Fighting Employee Apathy Towards Security

Eric Vanderburg

Is it irritating when an employee loses a phone containing sensitive company information? Even more irritating is that employees almost consider the loss of such a device a cost of doing business. Absolute Software conducted a survey on organizational response to lost corporate devices, with 750 US employees from various industries including banking, energy, healthcare and retail taking part. The survey showed that 25% of employees said it’s not their problem, 34% were not punished, 21% were given the talk and 30% were asked to replace the device.

If you want to curb this kind of behavior, what should you do? Here are some tips to help you out:

1) Make employees understand what’s at stake. One of the biggest problems is that most workers don’t know the dangers of losing a phone or getting their emails hacked. This is why a company-wide awareness program regarding security measures has to be in place. Employees should be regularly reminded that performing frequent scans on their computers helps protect them from security threats.

In the case of company phones, security procedures should be established for what can be installed and how the phone can be used. The steps to take if a phone is lost or stolen should also be outlined, such as reporting the event immediately so that proper action can be taken.

2)  Remind them continuously about the value of data security and inform them of new threats and changes.   Disseminating information just once won’t cut it because most people are prone to forget. Make sure to remind employees of your security protocols frequently. Don’t think about it as a tiring practice, but one that is necessary to ensure that each individual does what is expected of them.

In addition to continuous reminders, it helps to let employees know about new threats and how they can better protect their data. Instruct them on what to do and what not to do. If they need to change their passwords, tell them to do so.  By making them more involved and aware, they might just learn to pay more attention to the dangers of security threats.

3)  Hold employees accountable.  Merely talking to them about the value of data security won’t cut it. There must be something severe at stake to make them obey and respect rules. For example, Paul Luehr, managing director at Stroz Friedberg, a global data risk management company, mentioned that it’s a good policy to make security not just part of an overall HR policy, but a part of their annual performance evaluation as well.

The keys to making employees care about security procedures include instilling in them what is at stake, continuously reminding them about the value of security, informing them of new threats, and holding them accountable.
