How can you protect your data by raising awareness among your employees?

How does company data become compromised? Very often, a breach starts with an employee who did not follow basic practices for protecting confidential or sensitive data. The practices below will help you raise your employees' awareness of data security risks and get them into basic security habits.

1. Organize data protection training sessions

To involve your employees in protecting company data, you need to meet with them regularly and explain good security practices.

Organize data security training at least once a year. You can run these sessions jointly between HR and IT management, for example, or entrust them to an external organization specializing in network and data security.

During these sessions, explain clearly which of your company's data is sensitive or confidential, and what the consequences are of not protecting it properly. Emphasize the risks to the company, but also the risks employees face individually.

To help you organize these training sessions, you can rely on the Cybermalveillance.gouv.fr awareness kit: its content is published under an open license and can therefore be fully adapted to your company.

Finally, be sure to include a question and answer period in each session so that you can check that your employees have understood.

2. Make the adoption of strong passwords mandatory to protect your data

For every online service or software account, you should require your employees to choose secure passwords.

Here are some simple rules to help them create secure passwords:

  • Choose a long password (12 characters or more) that includes letters, numbers, and special characters; length protects more against guessing than any single special character.
  • Do not use easily guessable passwords such as your date of birth or the name of your spouse or pet, and do not build the password around them either.
  • Create a different password for each platform or piece of software, whether for personal or professional use, so that one leaked password does not open every account.
  • Use a password manager to store all your different passwords, such as the free tool KeePassXC.

Encourage them to change each of these passwords regularly by circulating an informational notice within the company, and ideally by enforcing a password policy on your domain controller. One caveat a practitioner should know: current guidance (NIST SP 800-63B, for example) favours changing a password immediately whenever compromise is suspected over forced periodic expiry, because short expiry periods push people toward predictable variants of the same password; if you do enforce expiry, pair it with a minimum length requirement. Finally, remind them never to share their login credentials with third parties.
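As an added illustration (this script is not part of the original article nor of the Cybermalveillance.gouv.fr kit), here is how an IT team could turn the rules above into an automatic check, for instance when reviewing a shared account or a password manager export. The minimum length of 12, the small list of known-weak passwords and the sample "personal terms" (birth year, pet name, spouse name) are constructed for the example, not real breach data.

```python
"""Password-rule checker: an added example, not code from the original article.

It applies the rules listed above (length, character classes, no personal
information, no reuse across accounts) and reports every violation, so the
user learns what to fix rather than just "rejected".
"""
import hashlib
import re

MIN_LENGTH = 12  # assumption: length is the rule that matters most

# Constructed sample of passwords known to be weak (a real check would use a
# breach corpus or an online "have I been pwned"-style range query).
KNOWN_WEAK = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(password, personal_terms=()):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = [
        ("letters", re.search(r"[A-Za-z]", password)),
        ("digits", re.search(r"\d", password)),
        ("special characters", re.search(r"[^A-Za-z0-9]", password)),
    ]
    missing = [name for name, found in classes if not found]
    if missing:
        problems.append("missing " + ", ".join(missing))

    lowered = password.lower()
    if lowered in KNOWN_WEAK:
        problems.append("appears in a known-weak password list")

    # Birth dates, spouse or pet names must not appear anywhere in the password
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information ({term})")
    return problems


def fingerprint(password):
    """Hash a password so reuse can be detected without keeping the password itself."""
    return hashlib.sha256(password.encode()).hexdigest()


def find_reuse(vault):
    """Given {account: password}, return the groups of accounts sharing one password."""
    groups = {}
    for account, password in vault.items():
        groups.setdefault(fingerprint(password), []).append(account)
    return [sorted(accounts) for accounts in groups.values() if len(accounts) > 1]


if __name__ == "__main__":
    personal = ["1985", "Rex", "Marie"]  # constructed: birth year, dog, spouse
    for candidate in ["Rex1985!", "Tr0ub4dor&3-clef-jaune", "password"]:
        print(candidate, "->", check_password(candidate, personal) or "OK")
    vault = {  # constructed export from a password manager
        "mail": "Tr0ub4dor&3-clef-jaune",
        "crm": "Tr0ub4dor&3-clef-jaune",
        "vpn": "Z#9kq!vLm2pW",
    }
    print("reused across:", find_reuse(vault))
```

The reuse check only ever handles hashes of the passwords, so it can be run over an export without the script itself becoming a second place where the passwords are written down; run it on the employee's own machine and delete the export afterwards.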

3. Raise their awareness of the need to separate personal and professional internet use.

Your company's data can be put at risk by internet usage that mixes professional and private life.

Therefore, raise awareness among your employees about keeping the two separate by explaining to them:

  • Do not store professional data on personal storage services. The reason is simple: that data leaves the company's control (no company backup, access control or logging applies to it), and the employee becomes personally liable for it.
  • Do not forward messages between your professional and personal email accounts, to avoid making sensitive company data accessible to others.
  • Do not connect to unknown Wi-Fi networks; their poor configuration can compromise the confidentiality and integrity of the data exchanged. Using a public Wi-Fi network remains possible if the company equips mobile devices with a VPN (Virtual Private Network), which encrypts traffic between the device and the company's VPN gateway so that the hotspot operator only sees encrypted data.
  • Watch what they post on social media when they talk about their work or life in the company: posts can be reshared and interpreted well beyond what they intended, and details about roles, tools or projects are exactly what an attacker uses to craft a convincing phishing email.

4. Protect your data and that of your employees by explaining the best practices to adopt

Data security isn't just about internet usage. Other best practices also need to be implemented. Here are a few to share during your training sessions and in your data protection awareness materials:

  • Turn off your devices (desktop, laptop, tablet) when you are not using them;
  • Lock your session whenever you step away from your computer;
  • Do not install new software without consulting the IT manager;
  • Keep equipment and software up to date, especially when the company does not have an IT department to do it for you;
  • Be vigilant with emails containing a link: before clicking, hover the mouse cursor over the link to display the address it really leads to, and compare it with where the text claims to go (on a phone, where hovering is not possible, open the link from the company's own site or application instead);
  • If you have any doubt about the authenticity of an email or a call, do not hesitate to refer it to your line manager or to the IT manager;
  • Never leave your devices (laptop, tablet or mobile phone) unattended;
  • Do not disable security software such as antivirus or firewalls;
  • Be careful with external storage devices such as USB flash drives or external hard drives, which may carry malware;
  • Do not connect unknown USB devices to a company machine, and conversely, do not connect company removable media to unknown equipment;
  • When using public transport, do not leave your equipment unattended.

These good practices must become second nature for your employees, who must be extra vigilant whenever they process or use your company's data.
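The "hover over the link" check can also be automated, for example in a mail gateway or in a small tool the IT manager runs over a suspicious message an employee has reported. The following script is an added example (not code from the original article): it extracts every link from an HTML message body and flags the three classic disguises, link text that claims one destination while the address points elsewhere, a "login@host" address where everything before the @ is decoration, and a host outside the company's domains. The sample message and the TRUSTED_HOSTS set are constructed assumptions.

```python
"""Email link audit: an added example, not code from the original article.

It does mechanically what a user does by hovering: compares where a link
says it goes (its visible text) with where it really goes (its href).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"intranet.example.com", "example.com"}  # assumption: company domains

# Visible link text that looks like a URL or a bare domain name
DOMAINISH = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an <a> is link text
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:])


def audit_links(html):
    """Return [(href, text, [reasons])]; an empty reasons list means nothing odd."""
    collector = LinkCollector()
    collector.feed(html)
    trusted = {registrable(h) for h in TRUSTED_HOSTS}
    findings = []
    for href, text in collector.links:
        target = urlparse(href)
        host = target.hostname or ""
        reasons = []
        if target.scheme not in ("http", "https"):
            reasons.append(f"unusual scheme {target.scheme!r}")
        shown = DOMAINISH.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
        if "@" in target.netloc:
            reasons.append("credentials before the hostname (everything before @ is decoration)")
        if host and registrable(host) not in trusted:
            reasons.append(f"{host} is not a company domain")
        findings.append((href, text, reasons))
    return findings


# Constructed phishing-style message body (not a real email)
SAMPLE_MESSAGE = """
<p>Dear colleague,</p>
<p>Your password expires today:
<a href="http://example.com.login-reset.net/x">https://intranet.example.com/reset</a></p>
<p>See the <a href="https://intranet.example.com/policy">security policy</a>.</p>
<p>Ticket: <a href="https://example.com@203.0.113.5/login">example.com</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_links(SAMPLE_MESSAGE):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   !", reason)
```

Note the first lure: the real host is example.com.login-reset.net, whose registrable part is login-reset.net, not example.com; this is why the comparison is made on the last labels of the hostname and not on whether the company name appears somewhere in the address.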

5. Conduct regular internal security tests

To check that best practices are actually followed day to day, conduct regular internal security tests. Agree on the rules with HR beforehand and treat the results as a measure of how well the training works, not as grounds for sanctioning individual employees; naming and shaming makes people hide incidents instead of reporting them.
How do you perform these tests?

  • Send fake phishing messages to work email addresses at random, and track who opens them and who clicks the link.
  • Leave a few USB keys around your premises containing a harmless file which, when opened, reports back to you that it has been run on a company machine and displays a warning to the employee.
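Tracking who opened or clicked a simulated phishing email only requires that each recipient's copy carry a different, opaque token. The script below is an added example (not code from the original article nor from any particular phishing-simulation product): it derives a per-recipient token with an HMAC, builds the tracking-pixel and lure URLs, then parses web server log lines for the tracking host into an open and click report per department. The campaign secret, the employee list, the tracking host and the log lines are all constructed for the example.

```python
"""Phishing-simulation tracker: an added example, not code from the article.

A token derived from the address (HMAC with a per-campaign secret) goes into
each recipient's links, so the web server log never contains names or
addresses, yet the test team can map hits back to people and departments.
"""
import hashlib
import hmac
import re
from collections import Counter

CAMPAIGN_SECRET = b"rotate-me-per-campaign"   # assumption: known to the test team only
TRACKING_HOST = "https://training.example.com"  # assumption: host serving pixel and lure

EMPLOYEES = {  # constructed sample of the campaign's recipients
    "alice@example.com": "finance",
    "bob@example.com": "finance",
    "carol@example.com": "engineering",
    "dave@example.com": "sales",
}


def token_for(email):
    """Opaque per-recipient token; the same address always gets the same token."""
    return hmac.new(CAMPAIGN_SECRET, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def build_message_links(email):
    """URLs to embed in one recipient's copy of the lure email."""
    t = token_for(email)
    return {
        "pixel": f"{TRACKING_HOST}/o/{t}.gif",  # 1x1 image: a hit records an "open"
        "link": f"{TRACKING_HOST}/c/{t}",       # the lure link: a hit records a "click"
    }


# Combined-log-format line with a tracking path: GET /o/<token>.gif or /c/<token>
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "GET /(?P<kind>[oc])/(?P<token>[0-9a-f]{16})(?:\.gif)? '
    r'HTTP/1\.[01]" (?P<status>\d{3})'
)


def parse_log(lines):
    """Yield (kind, token) for every successful tracking hit in the access log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("status") == "200":
            yield m.group("kind"), m.group("token")


def campaign_report(lines):
    """Who opened, who clicked, and the click rate per department."""
    by_token = {token_for(e): e for e in EMPLOYEES}
    opened, clicked = set(), set()
    for kind, token in parse_log(lines):
        email = by_token.get(token)
        if email is None:
            continue  # guessed or stale token (scanners probe these paths): ignore
        (opened if kind == "o" else clicked).add(email)
    dept_total = Counter(EMPLOYEES.values())
    dept_clicked = Counter(EMPLOYEES[e] for e in clicked)
    return {
        "opened": sorted(opened),
        "clicked": sorted(clicked),
        "click_rate_by_department": {d: dept_clicked[d] / dept_total[d] for d in dept_total},
    }


def constructed_log():
    """Access log lines as the tracking host would write them (constructed)."""
    ta, tb, tc = (token_for(e) for e in ("alice@example.com", "bob@example.com", "carol@example.com"))
    return [
        f'198.51.100.7 - - [12/Mar/2024:09:14:02 +0100] "GET /o/{ta}.gif HTTP/1.1" 200 43',
        f'198.51.100.7 - - [12/Mar/2024:09:14:40 +0100] "GET /c/{ta} HTTP/1.1" 200 1207',
        f'198.51.100.9 - - [12/Mar/2024:09:20:11 +0100] "GET /o/{tb}.gif HTTP/1.1" 200 43',
        f'203.0.113.44 - - [12/Mar/2024:10:02:19 +0100] "GET /c/0123456789abcdef HTTP/1.1" 404 0',
        f'198.51.100.12 - - [12/Mar/2024:10:30:00 +0100] "GET /c/{tc} HTTP/1.1" 200 1207',
    ]


if __name__ == "__main__":
    print(build_message_links("alice@example.com"))
    print(campaign_report(constructed_log()))
```

Two practical points the report deliberately reflects: an open is only a hint (many mail clients block remote images or prefetch them, so the pixel under-counts or over-counts), whereas a click is the signal worth acting on; and a new secret per campaign means tokens from one exercise cannot be reused or correlated by anyone who later sees the logs.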

6. Consider using best practice guides to raise awareness about data protection.

You now know some best practices to share with your colleagues. To make sure these practices are regularly reinforced and your data stays protected, circulate the fact sheets that summarize them.

Distribute these information sheets to every new employee on their arrival at the company.

Display them on your premises, adapted so they can be understood at a glance, with clearly visible pictograms. You can also show subtitled videos explaining them in your break rooms.

Keep these practical guides available on your professional storage platform so that they can be consulted at any time.

To create your own practical guides, take inspiration from those published on cybermalveillance.gouv.fr.
