Technology Is Not Enough to Secure Your Network: You Need IT Security Policies and Training
Many small businesses rely on IT security technologies to protect their sensitive information, but just having technical controls like antivirus software, firewalls, and intrusion detection isn’t a total solution for IT security. Business owners should be aware that having comprehensive security measures means protecting against both external and internal threats, many of which involve administrative or procedural areas.
External Security Threats
External threats, such as malware, spam, phishing attempts, and hacking are usually the most obvious dangers that come to mind when we think of potential security threats—and they are handled by IT professionals (such as RED74) who use sophisticated security breach prevention and detection methods. Even with these efforts, however, there is no guarantee of total IT security. Maintaining optimal security requires that employees are properly trained and held accountable on the job, and that adequate security policies are in place, understood and enforced.
Internal Security Threats
While commonly overlooked, Internal threats such as human error, general negligence, and malicious intent, pose a great threat to businesses as well. Intentional or not, insider attacks are the leading cause of data breaches and can cause just as much damage as outsider attacks.
Most security breaches today take advantage of social engineering or human error within your company. Social engineering remains a leading cause of security threats facing organizations, and is fairly difficult to identify. It has become an increasingly popular means by which attackers gain access to and control of insider information. Employees must be aware of the highly sophisticated ways by which they can be tricked into breaking standard security practices. Falling victim to social engineering can be prevented with proper training.
Negligence can come in many forms—lack of security awareness, improper handling of emails containing sensitive information, ignoring security errors, accidentally deleting data, and unrestricted remote access or web browsing are all ways employees can compromise data privacy and security. Because technology solutions cannot effectively prevent a phishing attack from being initiated by an unaware employee, it’s crucial that all employees be mindful and aware to prevent oversight or carelessness on the job.
Further, there are no software or hardware fixes for stopping an employee from accidentally (or maliciously) knocking out a key business process or system. No employer wants to believe that an employee would compromise a system, but it’s a reality that has the potential to compromise a company’s entire system, causing permanent damage and harming the company’s reputation. According to the Cost of Data Breach Study from the Ponemon Institute, 25% of all data breaches in 2016 occurred as a result of human error. Worse still, the cost of lost business due to a loss in customers was the highest in the US at $3.97 million.
A good IT security consultant (like RED74) can help not only with technical solutions, but can help craft policies and assist with training as well. Business owners should re-allocate budgets if needed in order to provide adequate training for employees. It is recommended that employees receive consistent training that begins before they ever have access to your company’s data. In addition, training should be conducted on an ongoing basis. Annual training is recommended to keep employees up-to-date on industry developments or changing practices.
Good IT technology solutions are important, but they need to be backed by clear policies that come from executive level management. These policies need to be made available to all employees and communicated effectively. Further, they need to be enforced by all levels of management within the company to instill accountability. Businesses might also consider implementing an incident response team to respond to threats and violations of policies.
Beyond providing employees with training and implementing security policies, steps should be taken to minimize risk as much as possible. Businesses should conduct regular risk assessments that cover physical loss of data, data loss in transit, data corruption, unauthorized access of data, and any other scenarios that could cost the company permanent damage or loss of data.
Business owners should also proactively evaluate their relationships with vendors and suppliers to ensure that any business partners are also prepared to deal with protecting and securing any data they come in contact with.
You can also minimize risk by being aware of aware of laws that are pertinent to your industry. For example, the HIPAA Omnibus Rule holds both healthcare organizations and their business associates to the highest standards of protecting sensitive patient health information while imposing harsh penalties for those who engage in noncompliance.
While IT solutions are vital to maintaining a company’s data security, it’s equally important that businesses look to preventing breaches from the inside, too. By providing proper employee training, implementing sufficient security policies, and enforcing those policies, businesses can combat virtually all sources of system security breaches.