The news has been abuzz recently with two big cybersecurity-related announcements.
- A bug in Apple’s Group FaceTime feature, discovered by an Arizona teenager, allowed a caller to hear audio and see video of the person being called without that person’s knowledge. Ironically, it was announced on Data Privacy Day. (Note: the web site MacRumors has an excellent 2 minute video illustrating the bug.)
- Apple made a second security announcement: it had temporarily revoked Facebook’s and Google’s ability to distribute controversial traffic-capturing applications via the employee-only distribution system of Apple’s developer enterprise program. The Facebook tool, Facebook Research, and the Google tool, Screenwise Meter, were discovered by TechCrunch. Facebook’s tool was aimed at teenagers and paid a user $20 a month to allow the company to track their personal information, as well as their phone and web usage. Google’s tracking tool offered users gift cards for loading a VPN application that monitored their web usage.
What has also made news about these two incidents was the public black eye all the companies have taken as more people become aware of the lack of privacy and security in relation to their digital identities.
- Apple was slow to respond to the reporting of the bug, which was shared with the company back on January 20th, even though it clearly placed users at risk.
- Facebook and Google are being called out for another privacy-related incident in which they seemed to have played outside the rules to capture personal information and habits, putting profit over privacy protections.
These two incidents were clearly focused on individuals and their digital identities and footprints. However, they should also give pause to companies. We know that a person’s digital habits are constant – how a person uses digital technology does not differ between home and work life. So, if a person is lackadaisical with their digital hygiene at home, they will most likely do the same at work. This is especially true if your employees are allowed to use personal phones, tablets or laptops as part of their work (remote employment, work from home days, etc.).
As the Technical Director at Global Learning Systems, a 100% remote work environment, my team and I know this well. Supporting employees across multiple continents can be a challenge. What have we found to be best practices in relation to creating a secure digital work environment for our staff that carries over to their personal cybersecurity habits?
- TRAINING – I cannot stress enough how important this is. For example, with a 100% remote workforce, GLS cannot take advantage of common security practices such as running clean desk audits. Training your employees on the information and data security standards and regulations related to their jobs is critical, as it empowers them to take responsibility for their activities, even if you are not monitoring them 24×7.
- Information Security Program (ISP) – Your ISP is a documented roadmap for your employees. It lays out the best practices and expectations in relation to information and data security. It acts as a knowledge base and a primary resource in your organization. Make sure you have one in place.
- Communication – Turns out, your employees are not mind readers. You must communicate your cybersecurity and compliance standards, as well as best practices and expectations. You should do this on a continuous basis.
- “Open Door” Policy – Your employees should always feel free and confident to ask questions and raise concerns, especially in the realms of information and data security. You should receive these inquiries in a non-judgemental way. Take these as opportunities to teach and reinforce.
- Correct and Explain – If you have an employee who does not follow the rules, correct the behavior immediately, but also take the time to explain. Employees need to understand their place in the security and compliance of your organization. Some rules and protocols seem silly and/or unnecessary if you do not fully understand the need for them. For example, I recently had to speak to an employee about a protocol they failed to follow. The person was dismissive at first until I explained why the protocol was in place. After that, this person became an ambassador for helping spread the word about the protocol and its importance. This never would have happened if I had simply told the employee “do as you are told” with no discussion.
- Be a Role Model – Never put your employees in a situation where they are expected to “Do as I say, not as I do”. If you are not following protocols, why would you expect them to do so? Employees should be able to look to others in the organization as examples of how to do it right, 24×7.
If you are concerned about your employees’ personal cybersecurity habits at work and at home and the impact they can have on your company, here are a few resources that may help.
- Review the webinar, Developing Security-Minded Employees for Defense Beyond Organizational Boundaries. It is a great resource for practical steps for maturing your security culture and tailoring it to your organization.
- Request a free copy of the Gartner Research Note, How to Secure the Human Link. It includes information on
  - Nurturing a holistic cyber secure personal lifestyle
  - Committing to training and reinforcing good employee cybersecurity awareness behavior
  - Trusting, but verifying, employees’ online behavior.
- Check out Leading a Secure Organization, a new course from GLS. It includes modules on Data and Devices, Organizational Cyber Risks, and The Human Firewall.
- Learn more about our Cybersecurity Beyond the Workplace course modules for keeping employees and their families cyber safe.
Announcements like those from Apple, Facebook, and Google will continue to happen. That is the nature of the times in which we find ourselves. However, an investment of time and resources to improve employees’ overall personal cybersecurity habits is essential to building your Human Firewall.