The number one threat against the security of your information system is the insider threat. Make sure that your employees know how to safely function with computers. Failing to do so is a lack of due diligence on your part.
Among what employees should know as a bare minimum is listed below:
What type of information does your company process?
What are the employees' basic responsibilities for information security?
What are the components of the organization's password policy?
What are the security best practices that employees should follow?
What qualifies as a clean work area that supports security?
What type of threats should employees be on guard against?
What are some common attack methods?
What actions should employees take when an attack occurs?
What are the company email policies?
What are the company's social media and web surfing policies?
Your employees should be aware of how raw data is processed to create information and how it is used by your business to make important decisions and a profit.
Get it wrong and the company loses.
The people who work for you and third parties who come into contact with your system should be viewed as possible threats. That is why an information security plan should be in place and everyone should be aware. Anything less is the equivalent of having your proverbial "pants down around your ankles".
Every employee is responsible for computer security and the assurance of your digital assets. People who obtain and process company data should be aware of all their responsibilities. Those who work for you need to be aware and accountable.
Each individual who works in your organization should be security aware and know what to do in the event of an attempted or actual attack. Anything less and your people will fail.
Everyone should know how to maintain a safe workspace, in which sensitive papers are removed from view. Workers should know how to lock their keyboards to keep passersby from observing screens and accessing terminals.
All people in the company should know how to create and maintain robust passwords or multi-factor authentication. Passwords should be complex and periodically changed. An organization-wide digital security program should be maintained and periodically evaluated.
Policies relating to security should conform to business and industry best practices. They must be part of each employee's security awareness training. For example, the people who work for you should know that storage media from outside of the office must be properly scanned before introducing it into your information system.
Your people should be aware of the common attack methods that cyber criminals and others use. A seemingly innocent request for information over the telephone could be the beginning of a social engineering attack designed to obtain crucial information to break into the company system.
Email needs be a part of the organization's policies for protecting sensitive information. Once again, having policies should be a part of an organization's due diligence effort to keep cyber criminals at bay and out of your system. Your workers must know how to handle various situations that arise. Simply clicking on a malicious link could compromise your entire system.
The use of social media platforms and surfing the Internet could open up multiple avenues for malicious users into your system. You employees need to know what is considered to be an acceptable practice when it comes to using Internet resources. You company could be found liable, for example, if an employee wrote something disparaging about an ethnic group or your assets could even be used for illegal purposes without your knowledge.
Maintaining the confidentiality, integrity and availability of your company mission critical information requires that those who work for your company should have the tools to do so. Having a formal information security plan is a basic necessity. You are in real trouble and have already lost the battle against cybercriminals if you don't have a plan. And if you do have a plan and your employees are unaware – the same holds true.
You must start treating computer security as a business process.