June 6, 2018
The “People” Component of your Information Technology Security Strategy

NBM is in the business of providing information technology security services, products and solutions to local businesses of all sizes.  Whether managed IT services, firewall protection, spam filtering, anti-virus software, security patch updates, system monitoring, or back-up software, these products and services enhance the security of your network, mitigate IT security incidents, and prepare your network against attack.

But what happens when you’ve prepared and invested in these IT security resources, but your network is still attacked? It happens more than you think. To steal a line from our IT Director: Security is not a product, but rather a series of products, processes, and implementation. There is no single product that can completely secure your network. From our experience, it’s the “people” component of an information security program that puts most companies’ IT infrastructures at risk. You can spend money on IT security tools, but absent end-user education on basic security threats, all that preparation will have been for nothing. All it takes is one employee clicking on a link in a phishing email to upend countless hours of preparation and thousands of dollars on IT products.

The solution: make your employees an integral component of your information security strategy. A member of our military would not prevail in battle without adequate training, no matter how sophisticated his weapons. An athlete will lose a big game if he hasn’t trained for it, no matter how expensive the equipment he is wearing in the game.  The same concept applies to protecting your IT infrastructure: training end users on your information security program should be an essential component of your information security strategy. After all, end users in your business are your first line of defense against any information security attack.  Here are our top 5 tips for incorporating your end users into your IT security strategy:

Train Employees on Basic Security Threats. Do your employees know not to click on a link in an email without verifying its origin, no matter how innocuous it may seem? No level of preparation or sophistication of IT security tools is adequate if employees are not regularly educated and trained on everyday information security awareness.

Train Your Employees on Data Security Requirements. Do your employees know what a strong password consists of? Do they know not to send unencrypted emails containing personal information? Do they know how to send an encrypted file? Education of your end users is the key to protecting your business from data security breaches and the liability that ensues for your business.

Train Your Employees on the Importance of Physical Safeguards. You may have the most sophisticated two-factor authentication system in place, but if an employee leaves his passwords on a Post-it … on his desk … in his unlocked office or cubicle … then that two-factor authentication system is useless. Train your employees on the importance of physically safeguarding passwords and other confidential information.

Password Protect Personal and Company Devices. Employees may view their personal phone as just that: their personal phone. But if they are accessing company email or the company network – or if they store or have access to company information on their phone – it is imperative that each employee password-protects the phone using a strong password and sets the device to auto-lock after a certain period of time.

Put Your Security Plan In Writing. Massachusetts law requires that every company handling personal information of Massachusetts residents develop and implement a Written Information Security Program (“WISP”) to protect such information.  It’s the law to develop and establish information security policies and procedures, reduce those policies and procedures to writing, and most importantly: follow them.

NBM consults with businesses to help them make their employees an integral component of the company’s overall information security strategy. We work with businesses to develop, implement, and train employees on Written Information Security Programs. The best IT security strategies incorporate end users, making those end users an asset to your company’s IT security program and not a liability.

-Amie Geary, Corporate Counsel, NBM