A sign is posted in front of Meta headquarters on February 02, 2022, in Menlo Park, Calif. Today’s columnist, Rajesh Ganesan of ManageEngine, offers seven tips for getting employees to take ownership of security, one of which is to stop using social media share buttons, as attackers can use them to capture user data. (Photo by Justin Sullivan/Getty Images)

Since the start of the pandemic, nearly all forms of cyber fraud have been increasing. With employees increasingly working remotely and using non-sanctioned devices, it’s more important than ever to ensure that employees are cognizant of privacy and security issues.

Organizations can start by embracing zero-trust principles. They need to follow the principle of least privilege, meaning that users should only have access to the resources required to complete a given task. Moreover, until proven otherwise, IT personnel should assume that every access request has been compromised, and they should authenticate every user's location, identity, location, and device health during every access request. Here are seven ways to get employees to take ownership of security:

  • Embrace a zero-trust mindset across the organization.

All employees should have a zero-trust mindset for these concepts to work. Treat all strange phone calls and emails as potential social engineering efforts. Report shadow IT: devices, software, applications, and services not sanctioned by IT personnel, and flag any anomalous user behavior.

  • Use real-world incidents in quizzes.

Most companies conduct mandatory privacy education courses and quizzes, but it’s only the bare minimum. Have the quizzes include questions related to security events that have occurred both inside and outside the company. This helps employees understand that their decisions and actions can have serious, real-world implications.

  • Issue team-based privacy scores.

This has become an effective tool. After every employee's quiz score has been recorded, teams are given a collective data privacy score, which gets posted on an internal forum. As a caveat, award these data privacy scores at the team level, as this ensures that individual employees aren't singled out. It’s important to have courses and quiz questions related to GDPR or CPRA. However, employees should focus more on underlying principles and less on nuances within particular laws.

  • Focus on principles, rather than laws.

New laws are always being passed, and existing laws are subject to change. While privacy laws are important, it's more important for the staff to understand the principles behind these laws. As an example, teach employees about the principle of data minimization, that one should only collect customer data that’s necessary, and the company should keep that data only for the minimum amount of time needed. Employees should also understand privacy by design, whereby designers and developers think proactively about the privacy and security repercussions that their products can facilitate in the future.

  • Embed contextual hooks in software tools.

To remind employees about important security and privacy issues in real time, embed contextual hooks in the applications they use. For example, if an employee attempts to post another employee's name, email, or phone number in a communications application, set up a chatbot pop up with a message stating: Be wary of sharing your colleagues' personal information. This type of contextual learning occurs organically, in a real work environment, which helps to facilitate a robust security mindset over the long-term.

  • Whenever possible, avoid third parties.

Ideally, it's best to maintain a business model where user information does not get shared for any reason. However, not everyone's business model allows for this. At the very least, organizations should avoid using unnecessary third-party tools.

Unfortunately, many third-party tools use trackers to engage in adjunct surveillance. To defend against this, remove all third-party trackers from the corporate websites. Also, whenever possible, stop using social media share buttons, as attackers can use these to surreptitiously capture user data.

  • Present security and privacy awareness as an ongoing process.

Frequently update corporate quizzes, team-level data privacy scores, and contextual hooks within applications. Employees need to understand that there’s no end goal with security, it’s a constant journey and they will need to learn more and adjust as the threats develop.

If all team members in an organization adhere to these seven suggestions, privacy and security concerns will eventually become second nature.

Rajesh Ganesan, vice president of products, ManageEngine