This continues the discussion started in my last entry concerning the importance of personnel training regarding information security. Now, I’d like to focus more narrowly on the types of efforts businesses should consider to minimize the threat posed by their own personnel to information security. Of course, I am assuming the business has implemented appropriate technological measures (e.g., firewalls, anti-spyware software, anti-virus software, intrusion detection systems, etc.). The focus, today, is on what types of non-technological efforts should businesses be making to reduce the personnel-risk. This is an area for creativity and I invite your comments and suggestions about unique or different things that your business is doing in this area.
So what kind of things should businesses be considering when they think about non-technological ways to reduce the personnel-risk? Here are my thoughts:
1. Develop and Implement Appropriate Policies. The business should develop policies specifically describing the rights and obligations of its personnel with regard to technology use and information security. Such policies include Technology Use Policies, Information Security Policies, Information Handling Policies, etc. The important thing to keep in mind and the most frequent fall-down we see from businesses is developing policies that not even a lawyer can understand. Policies must be written clearly and in language the average employee can easily understand. Avoid numerous policies that cross-reference each other. Flipping between various documents to understand a particular point will not be helpful to most employees. Consider adding examples to highlight or clarify important points.
2. Employee Training. As mentioned in my last entry, I believe training is the keystone on which personnel-related security efforts should be based. This means training not only when an employee is initially hired, but also ongoing training. Ongoing training should re-emphasize key areas of the employee’s initial training as well as alerts regarding new threats or risks. Ongoing training can be as simple as sending quarterly “Security Updates” to employees. Each update could focus on particular area of concern. Updates should generally be short, no more than a page or two, and written in very plain English. Technical terms should be avoided. The point is providing the employee with something that can be read and understood in a few minutes. The goal of the update is to convey to the employee the very real threat or risk that is being described. Saying “don’t download illegal music” doesn’t accomplish that goal. Rather, the update should explain the implications of downloading illegal software: clogging network bandwidth, taking up storage space, creating liability for the company, and, most importantly, potentially creating civil and criminal liability for the employee.
3. Exit Interviews. Whenever an employee leaves the company, he or she should be specifically counseled regarding their ongoing obligations to protect the company’s confidential information and systems. This means not sharing or disclosing company confidential information with others, protecting the company’s trade secrets, not attempting to access the company’s systems after termination (and the company should, of course, immediately revoke system access), and keeping the company’s system access procedures confidential.
The foregoing are a start. You likely have other good ideas for addressing the personnel-risk. If you have a moment, please share them with the rest of us.