In the last few years the job of the IT pro has expanded to new heights. As new innovations from storage to data privacy are created, IT pros are constantly having to add to their skillsets to keep up with the pace of today’s evolving technology landscape. For many IT pros it has heavily impacted their workload however it has also given IT pros a great opportunity to learn and develop. While nobody knows the value of time more than an IT pro, one of the most efficient ways to lighten the workload is to invest in educating employees about IT security.
This is largely due to the impact that the actions of uneducated employees have on the IT pro’s day. Every inadvertent or ill-advised click leads to IT pros having to spend time fixing the problem, or patching after a hacker gains access to the network due to an employee’s poor password protection. So why not try to eliminate this and save some time?
Educating employees on effective cyber-security procedures and basic steps on how to take care of IT equipment, as well as implementing software that can pre-empt mistakes made by employees, will ultimately save the IT department time. Investing in education employees about IT security could help you put more time back into your day and there are many ways this can be done.
Employees go rogue
BYOD is now widely implemented across most organisations, but from an IT pro perspective employees using personal devices for work has caused nothing but hassle. Something as simple as an employee losing a personal laptop which happens to have VPN access; or having an employee’s smartphone stolen out of a bag when it is tied into the corporate mail system can lead to vast amounts of corporate data being stolen. This could be catastrophic if data is leaked or worse, compromised. The most efficient way to overcome this is to block unauthorised devices from accessing the network by creating a policy that allows the team to track and monitor devices, switches and ports. To ensure maximum security, develop a ‘whitelist’ of all the devices which are allowed to infiltrate the network and set up notifications if a device attempts to access the network that is not on that list. Then educate employees on the importance of quickly notifying IT when a device is misplaced or stolen so that access can be promptly revoked.
The impact of poor network configuration
The growing workload of the IT pro can be noticed in the rising number of poor networking configuration, often occurring due to it being carried out too quickly by time-stretched IT pros. Insufficient network configuration is problematic as it can lead to employees making unofficial and inaccurate network changes which takes a lot of time for IT pros to change back. However, a way to combat this would be to automate the network configuration process so the procedure could be carried out much more efficiently. Such a tool can be used to perform scheduled network configuration backups, bulk change deployment for thousands of devices all with minimal input from the IT pro, freeing up valuable time. As well as limiting the concern over employees making changes to the network, these tools can also catch configuration errors and automatically notify the administrator of any compliance issues.
Train up the team
It’s easy for IT pros to assume everyone has a good understanding of IT security and the associated technology, but the reality is many don’t - especially in a work environment where it is common for up to three generations who all grew up with different levels of technology exposure to all work together. Therefore, IT pros need to remember that though it might be obvious to check the source of an email before clicking a link and foolish to use ‘password123,’ to others they wouldn’t think twice.
To combat this, the general workforce needs to have a better understanding of the dangers associated with everyday mistakes such as using unsecure cloud storage services, having weak passwords, accessing unsafe websites or copying sensitive data to personal devices.
It seems simple, but the best way to mitigate the risk of human error is to make staff aware of the impact their actions can have and put security at the heart of their responsibilities. For example, it’s human nature to lock the office door if you’re the last one to leave to prevent burglaries. But remembering, or even thinking about, the security risks of accessing sensitive data via public Wi-Fi does not come so naturally. Therefore, employees need to be made aware that by doing so they are making the organisation vulnerable in the same way they would if they didn’t lock up the office.
When the network is compromised by a hacker accessing corporate data through an employee’s device it’s up to the IT pro to find out what has been taken and patch the vulnerability which can take a great deal of time. However, we’d see less errors if employees were aware of the dangers.
A way to start this initiative is to join forces between IT and HR departments to work closely together on an ongoing basis to develop workshops to implement this human-centric approach to data security. Ensuring training is thorough but easy to understand is key to its success. Additional buy-in from senior management is also required to allow employees to take the time out of their days to attend such sessions. Of course it’s still always better to be on the safe side and reduce risk by implementing a combination of employee education and technical controls such as limiting user permission.
Instigating security workshops will help employees learn about security breaches, their potential impact on the business, and understand how they can prevent them in a relevant and engaging way.
Often the excuse for having a weak password is because they won’t remember a difficult one. So inform employees that these complicated passwords don’t need to be 66 uppercase letters interwoven with seven roman numerals and a range of symbols. Instead, set a fun challenge of coming up with four random words and joining them up, and creating an image in your head to remember them all. For example, take these completely unrelated words ‘flag, castle, dog and pizza.’ On the surface these are four completely random words which would be difficult to remember but if you painted a picture in your mind of a dog eating a pizza in a castle with a flag, it will be much easier to remember. And remarkably, such a scheme of for separate words (with spaces) is HARDER to crack than using the usual scheme of one or two words with numeric replacements, such as “d0gp1zz4”.
Ensuring a consistent education policy like this is implemented will help to mitigate the level of damage employees can do as they become more aware of the consequences of their actions, thus freeing up valuable time that IT pros should claim back.
Article by Leon Adato, Head Geek at SolarWinds