The Employee’s Role in Cybersecurity: Know, Then Do

JD Supra Perspectives
Contact
LinkedIn
Facebook
X
Send
Embed

Many descriptions of cybersecurity programs and tools conjure images of fortresses and other constructs - “firewalls,” anyone? - that are designed to provide protection against the marauding hordes, silent ninjas, or smooth agents of the community of hackers attempting to gain access to the precious data locked within. As comforting as such images may be, employee access to information and communications can reduce those barricades and battlements to a series of individual entrances to a company’s data. While the familiar axiom of “train your employees” is still relevant -  it is becoming insufficient; beyond simply knowing what to do, more and more employees must affirmatively act to pursue their company’s cybersecurity goals.

What to Know:

To best protect the company’s interests, employees should at a minimum be aware of the various requirements for cybersecurity that impact every employee within an organization, which can be categorized into three primary “buckets” of rules. These will form the framework through which an employee can assess the appropriateness of their actions regarding cybersecurity:

1. The general laws, regulations, and requirements the company is subject to.

Depending upon the company, this can include federal financial and health information privacy laws, state data breach laws, and particular contractual commitments. While not every employee may need to know every individual requirement, some overall knowledge of the breadth of the requirements can provide the appropriate perspective - and caution - beneficial to all employees.

2. Specific policies and procedures adopted by the company with respect to cybersecurity.

The company’s overall cybersecurity policy should set the general direction and overall tone for the company’s priorities and the individual actions of its employees. More targeted departmental policies can bring the company’s goals into focus for the particular responsibilities of employees within those departments. Properly-developed procedures provide employees with guidance to fulfill both company policies and their specific responsibilities towards cybersecurity.

3. Expectations of particular employee responsibility and behavior regarding cybersecurity.

An employee’s starting point to understand what her access to information (and corresponding responsibilities) is often her job description - defining levels of access not only addresses new “need to know” baselines, but may also provide employees with the appropriate perspective on access. This should also be carried through into policies, procedures and practices regarding “ad hoc” access, such as meeting attendance and inclusion on e-mails with sensitive or protected information.

What to Do:

Having provided the employee with cybersecurity expectations from both governing authorities and the company itself, the company’s next responsibility is to motivate the employee to act accordingly. With appropriate mechanisms and incentives, an employee is more likely to put this knowledge to best use within the company and act to support the company’s cybersecurity efforts. As discussed above, knowledge of what to do for cybersecurity is not enough - the employee must understand that she has the power to impact cybersecurity at the company and the right and responsibility to do so. To create that understanding, certain specific ways employees may address cybersecurity within the company should be identified:

1. Particular responsibilities for the employee within the company to raise cybersecurity issues.

Beyond the employee’s individual capabilities in his or her position, an appropriate reporting structure can provide an additional sense of ability and responsibility to the employee. If the employee’s supervisor is perceived by the employee to have appropriate authority, the employee may feel that issues raised to that supervisor will be appropriately addressed.

2. Specific risks for the company in general, and for the employee in particular - and how the employee may mitigate them.

This sort of information should be provided before the employee is given access to the company’s systems. Many of these risks involve e-mail, and risk mitigation efforts are often easy to communicate such as verifying the address of e-mail received and appropriately handling (or forwarding to information security) e-mails from unfamiliar addresses; refraining from opening attachments from or links within unfamiliar e-mails; refraining from communicating protected information, either via e-mail or by phone; and providing both appropriate information security and physical security for remote devices.

It is especially important to include cybersecurity discussions in any group or committee responsible for new product...

3. The role of cybersecurity in the future of the company.

Discussion of cybersecurity issues in officers’ and staff meetings, and in particular specific security measures or efforts, further reinforces the significance of the issues with employees. Including such issues in business-line or issue-specific committees can also help to communicate the impact of cybersecurity in various elements of the company’s business. It is especially important to include cybersecurity discussions in any group or committee responsible for new product.

4. The consequences of his or her action - or inaction.

Ultimately, the strongest motivator for an employee will be the understanding of how her actions, or failures to act, will impact not just the company but her own future within it. At the company-wide level, the employee should understand that cybersecurity efforts are subject to the “trust but verify” standard - while the company may inform its employees as to cybersecurity efforts, and also empower them to take action, it also follows up to verify that appropriate action is taken by its employees. At the employee level, identifying expected fulfilment of that responsibility - through goals established during performance reviews - provides an employee with guidance as to the importance of her particular and individual actions with respect to the cybersecurity.

At the company-wide level, the employee should understand that cybersecurity efforts are subject to the “trust but verify” standard...

Despite the various organizational and technical safeguards that may be put into place, individual employee behavior can work to either undermine those efforts or fill in the gaps that top-down measures can’t always see. Thousands of decisions are made every day to protect a company’s information security structure - or open it to intrusion - every time an employee reviews an e-mail message or uses the internet. Through providing appropriate knowledge - and ways to use that knowledge - companies can take steps to better arm those guards that protect all of the doors into their cybersecurity fortresses.

*

[Tom C. Vincent II is an attorney with the law firm of GableGotwals and a former bank compliance officer. His practice areas include banking and financial services compliance and cybersecurity.]

Written by:

JD Supra Perspectives
JD Supra Perspectives
Contact
more
less

JD Supra Perspectives on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide