By Rajat Bhargava Posted June 2, 2016
This blog post is part of a series on Security for Startups. The full list of posts is shown below:
- Securing your Applications
- Securing your Cloud Infrastructure
- Securing your Employees
- Securing your Endpoints
- Securing your Office
As security experts know, the most critical component in the security chain is the user. No matter how great the systems in place or the processes, a mistake by an individual can render all of those safeguards useless. Conversely, an educated employee using strong security practices can dramatically increase the level of security in the organization. The way to educate your employees about security is extensive training. And, while you’re educating your employees, make sure that you as an administrator implement a zero trust security approach, because threats happen from both inside and outside the organization.
Start With Education
To get to the right training for employees within your organization, you need to take some time and develop a security program. By documenting what is important to your organization, it is easier to train your team. The security program doesn’t need to be a complex or long document, but should highlight the important points that you need to cover. In fact, a concise program for your employees is likely to work much better than a long list of items that they need to do or be aware of. Another key part of a security training program is to share why the security control is helpful to the organization and the user.
Key Items to Include In Your Security Training Program
Awareness of an employee’s surroundings is critical. While a startup’s office may be small or may be a shared space, knowing who should be in the office is important. If a stranger is in the office, ask them if they are in the office to meet someone. Hackers will often try the old technique of masquerading as an employee or a visitor. Make sure that your WiFi network is separated for your guests and your employees.
Control over devices
A key responsibility for each employee is to keep physical control over their devices. Whether they are personally owned or corporate owned, devices often carry corporate data. That means a stolen device has the potential to compromise corporate data. Of course, the devices should have strong controls and be encrypted. A key point of emphasis in your training should be to always maintain physical control of your laptops and mobile devices.
While you may setup password complexity requirements for your systems and applications, getting your users comfortable with creating strong passwords is critical. Part of your training should be demonstrating to your team how easy it is to build complex passwords and asking them to create them within the training. If they have to practice by writing the passwords down in the beginning, that’s okay, but make sure that once a trainee does choose a password, that they don’t keep it written down.
Separating Business and Personal Accounts
Sometimes, employees mix their business and personal account passwords. If one or more of these personal passwords are compromised, a risk for the business is created. Encourage your employees to create unique passwords for each of their accounts. Use password vaults which can help create complex passwords, and not force the user to remember them.
Multi-factor authentication (MFA)
Where possible your users should be trained on how to use MFA with their systems and applications. Especially when coupled with a smartphone, the process is fairly simple. Training your users on how to set up MFA using standard tools such as Google Authenticator can pay off for the organization and the employee personally.
Your people are a critical part of your security program. In startups everybody is extremely busy, so encouraging your team to work strong security practices into their daily habits can be beneficial for everybody.