The Critical Role Employees Play in Company Security
Written by Tomas Honzak
I’m often asked about what measures companies can take to improve their information security, but I’m rarely asked about other factors that affect security. As I recently outlined in an article on Infosec Island, employees also play a tremendous role when it comes to ensuring a company’s security.
Even the most intricate and well-planned framework can fall apart when it comes down to execution at the employee level. All it takes is one response to a phishing email or one Post-It note with a password written on it to compromise the entire organization. That’s why it’s incredibly important that employees are not only educated about proper security protocol, but that they feel empowered to make suggestions and raise concerns.
First, employees should have a firm grasp of potential risks—like phishing attacks, password security, and equipment protection—and that education effort should be ongoing. Threats are constantly evolving, and only by providing continuous training can companies ensure that employees are prepared with the most up-to-date information.
Second, creating a company culture that emphasizes communication when it comes to security is critical. One person, whether it’s the fractional CISO or another team member, simply isn’t capable of knowing all of the details and minutiae of each department and its processes. If an employee has found a potential gap in company security or has questions about procedures, this should be treated as a learning opportunity for everyone at the company, and it helps to improve overall security. By collecting all of this information, the security team can develop and implement a strategy that better educates and protects the employee and the company as a whole.
Security is a responsibility for every employee, not just the responsibility of the information security team. Emphasizing the need for employees to be proactive and raise concerns before they become problems goes a long way toward reducing the risk of a breach.