Five strategies for creating a culture of information security
Data protection has historically been viewed as a function owned by a few individuals, or the domain of the IT department. However, it is vital that all employees share the responsibility of preventing and mitigating information security breaches.
When an organization creates a corporate culture dedicated to data protection, it provides more disciplined operations, increased customer and stakeholder trust, and minimized risk.
One of the best ways to reduce risk is to implement regular and comprehensive training programs for all employees on the right way to manage, store and destroy physical and digital data. According to the Shred-it 2016 Information Security Tracker Survey, 78 percent of U.S. Small Business Owners and half (51 percent) of C-Suite report that they only conduct employee training on their company’s information security procedures once a year or less. Furthermore, 28 percent of U.S. Small Business Owners report they have never trained employees on how to comply with legal requirements or company information security procedures, and 2 percent only conduct training on an ad-hoc basis.
These results demonstrate that U.S. companies are not prioritizing employee training in their fight against fraud and data breaches. Without effective training repeated throughout the year, employees can unintentionally expose their organizations to serious risks including theft, fraud, data loss and reputational damage.
Senior management must help their teams become more aware of the risks associated with mishandling confidential information. Regular training provides all employees the knowledge and skills to protect organizations from serious risks. It also serves as an important reminder to employees to follow company information security policies and procedures.
The following measures can help ensure employees have a solid understanding of company information security policies, procedures and best practices:
- Commit to a Culture of Information Security: When management demonstrates a commitment to information security, employees are more likely to follow suit. Consider asking employees to take a pledge to make their workplace a more secure environment. Display the pledge in various locations throughout the office. To encourage participation from all areas of the business, consider appointing employees from a range of departments to participate on a committee focused on improving information security practices.
- Repetition and Frequency are Key: Training should occur throughout the year and include various modules on organizational information security policies. Consider a "multichannel" approach utilizing a mix of in-person and digitally delivered video training content to ensure employees are aware of how to handle and dispose of confidential information.
- Out of Sight, Out of Mind: Place visual cues throughout the office to remind employees of their responsibilities in protecting confidential information. Reminder posters, such as the series of office security posters from Shred-it, target common workplace errors and areas that increase the risk of a data breach.
- Go where your Employees are: A growing number of employees are now working outside of the traditional office environment. Ensure training addresses the safe destruction of confidential information for both office and remote workers. Also leverage internal newsletters, intranet news feeds, and employee and corporate social media accounts to provide constant reminders about different aspects of information security that employees can access regardless of their location. Keep the information short to make it more digestible.
- Embed it: Make security best practices a seamless part of daily tasks. Implement a Shred-it all Policy, which requires all documents to be destroyed once no longer needed, and a Clean Desk policy, which encourages employees to clear their desks and lock up documents and small digital storage devices when they leave their workstation at the end of each day or for extended periods of time. When these policies become common practice, there is little decision left to employees on what should and shouldn't be destroyed. In addition, all shredded paper is recycled, adding an environmental benefit to a security solution for businesses.
A well-trained workforce is essential to protecting organizations from a potentially damaging breach. When all employees understand how to manage and identify privacy risks, business leaders are in a better position to protect their customers, their reputation and their people.
Photo credit: Jason Salmon / Shutterstock
Andrew Lenardon is Global Director at Shred-it International and has been a leader within Shred-it’s National Accounts team since 2006. Prior to Shred-it, Andrew worked with national and international brands including Canadian Tire, Whirlpool, AT&T and Allstream in Marketing and Sales leadership roles. While at Shred-it, Andrew has led teams responsible for National Accounts business development and account management across the Commercial, Healthcare and Government verticals. Andrew and his family live outside of beautiful Toronto, Canada.