This article was written by Dr Guy Bunker, SVP of Products at web and email security company Clearswift.
The last decade has seen many changes to the technology landscape, with the likes of Facebook and Twitter exploding onto the social media scene, but along with new technology come new security concerns. Our latest research found that 83 percent of organisations had experienced some form of data security incident in the last year. Security incidents can have a number of repercussions, and whilst many of us assume that the loss of data is the key concern, the potential damage to the organisation’s reputation is just as serious. With this in mind, it is more important than ever that information security is understood, not just in the IT department but across the organisation.
One trend that has been particularly noticed by the HR department is the use of personal devices, known as BYOD (Bring Your Own Device). It is an unrelenting force, driven by employees’ desire to use their own familiar (and often better) equipment to help them do their job better. Our research found that only 31 percent of organisations are accepting or proactively managing BYOD; the rest are resisting it and blocking access where possible (52 percent) or denying it altogether (11 percent). So how should the HR department respond to these cultural changes in the workplace?
The answer is simpler than it might seem, and at its heart is policy. Working with other relevant business departments, HR professionals can help to implement open and transparent policies. Alongside this, it is also important for companies to educate and inform employees about the policy, and HR professionals are key to this being done effectively. Doing so will not only encourage a change in behaviour in the workplace but also give staff the knowledge and understanding they need to apply sensible, practical information security good practice in all aspects of their business lives.
What else can be done to build a tangible IT security policy?
1. All information has a value. Never assume that you are not a target; it might not necessarily be your bank details they are after. Consider your sought-after intellectual property, such as product roadmaps, competitive bids and pricing information.
2. Remember the old, as well as the new. No matter how much research and advice you are given on new threats, it doesn’t mean the old ones have gone away.
3. Education is key. Remember the importance of educating your whole team, from the top to the bottom. Simple things like plugging in a USB they found in the car park or opening an attachment from someone you don’t know could spell disaster. Frequent reminders of the risks, such as those relating to USB sticks, and consequences can be used to drive cultural change and improve information security.
4. Data Loss Prevention. Solutions are affordable, even for small businesses, and essentially stop the critical information inside your organisation from leaking to the outside world. You wouldn’t leave your front door unlocked if you were going out for the day, so why do the same to your business?
5. Data goes both ways. Many employees now bring their own devices to the workplace, so consider a ‘Bring your own device’ (BYOD) policy. Add to this a security product that acts as a gateway, protecting you from threats inside and outside the business.
6. Look at the policies as they relate to business partners and consultants and ensure that they are followed. Likewise look at any that may be imposed on staff by external organizations.
7. Have a procedure to deal with both security violations and security improvements. The HR department can be a great conduit for employees to come forward anonymously with suggestions for information security improvements.
8. Ensure that new employees understand information security policies, and know where to go (for example the Intranet) or who to go to should there be any queries around them.
9. Put additional policies or processes in place for employees when they leave to ensure that any company data they have remains inside the company. This is particularly true for BYOD devices, where the company data will need to be securely deleted from the device before the employee leaves.
10. These days there are often mergers and acquisitions, and it is often the HR department that needs to work hand-in-hand with IT on both sides of the transaction to ensure that the right personnel have the right access. Extend the process to ensure that information remains secure throughout, and that a cyber-attacker cannot exploit the confusion of having lots of new people join at the same time.
Information security cannot be ignored; the consequences to a business should there be an incident are too great, not just in financial terms but also in damage to reputation and even to employees. Don’t forget that whilst there are many new threats, there are also many organisations you can turn to for advice — your security provider to start with, but also associations such as the Information Systems Security Association. All of these can provide valuable information when it comes to keeping your organisation secure.