What’s your organization’s biggest security threat? If you’re working with computers, you probably already have a strategy for safeguarding your data. But outside of cyberspace, do you have a plan for minimizing the human error risk in day-to-day operations? The humans in your company could be leaving your business wide open to costly breaches.
“To err is human,” as we all know. People make mistakes. Security mistakes are often a matter of low awareness, lack of guidelines, or failure to follow them. Doors left unlocked, valuables left unguarded, even poor lighting can result in a major security breach.
To minimize human security errors, consider the following four priorities:
#1 PROMOTE a Safe Culture
Maintaining a safe culture requires leadership. Executives and managers must routinely send a clear message that they’re serious about security. Employees need to know you depend on their help. Look for ways to reinforce the message in team meetings, company-wide emails, events, and any opportunities that allow you to demonstrate how your company stays safe.
Truly strong security is rooted in a safe culture. Employees are your eyes and ears — incredibly valuable tools for detecting early signs of emerging security threats. If employees believe security is a shared priority, it will heighten their awareness for anything out of the ordinary and may make them feel more comfortable about speaking up.
#2 PLAN Communication Around Security
Communication is the glue that bonds a safe culture. “If you see something, say something” is a great rule to live by. However, the reality is that no one likes to tell on a co-worker, so you’ll need to have a way for employees to report security concerns anonymously.
Create team-building opportunities where employees have a chance to better understand each other, build trust, and form a bond around the common goal of working in a safe environment.
Work sessions should be focused on identifying security threats and brainstorming solutions. Give people opportunities to speak openly about what’s working and what’s not. A staff that openly shares concerns creates a safety net that catches emerging security threats faster and may prevent them from happening in the first place.
Review your security procedures with your staff at least once a year to see what’s working and what’s not. You may even want to consider security awareness training from an outside consultant who can give you an independent assessment. It’s easy to overlook things when you’re working in the trenches every day, so bringing in outside eyeballs to see where you may be exposed can be eye-opening!
#3 PREPARE Policies and Guidelines
Do your employees know what’s expected of them when it comes to security in your company? Policies and guidelines help employees understand expectations and let them know their safety is a company priority. This is the tangible ‘how to’ part of your security plan that provides instruction and direction.
You’ll want to factor in specifics such as access permissions in sensitive areas and documenting which employees are issued keys. Outlining a process related to doors and other key access points is essential.
Visitor check-in policies are also a good idea, even if it’s a basic sign-in sheet. Sign-in sheets can be an important record of who comes in and out of your building. But keep in mind that they’re only as effective as the humans enforcing their use. There’s no point in having a sign-in sheet if people can walk right by it because no one is ever around to stop them.
Schemes like ‘tailgating,’ or quickly slipping in behind someone with legitimate access, are often used to sneak inside a building. Employees need to know what to do if they see a security breach like that happening.
Closing procedures at the end of the day must also be clear. The last person to leave might leave the door unlocked if they think it’s someone else’s responsibility.
Don’t ignore cubicles and desks either. Workspaces can be a goldmine for a variety of crimes against employees and your company. Encourage a ‘clean desk’ policy to reduce the risk of leaving sensitive documents or equipment unattended. Depending on the nature of your business, you might even specify a plan for turning off computers or shredding documentation that could be damaging in the wrong hands. Consider awards for the ‘best kept desk’ or work area to make things more fun!
#4 PRACTICE and Train…Often!
Just like fire drills, companies need to have regular company-wide security drills. It’s a good idea to schedule a ‘real-life’ security breach scenario at least four times a year so people can get a feel for what to do if something actually happens.
Did you know? Mass shooters rarely challenge locked doors. Creating crisis scenarios requiring everyone to lock doors will help them remember what to do in a real situation, but only with regular practice.
Your operational security plan should be a natural extension of your plans for tornadoes, fires, active shooters, and other possible emergencies. Everyone needs to know the escape routes and have a basic process to follow after they escape or if they can’t escape. There won’t be an answer for every situation but knowing there’s a process can boost employees’ confidence and increase the likelihood of a good outcome.
Technology Should Back People Up, Not Constrain Them.
Technology cannot completely eliminate the risk of human security errors, but it can certainly make a big difference. Rallying your staff around your company’s security priorities and then arming them with the right technology tools to protect themselves and their environment is really your best defense.
Technology should always back employees up, not create more work or confusion for them. Investing in a reliable radio system, implementing access controls and taking advantage of network surveillance can streamline the effort and dramatically reduce the risk of security breaches.
Security technology often costs less than you think, especially when you weigh the price against the costs of devastating security breaches, employee injuries and lawsuits. The threats around us every day are very real, and technology can go a long way toward defending against a full-blown crisis.
No one thinks it will happen to them… until it happens to them. Invest in your people. Invest in their safety. Your company’s survival depends on it.