In preparation for the Central Maine Human Resources Association’s program on what employers need to know about IT, we wanted to get everyone thinking about IT policies that any company might have. Most companies use computer-based equipment for some number of tasks, even if they don’t think of themselves as dependent on tech. For example, many companies have a website and maybe a Facebook page as well, and anyone not operating on a cash-only basis is likely using equipment that processes customers’ credit cards. Whose computer is being used? Who has administrative authorization to make changes? How does the credit card machine link to the internet, and what prevents it from being hacked? Do you even know all the electronic devices and access routes to the internet that your company relies on?
The bottom line is that people often become the weak link in any information security program because:
• They make mistakes. For example, they share passwords, use outdated software, and store sensitive data on unencrypted laptops or other mobile devices that are easily lost or stolen. They may not know just how vulnerable their computer or phone is when using public Wi-Fi. And so on . . .
• Cybercriminals target individuals. Email-based and other individually directed attacks, like phishing, social engineering, user credential theft, and malicious software (malware) infections, continue to be common. Phishing is when emails pretend to be from a reputable company but in fact are not, and try to get the recipient’s personal data. Social engineering is when an individual is targeted directly with something that gets them to release data; for example, pretending on the phone to be the IRS, or getting the person to send a photo that the cybercriminal then threatens to post publicly. User credential theft is when the ability to access a system is compromised because the credentials needed to access it are stolen or too weak. For example, getting access to your bank account requires two types of credentials – your bank card and a password.
• Well-meaning employees circumvent controls. Individuals may misunderstand security risks and mistakenly believe they can improve efficiency by bypassing controls. The same dynamic exists with machine safety procedures – that guard or that hearing protection or that safety check of a lift may take more time and employees are under pressure to get things done quickly.
Policies are a good place to start. But only training, reminders, and top-of-mind awareness will carry the day. As a result, you need to have an understanding of the following:
• How technically savvy are most of your employees? How much training and support do they need to understand and comply with your IT policies? Can your company afford it? Can your company automate at least some safeguards and processes to minimize user impact? For example, can you encrypt laptops and phones used for work? Can you set up a system that forces employees to change their passwords regularly?
• How much (if any) control do employees need over the desktops, laptops, and mobile devices they use? Can your company limit user actions, such as employees’ ability to install new software or apps, or to access certain websites or portions of the internet?
• Does the organization support Bring Your Own Device to Work (BYOD)? If so, are resources available to implement mobile device management controls to limit risk? For example, does your company have the ability to wipe a device back to factory settings if an employee loses their device, or refuses to have company property removed when they leave employment? Do you have a policy that gives them notice of what will happen?
So how do you start the process of drafting policies? Well, think of them like other policies you should have, such as non-discrimination policies. Begin with the key principles and values that you want the details to then carry out. In an introduction:
1. Establish information security and protection of company information as a core value of your company’s culture. This approach also helps with protecting trade secrets and other valuable company information, because protection is lost when a company makes no effort to protect its assets until they are taken away. For example, if you have a secret recipe but it sits in the kitchen in a box where anyone can read it, you won’t have much of a court claim when an employee copies it and then uses it in a competing restaurant they start up. You can’t ask for more protection from a court than you strive for yourself in your business.
2. Just as you might with a harassment policy, communicate in policies, meetings, performance reviews, and other communications – from the top – certain principles that your company will try to follow, such as:
a. commitment to protecting the security, confidentiality, integrity, and availability of its information assets;
b. the need to balance business efficiency with information security controls;
c. granting systems and data access, including administrative privileges, to only those with a need-to-know;
d. the organization’s trust in its workforce members, combined with its right to monitor its systems (recognize that telling employees that they should not consider their use of company electronics private, and that you may monitor them, sends a message that suggests you don’t entirely trust them); and
Some tips for keeping the policy relevant and effective include:
• Putting the date of the policy on each version so employees don’t get confused by outdated policies.
• Engaging management to create interest in and support for the policy.
• Reminding employees that:
  • information security affects the organization’s credibility;
  • a strong program may improve its market and community standing; and
  • people are the most crucial part of the information security program.
• Appealing to employees’ own values and sense that protecting company and personal information is the right thing to do.
• Encouraging feedback and questions – on a regular basis.
• Listening to workforce feedback, with a willingness to modify the policy and supporting processes, if appropriate. You will have more employee buy-in if you include employee views, and you will also have more boots-on-the-ground intel from them. What an IT person understands may not be what employees understand or what works for employees.
• Partnering with IT to ensure detailed procedures are in place and effective, and working with someone who can communicate to non-IT folks.