In part 1 of So you have an IT security policy, but have you changed the culture? I discussed how you might think you have documents and strategies in place, but it takes people to implement a security culture, and I also explained how you can get them on board with your security plans. In this part, I talk about how this can be reinforced and policed.
A gentle reminder
Explaining why people should do something is one part of an effective security policy; reminding them to do it is another. A little history helps here: in the Second World War, when the national security effort was particularly critical, campaigns used posters and slogans, along with a sense of group responsibility, to hammer the point home.
“Careless talk costs lives” may be a little strong for the corporate world, but posters around the office with slogans about not sharing passwords, thinking twice before giving out information, and not leaving sensitive documents on your desk are good reminders. So is a system that tells employees at the moment they are about to breach policy, so they have time to rethink their actions before any data leaks.
It is also worth reminding employees that there are other people in other organizations who are looking after their information; so they should be treating the data they are entrusted with in the same way that they expect other organizations to treat theirs.
None of this will be any use unless you police it. Compliance requires proof, which means checking that someone has done something – and taking action based on the results. Effective policing involves use of both carrot and stick: reward people for doing it right; hold them accountable if they do it wrong.
Policing is a problem for many organizations: by some estimates, two thirds of them do not enforce their security policies properly. That has to change.
One way to do this is to appoint someone to hold people accountable. A security ‘czar’ in your organization can help to police security compliance by checking on behavior. This can be replicated more locally by making mid-level and team managers responsible, too.
An even smarter move is to ‘gamify’ security, rewarding people who consistently follow effective security measures (like logging out of systems when they leave their desks, for example).
Although policies are about people, technology is also useful in effective policing. In some cases an organization needs a technical control to enforce a guideline rather than relying on goodwill. Telling people to use strong passwords, for example, is something software can enforce at the point where the password is set: a minimum length and a check against a blocklist of common or previously breached passwords. (One caveat a practitioner should know: forcing a change every month, once a standard rule, is now discouraged; NIST SP 800-63B recommends screening passwords against breach lists and rotating them when there is evidence of compromise rather than on a calendar.) Email and social networking filters, in modern terms data-loss-prevention (DLP) controls, can likewise stop inappropriate information leaving the organization.
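As an added illustration (not code from the original article or from any product it mentions), here are the two technical controls just described written out in Python: a password-policy check that enforces length and a blocklist rather than periodic rotation, and an outbound e-mail filter that flags payment-card numbers (confirmed with the Luhn checksum, so a random run of digits is not enough to trigger it) and classification labels sent to external recipients. The internal domain, the blocklist, the label words and the sample messages are all constructed assumptions for the example.

```python
"""Policy checks that software can enforce (constructed example).

check_password(): length + blocklist + username check, per the NIST
    SP 800-63B approach (no composition rules, no forced rotation).
scan_outbound(): a small DLP-style filter for mail leaving the organisation.
"""
import re

# Constructed blocklist. A real deployment would check against a breached
# password corpus (for example a Have I Been Pwned k-anonymity lookup).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

# Assumed internal mail domain; anything else counts as external.
INTERNAL_DOMAIN = "example.com"

# 13-19 digits, optionally separated by spaces or hyphens, as a whole token.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Assumed classification labels the organisation stamps on documents.
CLASSIFICATION_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)


def check_password(password: str, username: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("is a single repeated character")
    return problems


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment-card numbers: cuts false positives
    from order numbers, timestamps and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_outbound(recipients: list[str], body: str) -> list[str]:
    """Return the reasons an outbound message should be held; empty = allow.

    Mail that stays inside INTERNAL_DOMAIN is not subject to the leak filter.
    """
    external = [r for r in recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if not external:
        return []
    reasons = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            reasons.append(f"possible payment card number ending {digits[-4:]}")
    label = CLASSIFICATION_RE.search(body)
    if label:
        reasons.append(
            f"classified '{label.group(1)}' sent to external recipient(s) {', '.join(external)}"
        )
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Tr0ub4dor&3", "Password1", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, "alice") or "accepted")
    msg = "Card: 4111 1111 1111 1111, ref 1234567890123456"
    print(scan_outbound(["partner@other.example"], msg))
    print(scan_outbound(["bob@example.com"], msg) or "internal, allowed")
```

The password check returns reasons rather than a bare boolean so the user can be told what to fix, which is the "gentle reminder" the article argues for; the mail filter does the same so an audit can later count which rule fires most often in which department.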
Successful security compliance is as much about learning and understanding as about dictating. Compliance audits are not only reporting tools that help tick regulatory boxes; they are also a way to pinpoint problem areas in the organization. If an audit finds that people in a particular department are consistently sharing passwords, that is an opportunity for a conversation with the staff involved. Perhaps the log-on process is too slow, or does not reflect how the team actually works, and the problem can be fixed by reconfiguring the system rather than by disciplining people.
The ideal outcome here is to create a positive feedback loop. A policy is a living, breathing thing, and it should change with the organization. If you audit effectively, you will not only understand how staff are performing, but you will get a sense of what’s working and what isn’t. Staff will tell you how they can perform better, if you’ll hear them. And these suggestions can be used to create a policy that is more suited to your organizational processes. The result? Everyone wins. Your staff are happier, your organization is more secure – and you’ve vaulted the invisible barrier between having a policy for compliance’s sake, and having one that truly protects your organization. That’s effective management at work.
Want to stop the leaks, transform your business and increase your company’s information security? Read this eGuide: Information monitoring, how far should it go?