Every year there are security issues that hurt companies — their brands, their profits, their customers, and even their employee base.
One of the biggest security breaches was Equifax’s cyber security breach. Not only will it be expensive to help consumers who are newly vulnerable to identity theft, but the breach, along with so many before, could erode trust among American consumers. Your organization’s reputation hangs on whether people, including your own employees, trust your products and services. In fact, some companies have spent millions rebranding to undo the damage from issues to their reputations. Once a company’s reputation has suffered, it’s hard to acquire new customers, keep customers, attract new employees or retain your current employees. It may be difficult to gain partners as well.
Security, including cyber security, is challenging
Security is getting harder to get right and more important to get right. Yet, with more technology come more issues.
Many security issues come from unprotected data or fraud in your own company. That’s why your employees are the first line of defense to protect the company. Cyber security also ensures employees don’t make careless mistakes, like clicking on phishing emails, that can create these loopholes.
And it’s not just cyber security: overall security, including facility security, prevents even cyber crimes and helps protect employees and customers. For example, someone can gain access to a part of the building they shouldn’t and steal data.
When thinking about security, your employees should consider the whole picture. Employees should be thinking about passwords to various systems, giving permissions to files and folders (online and physical files), building access, network security, sharing information online (email, intranet and Internet), protecting people’s names and records, how to store company property, destroying documents, handling secure documents, fraud prevention and avoiding scams. Each of these issues has specific requirements around how to prevent it and how to handle it if it arises.
There may even be issues specific to your industry, like sharing patients’ confidential information if you’re in healthcare or accidentally asking for a social security number (SSN) over email if you’re from a financial services company.
Here are a few things your employees can do to help ensure your organization is secure and protect its brand.
1. Help employees understand why security is important and what to do about it
Don’t let cyber security become an issue. Instead, take the time to train employees and communicate why security is important and what they need to do to help your organization.
Train all employees about security
When it comes to training, organizations sometimes focus on front-line and IT employees, which is important. But they may miss taking the time to train everyone on why security matters. Let’s face it, everyone at your organization needs to understand security.
When training, ensure employees know the following:
- Why security matters
- What the issues are and how to avoid them
- How to spot problems and what to do about those issues – including protocols and processes
Consider all the different ways employees learn, and offer classroom training and online training, and use your intranet to help them keep up with information.
Communicate using all the tactics you have available.
- Use your intranet – such as your security site – to link to training, policies, and procedures. Make it clear from there why security matters. Consider using metrics and information from other locations on how your organization is progressing toward being more secure. Also use your intranet to alert employees when a breach has happened.
- Educate and engage through your intranet news, spotlighting employees changing routines to be more secure. For example, if your organization just bought LastPass to help employees manage passwords, highlight who’s doing it and how it helps. This tactic helps manage change, where using a new system can be cumbersome.
- Send timely emails, without adding noise in the channel.
- Ask executives to reinforce why security is vital and to discuss it at all-employee meetings and on their leader blogs.
- Arm leaders and managers with information, especially ways they can help in the effort. Have information ready for them for team meetings and ask them to share ideas on your intranet.
It’s hard to communicate about everything, but security impacts your bottom line and your company’s reputation.
Practice and test
Some companies provide online testing to ensure employees understand the issues as well as what to do. That data can help determine next steps.
Consider also conducting real-life tests to see whether employees have learned to identify security risks and understand what to do about them. As with fire drills, security personnel, trainers and communicators can learn what went well and what they need to reinforce to help employees should a real-life scenario take place.
Reward and recognize
Don’t forget to recognize and reward employees who understand security, identify risks and problems, and report those risks and issues correctly. For employees who point out issues or fraud, let them know your organization appreciates their efforts, even if for privacy reasons you can’t congratulate them on your intranet.
2. Identify weaknesses and mitigate risk
Hopefully, your company has security experts who understand all the ways your organization is at risk and are working actively and regularly to mitigate those risks. For example, is your organization doing simple things like wearing badges to keep intruders out of secured areas?
Although Communications may eschew involvement, it’s important this team understands what the organization faces – helping to educate employees as well as handling a potential crisis with the public.
On your security intranet site, include tasks and metrics to provide information as well as let employees know how far you’ve come. Again, communicate with employees so they can understand where your organization is vulnerable and what they can personally do about it.
3. As soon as you learn there’s an issue, implement your crisis plans
If your company doesn’t have a crisis plan, it should. The following are ideas that should reinforce what you already have as part of your plan.
One thing to keep in mind: sometimes a breach impacts employees only, stealing their data. It’s important to treat this with the same urgency you would for customers. If employees are impacted, they need the same protections, too. The faster and more thoroughly you deal with these issues, the more apt employees are to continue to stay with your company.
Step 1: Gather teams and address the cause
Before you go external, assuming you can find out what happened speedily, pull your crisis team together. Stop the issue and start working toward a root-cause analysis. Your company should have procedures and protocols to get this information as fast as possible. Get this process started before beginning the next step.
- Get your crisis team pulled together
- Prevent it from continuing, if you can
- Find out what happened
- Identify why it happened
- Begin addressing the issue, including wrapping in training and communication
- Determine whether you need to alert the authorities
Step 2: Communicate to the wider public (and keep communicating)
You may need to contact the police or other organizations (such as the FBI), who may give you limits to what can be discussed during an open investigation. Also, use your crisis team to develop and execute plans. For example, before PR begins, your legal counsel should be reviewing and guiding the information you share to understand the risks.
Assuming there aren’t boundaries:
- Let employees and customers know what happened, how you’re addressing these problems and how you’re helping them now and into the future
- Provide various services to them
- Check in on them, providing proactive communication that is empathetic
Addressing the issue promptly is paramount to rebuilding trust. When dealing with people, trust is everything. For example, one of the biggest criticisms about Equifax isn’t that they had a breach, it’s that it took a while before they communicated to the public about the breach.
Some of the services that may be needed
When they learn about security breaches, many organizations offer assistance to impacted employees and customers, including:
- Provide identity theft services to watch their accounts for at least a year, free of charge.
- Add Employee Assistance Program (EAP) services, perhaps extending it to customers, to help with the emotional issues associated with data theft.
- Consider asking trusted individuals, customers or employees, for feedback. They may give you insight into what others are thinking – concerns you can address or additional services you can provide.
Security is everyone’s concern. By taking the time to prevent security issues and deal with them properly, you minimize company risk. It also enables you, should a problem arise, to save major headaches for your company, its employees, its customers, and even yourself.