Onboarding new hires usually involves a lot of administrative tasks handled by HR, but there are quite a few important onboarding procedures that relate to security. There are plenty of reasons why security awareness training should be part of every single onboarding process.
Employees are Happy
If employees are known to be potentially the weakest security link, then new hires are an even greater risk. They are unfamiliar with your security policies and have not yet been taught by your company why secure behavior matters and what it looks like in practice. Consider all of the fresh college graduates who enter the workforce every year. Millennials are known for their technology skills but not necessarily for their security awareness knowledge. However, if you use this time of increased motivation and engagement to start educating your new employees about security awareness, you have the chance to start them in the right mindset. Furthermore, empowering your employees through training leads to employee happiness. It makes sense that employees who clearly understand what is expected of them will be more content than those who are unsure.
Use Our Free Tool
TechGuard recommends using a Security Onboarding Checklist as part of your security plan. Implementing least-privilege access controls is a great place to start before the new hire ever sets foot in the door, but know that the work does not end there. Think about it: the marketing department and the accounting department do not need the same level of access to every application. Use our tool to help add a layer of security to your onboarding process for new hires.
You do not know what kind of cybersecurity practices your new employee will be bringing with them, and you should not assume they have any security awareness knowledge before stepping in the door. For instance, have you considered how many employees have not changed their social network passwords in over a year? Moreover, if your new hire will have access to extensive corporate data, you may want to consider employee monitoring software. Of course, you will need to inform your employee that his/her online activity is being watched and why it is vital that your team monitors such activities.
Do They Know Who to Go To?
Onboarding should include educating new employees on how to comply with "if you see something, say something" by confirming that he/she knows who to report a security incident to within your organization, such as the Facility Security Officer (FSO). Also, be very clear about what is and what is not allowed when it comes to using various devices to access corporate data. If you allow remote work and/or Bring Your Own Device (BYOD), a robust policy should clearly outline the expectations around security. These policies should cover Wi-Fi safety as well. All new hires should sign off on the security policies at orientation.
Have Clear Expectations
If everyone receives a guide when they join your company that clearly explains their security expectations, they will be able to refer back to it to reinforce their security behaviors. Do not forget to include a clean desk policy. Employees should never walk away from sensitive documents or corporate data, even for a moment. In addition, they should understand that Shadow IT can pose a risk and clearly know which apps are permissible to use.
Patch Your Software and Your People
Just as we set the expectation that employees update their applications in a timely manner to reduce vulnerabilities, they need to expect to be trained on cybersecurity on a continual basis. If the expectation from day one is that there will be regular training sessions, they will be less likely to show resistance. Confirm that your security awareness training solution covers a variety of topics, including social engineering, and that it is simple and easy to understand. After all, what good are firewalls if your employees are letting the bad guys through the front door? In addition to training, do not forget to provide practice drills that test their knowledge. In other words, phish your employees. Gauge how many would fall for a phishing email. This will help determine whether they are able to put their knowledge to use in real-life scenarios. This part is so important because even if most of your employees pass the test, it only takes one weak link for an attacker to find a way in.
Passwords Don't Belong on Post-Its
Passwords and the use of multi-factor authentication are critical to securing applications. Enforce a detailed policy covering the guidelines for creating passwords, as well as details such as how to store them, restrictions on sharing them, etc. Go beyond just password guidelines. Require them to use advanced security questions for password resets. For example, if the security question is "What's your favorite food?" and the attacker guesses "pizza", they have fair odds of answering correctly.
We are a Team
You'll want to make sure that everyone realizes their role in security for your corporation and that one poor decision can have a company-wide impact. Remember that employees learn from the behavior of their peers, and their own behavior is shaped by what they observe. If everyone follows the security policies, others are more likely to follow suit.
Written by Michelle Stamps
Michelle has over 10 years of experience in marketing and business development across various industries, including government and non-profit. Her background in writing, facilitating presentations and event planning allows her to use her creative skill set, and her relationship-building skills strengthen her ability to understand the role of the human element in cybersecurity and to support positive behavior change. Whether she is out in the community, blogging or developing the next social post for TechGuard, she believes in telling the company's story and uses relatable, real-life examples to connect with our clients. If you know Michelle outside of work, you would know that she loves sunny days and tropical places.