One might argue that the most important factor in information security is human compliance. The technology propping up your data will function as programmed. It’s Stacy Susceptible and Gary Gullible that you have to worry about!
First things first… Do you have an information security policy in your company? If not, that should be an immediate priority. There is a digital war happening right now and it’s only a matter of time before you become a target. (Maybe you already are!)
Once you have an established security policy, what should you expect of employees?
- They should have read and understood the security policies.
- They should understand that compliance with security policies is absolutely mandatory.
- They should be able to demonstrate a clear understanding of acceptable use.
- They should be prepared for and expect routine audits of their compliance.
Compliance is extremely important. There is no point in having a policy if it’s not followed.
What are some examples of policy violation?
Password sharing can compromise secure systems. It opens the door for unauthorized people to gain access to sensitive information. At a minimum, proprietary data may be mined from your systems. At a maximum, entire data silos could be ransacked.
Sometimes employees think it’s a good idea to share work-related ideas on social media. Maybe, but maybe not. Your organization may have guidelines about what sort of information employees may post about the company. What would happen if someone publicly posted details of private data?
Insecure public Wi-Fi connections can turn personal laptops and mobiles into rogue devices used to extract company data. Employees must understand what activities are safe and unsafe when connected to public hotspots.
Do you allow employees to use personal laptops and devices? What is your policy on protecting company data on personal devices? If an employee fails to back up company data kept on a personal device, that may be a violation.
What happens if an employee violates a policy?
First, it’s management’s responsibility to make sure that employees have the proper training and resources to understand what it means to be compliant. However, once an employee is fully aware of the security policies and has gone through the training procedures, they should expect these responses to security violations:
- According to the established disciplinary process, the organization could initiate disciplinary action against the employee.
- Violating the information security policy would also be a violation of the employee code of conduct.
- Suspension or termination are very real outcomes for an employee who violates security policies.
- Employees should expect that a security violation would impact pay, rewards, incentives and promotions.
- If that’s not enough, there may be very real legal consequences for an employee who breaks compliance.
There have been career-ending cases of noncompliance in recent years.
What should you do next?
Obviously, it’s extremely important to have a security policy in place. Beyond that, you should ensure that all employees fully understand the policy and its implications. Taking it one step further, you and your employees should be prepared to perform regular audits of information security compliance.
If you are new to information security policy management, find a trusted partner who understands the ins and outs of information security. Years down the road, you will thank yourself for keeping your organization safe from these hidden threats.