The start of employment is the time to give new hires a run down on security measures for your company. Ideally, a formal training session should occur where protocols are covered for security measures. There should also be an Acceptable Use Policy (AUP) for the employee to review and sign. Policies describe what an employee is an is not allowed to do using company computers.
Some companies might instruct employees to only use the computers for business use. Disallowing thumb drives to access computers or forbidding torrent downloads are other examples. If you want assistance developing these policies, CIPHER can provide security consulting and guidance.
In case there is not an organized session to covers security, make sure you explain these points. The conversation should happen face-to-face. Shooting off an email or burying in a sheets of paper could make them get overlooked. Communicate how important keeping secure is for the company and their position.
Here are 4 things new employees should be aware of:
1. Password Security
Passwords are the key to nearly every service someone uses. When a new hire starts, administrators might scribble a password on a sticky note and hand it to them. This temporary password might be too simple. The password is also known by another person and physically available, which make it insecure. Make sure the new person changes their password.
When creating passwords for new services, make sure it is a secure password and not written down in an unsecure location. They can create strong passwords using generator tools or test the strength of passwords created. Secure password managers are available to manage the passwords securely.
2. Unknown Emails and Phishing
New employees are often added to the recipient list of various email lists. Even the inbox of a new hire is filled with newsletters, solicitations and other messages. Old-timers might ignore the constant barrage of spam and not give a second thought. The newcomer cannot discern what is and is not important and they have a hard time distinguish scams and phishing attacks from valid emails.
Brief your new employees about phishing techniques. Emails designed to get you to reveal information or install malware are a constant threat. Look out for the common signs of phishing emails above. Tell them to be cautious with clicking: if you know the sender, you don't click.
3. Installing New Programs
No employee should have the admin rights to install any program, and this should be always a rule.
The new person might be used to having some programs on their computer at home or in prior workplace. Some might be for entertainment and others for productivity. These seemingly harmless programs might contain spyware or malware. Tell the new hire to run their preferred programs by your IT department before even downloading a file to keep them in the loop.
4. Update and Patch
Patching, updating and correcting vulnerabilities must be an IT responsibility as well.
New employees often get the hand-me-down computers of previous employees. They may have been sitting in a desk or closet for months or year! A lot changes since those systems have last been booted up. Take care to update anti-viruses, operating systems and any other program that has patches available. If there is a notification of an update, tell your new hire to notify IT as soon as possible.
Check To Make Sure...
The ultimate responsibility for keeping the employees safe happens behind the scenes. Audit your new hire's acceptance of these practices by checking logs using your SIEM. If the role is especially important, you can even send a test email or attempt to uncover his actions in a simulated situation. Ensure employees have a designated person they can contact should they be witness to an infraction of AUP or Security Policy.
People want to be compliant but they often don’t know what behavior is non-compliant. Notification of security ensures that those users know what compliant behavior is.