Protecting Your Business Data While Using SaaS
As businesses quickly move to work in the cloud, new security needs arise. Using software as a service (SaaS) requires enhanced security to protect your business data and emails from malware, misappropriation, and data loss. This requires security software, hardware, and an employee security training program.
When planning this program, you may hear your managed IT technicians or consultants mention NIST requirements for your business data and SaaS security. They are referring to the National Institute of Standards and Technology (NIST), and specifically to guideline 800-171 (NIST SP 800-171) and its two errata updates, which address cybersecurity.
Specifically, NIST 800-171 covers protecting controlled unclassified information in non-federal information systems and organizations, and that includes your customers’ personal information as well as your business data. Chapter 3, section two (3.2) of NIST 800-171 addresses the need for employee awareness and training, so let’s consider what the training program needs, because security goes beyond the software solutions needed to adequately protect your business data, which include firewalls, anti-malware and anti-virus software, and virtual private networks (VPNs).
Lock down your servers so that employees cannot access any information unless they first establish a VPN connection. Employees in the field should use workplace laptops or tablets that already have a firewall installed, or else they need to install a firewall on their home computer.
The hardware side of security includes locks and a security system for your server room, with a camera system to monitor who accesses the servers. Purchase new hardware as needed to upgrade your systems for improved security. Set up daily or weekly hard-drive scans that go beyond malware checks; these scans catch file fragments and junk files.
Your human firewall matters, too. The term human firewall refers to your employees: they are your first line of defense against malicious actors and faulty files, as well as Trojans and malware.
Your security training program teaches employees how to keep your business information and servers safe. Choose a program that each employee can complete on their own schedule, typically online or hosted on your intranet, and have each employee receive a certificate documenting completion. Annual recertification should also be part of the training, since it provides an opportunity to update the modules with the latest security threats.
Suggested Security Training Topics
When employees understand why specific procedures matter to the safety of the business’s computers and data, they become more apt to follow them. Explaining the proper procedure in a training module and testing the employee’s understanding of it helps keep your business safe. Your training modules should cover the following items.
- Current regulatory requirements for customer personal information (PI) and responsible use. Each employee and independent contractor should understand the legal requirements for protecting PI and their responsibility in this.
- Banned activities, such as using personal social media accounts or gaming on work computers or tablets, and using the work Internet connection for these purposes.
- The company’s procedure for reporting a computer virus, a suspected security breach, suspected key loggers, slow systems, and configuration changes. Employees should also know the company’s document management process.
- Each employee needs to recognize a genuine alert from the security software and from the browsers used on company computers, and must be able to recognize and report a spoofed security message, too.
- The training should teach employees the password creation requirements and how to create a strong password. These password rules should be enforced by the system so employees cannot ignore them. At a minimum, each password should contain one numeral, one uppercase letter, one lowercase letter, and one special character. Also, require a password update every six months.
- While using SaaS can make it easier to keep your computers safe, employees will still try to install software they like if you allow them, and you should not. Unauthorized software on your business computers creates a security risk. Your independent contractors may use whatever software they like on their own computers, but you control what goes onto the work systems they use.
- Teach common-sense Internet and email use, so staff recognizes suspicious emails, URLs, social media accounts, and websites and reports them immediately.
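The password item above calls for the rules to be enforced by the system rather than left to the employee. The following is an added example, not code from the original post, that encodes those rules so they can run on the server at password change and at login. The 12-character minimum length and the 182-day rotation window are assumptions: the article states only "six months" and gives no minimum length. One caveat a practitioner would want: NIST SP 800-63B favors password length and screening against known-breached passwords over composition rules, so treat these checks as the floor the article describes rather than the whole policy.

```python
"""Server-side password policy enforcement (added example, not from the original post).

Encodes the article's composition rules (one numeral, one uppercase letter,
one lowercase letter, one special character) and its six-month rotation rule.
MIN_LENGTH and the exact day count are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

MIN_LENGTH = 12                          # assumption: the article names no minimum length
MAX_PASSWORD_AGE = timedelta(days=182)   # assumption: "every six months" expressed in days

# Strict ASCII classes so a Unicode superscript digit or similar does not
# satisfy a rule by accident.
DIGITS = set(string.digits)
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
SPECIAL = set(string.punctuation)


@dataclass
class PolicyResult:
    """Outcome of a composition check; `violations` lists every broken rule."""
    ok: bool
    violations: list = field(default_factory=list)


def check_composition(password: str) -> PolicyResult:
    """Return all rules the candidate password breaks, so the user fixes them in one go.

    Run this on the server where the password is set; a browser-only check
    can be bypassed, which would let employees ignore the requirements.
    """
    chars = set(password)
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not chars & DIGITS:
        violations.append("no numeral")
    if not chars & UPPER:
        violations.append("no uppercase letter")
    if not chars & LOWER:
        violations.append("no lowercase letter")
    if not chars & SPECIAL:
        violations.append("no special character")
    return PolicyResult(ok=not violations, violations=violations)


def password_expired(last_changed: date, today: date) -> bool:
    """True when the stored password is older than the rotation window."""
    return today - last_changed > MAX_PASSWORD_AGE


def login_decision(last_changed: date, today: date) -> str:
    """Decide what happens after a successful credential check at login.

    Returns "force_change" when the password has aged out, so the six-month
    rule is enforced by the system rather than by a reminder e-mail.
    """
    return "force_change" if password_expired(last_changed, today) else "allow"


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    for candidate in ("password", "Password1!", "Tr0ub4dor&3xyz"):
        result = check_composition(candidate)
        print(f"{candidate!r}: {'accepted' if result.ok else 'rejected'} {result.violations}")
    print(login_decision(date(2024, 1, 1), date(2024, 8, 1)))   # aged out -> force_change
    print(login_decision(date(2024, 1, 1), date(2024, 6, 1)))   # within window -> allow
```

Returning every violation at once, rather than the first one found, is a small usability choice that reduces repeated rejected attempts; the rotation check is separate from the composition check so it can run at login against the stored change date without the plaintext password.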
Purchasing high-quality software and hardware only goes so far. You also have to train your employees to work safely and securely so they can help protect your business computers.