5 Do – Publish policies and educate employees.

Data security is not just the responsibility of the IT group — it also depends on the day-to-day behavior of all employees. But employees need help to become security-aware.

To encourage positive behavior by employees, IT departments need to publish policies that clarify expectations and the reasons behind them, and provide training on the policies and the consequences of non-compliance.

Policies and education should cover:

• Security do’s and don’ts, such as: using strong passwords for applications with confidential information, not opening email attachments from unknown senders, not downloading and installing apps that are not approved by the company or IT staff, not clicking on links to unknown websites, reporting suspicious events, not leaving business information on social media websites and locking computers before walking away from them.

• Backup procedures for both employees and IT administrators, including what files and directories to back up, how often, the backup strategy (full, differential or incremental), when to encrypt, how to verify tests and backups, and how to report backup failures.

• Prohibitions or restrictions on rogue cloud implementations (contracting for cloud-based

applications and services without the knowledge or supervision of the IT group).