We focused on the concept of risk behavior in a business environment. To summarize: it’s the set of behavioral patterns that indirectly threaten data integrity and personal or business security. In some cases, internal threats are malicious. But most of the time, human error and unsafe practices are what create risk profiles and Shadow IT.
Addressing Risk Behavior
All organizations are different. Their infrastructure and goals vary, so no single solution exists for mitigating risk behavior (or for cybersecurity policy in general). That’s okay, because plenty of foundational rules can be established and built on to achieve security goals.
We’ll examine several steps that help improve risk management.
Establish Guidelines and Educate Workers
In many cases, staff are unaware they’re even engaging in risk behavior. Casually sharing a password or saving an important file to external media seems benign in the short term. They’re not thinking about concepts like “Shadow IT,” just about getting their job done.
Creating simple guidelines and informing workers about data risk is the first step toward reducing risk behavior.
Some examples include:
- Increasing password and login complexity requirements
- Requiring tools like MFA on all relevant company-facing devices
- Discouraging or disallowing the use of external storage media for company files and data
Today, even general cybersecurity education and training are helpful. Workers who know how to recognize phishing emails or malicious links, for instance, will practice safer habits.
Network segmentation is another fundamental way to protect against risk behavior, and it’s a healthy cybersecurity policy in its own right. Essentially, network segmentation splits up the business WLAN so users can only reach the resources they’re authorized for. For example, customer support operates in its own network segment and cannot access the organization’s financial information.
Therefore, if risk behavior creates a threat scenario, the damage is limited to the affected segment of the business network rather than spreading across all of it.
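To make the segmentation example concrete, here is an added illustration (not from the original article) of how a segmentation policy can be expressed as a default-deny allow-list and checked before it is pushed to a firewall or VLAN ACL. The segment names, subnets, ports and sample flows are all constructed for this example: a support segment, a finance segment, and a small shared-services segment (DNS and an internal HTTPS portal) that both are allowed to reach. The `reachable_segments` helper shows the point of the paragraph above: a compromised support host can only reach the segments the policy grants it, so the blast radius stays bounded.

```python
"""Model a segmented network as a default-deny allow-list and test flows against it.

Constructed example: segment names, subnets, ports and flows are hypothetical
and chosen for illustration only, not taken from any real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical segments (constructed). In practice these map to VLANs/subnets.
SEGMENTS = {
    "support": ipaddress.ip_network("10.10.0.0/24"),
    "finance": ipaddress.ip_network("10.20.0.0/24"),
    "shared-services": ipaddress.ip_network("10.0.0.0/24"),  # DNS, internal portal
}


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src segment to dst segment on the given ports.
    An empty port set means any port (used for traffic staying inside a segment)."""
    src: str
    dst: str
    ports: FrozenSet[int]


# Allow-list. Anything not matched here is denied, including support -> finance.
ALLOW_RULES: List[Rule] = [
    Rule("support", "shared-services", frozenset({53, 443})),
    Rule("finance", "shared-services", frozenset({53, 443})),
    Rule("support", "support", frozenset()),
    Rule("finance", "finance", frozenset()),
]


def segment_of(ip: str) -> Optional[str]:
    """Return the segment containing ip, or None if the host is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def flow_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default-deny evaluation: a flow passes only if some rule explicitly permits it."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False  # unknown hosts get no access at all
    for rule in ALLOW_RULES:
        if rule.src == src_seg and rule.dst == dst_seg:
            if not rule.ports or dst_port in rule.ports:
                return True
    return False


def reachable_segments(src_ip: str) -> List[str]:
    """Segments a host could reach if compromised: its blast radius under this policy."""
    src_seg = segment_of(src_ip)
    return sorted({rule.dst for rule in ALLOW_RULES if rule.src == src_seg})


def evaluate(flows: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, bool]]:
    """Evaluate a batch of (src, dst, port) flows and return each with its verdict."""
    return [(s, d, p, flow_allowed(s, d, p)) for s, d, p in flows]


# Constructed sample flows: support host trying finance share, DNS, SSH, etc.
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.20.0.8", 445),   # support -> finance file share: denied
    ("10.10.0.5", "10.0.0.2", 53),     # support -> shared DNS: allowed
    ("10.10.0.5", "10.0.0.2", 22),     # support -> shared SSH: denied (port not listed)
    ("10.20.0.3", "10.20.0.9", 445),   # finance -> finance: allowed
    ("192.168.1.1", "10.20.0.9", 443), # host outside every segment: denied
]

if __name__ == "__main__":
    for src, dst, port, ok in evaluate(SAMPLE_FLOWS):
        print(f"{src:>13} -> {dst:<11} :{port:<4} {'ALLOW' if ok else 'DENY'}")
    print("support blast radius:", reachable_segments("10.10.0.5"))
```

Running the script prints the verdict for each sample flow and shows that a support host can only reach the support and shared-services segments. The same table-driven approach works as a pre-deployment check: keep the intended policy in version control, run the flows you expect to allow and deny against it, and only then translate the rules into the firewall or switch configuration.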
Enforce Device Rules
Some companies use a BYOD (bring your own device) policy for work purposes. Others provide devices for remote workers. In either scenario, it’s important to enforce device rules: policies clarifying what is and is not acceptable when using hardware for company work.
Visiting dangerous or non-work websites, using social media and non-work apps, and installing software that stores login credentials are a few examples of what shouldn’t be allowed under a BYOD policy. Encouraging the use of personal devices is fine, since comfort can translate into increased productivity. However, if it increases risk, stricter rules must be set.
Remember, every device that connects to the business network, remotely or otherwise, expands the attack surface. The saturation of technology with internet capabilities has led to explosive growth in attack surfaces, and you must be ready for it.
Create Individual Backup Plans
BDR isn’t just a company-wide philosophy. It can apply to individual workers as well, and it should. Incident response is fundamental to data protection and to reducing the dangers associated with tech-facing risk behaviors.
A personal incident response plan can follow the general guidelines of the business but be adapted to individual needs. Keeping an external storage device such as a flash drive or external SSD is one example of file backup. Staff should also have a handy list of business IT contacts they can reach in an emergency. That’s especially helpful in remote work situations, where on-site support staff are not directly available.
The examples we discussed are a small handful of ways to reduce or address risk behaviors within a business. But every company is different, and technology shifts rapidly along with new usage expectations. Laying the foundation for healthy policies and risk behavior reduction will better prepare you for what comes next.