaps you recently encountered something that you feel could be a good learning opportunity for others in the company, or you have questions about how to properly apply the security procedures in some particular situation. The constantly evolving nature of security means that a CISO can use all of this information to build a security strategy that better educates and protects both the employee and the company as a whole. Whatever it may be, those doors should always be open for discussion.
2. Actively participate in ongoing security training
Just as a company would perform drills to prepare for potential disasters, it also needs to train for security threats. Keeping a steady drumbeat of these drills will pay off in the event of a potential attack. Each employee should have a general understanding of where these risks lie and should be well versed in things like avoiding phishing attacks, creating a secure password, and properly protecting equipment like laptops and USB drives.
These types of drills might include deploying a company-wide “friendly” targeted phishing attack using publicly available information. The key point of this exercise is to create a level of exposure in a safe and secure environment, as opposed to trial by fire. Human error is unavoidable, but by simulating an attack, employees can learn how to quickly and effectively respond as a unified team.
3. Speak up before it’s too late
This is where every single employee in a company needs to take accountability. No one security agent can oversee every person and every process in a company, and individuals may even be more aware of potential gaps in their department than the security team. Being proactive and raising the concerns you have about the security of your immediate work environment, team, or department helps the security team address threats before they evolve into something worse. This brings me back to point number one. Establish that relationship with your CISO so when you do recognize a potential threat, those conversations are more likely to happen before it’s too late.
4. Understand that you are critical to your company’s security
Everyone in the company can be a security agent for their company. However, the further an employee is from the core business functions of the company, the less aware they tend to be of the critical role they play in company security. Someone in HR scanning new hire documents for employee folders might consider themselves fairly removed from security procedures, even though they’re handling documents that may contain highly sensitive information like salaries, Social Security numbers, or other important data. A breach that targets this information could be catastrophic and would put the company in violation of strict regulatory requirements like HIPAA and GDPR.
While I do understand that learning these measures can feel like an entirely new job in and of itself, by taking these small and manageable steps, you can help build and maintain a security system that is intact from end to end. By keeping these things top of mind, you and your fellow employees can help your company avoid catastrophic data breaches and protect your own personal data more effectively.
About the author: Tomáš Honzák serves as the head of security, privacy and compliance at GoodData, where he built an Information Security Management System compliant with security and privacy management standards and regulations such as SOC 2, HIPAA and U.S.-EU Privacy Shield, enabling the company to help Fortune 500 companies distribute customized analytics to their business ecosystem.