Get the employee on your side

by Abhinna Shreshtha    May 03, 2010

When we talk of a secure environment let’s take a look at all the stakeholders involved. You have the security companies, who keep an untiring eye on what the bad guys are up to, then there is the organization’s IT team who diligently work to identify and secure endpoints. But there is one party that hardly anyone talks about - the employee.

A security vendor once shared an interesting incident with me: an organization was noticing that their competitor was coming out with almost identical marketing strategies. There was definitely a leak, but they could not figure out where. While analyzing data usage (the company had a data monitoring solution in place) they realized that an employee was mailing the marketing strategies to a friend at the competitor. The employee had no idea that it was leading to such a serious issue.

Unfortunately, such incidents are hardly rare, and what compounds the problem is that in most cases it is not malicious intent but, as in this example, just sheer stupidity or carelessness on the part of an employee.

One might argue that this is exactly why security policies are in place, but wouldn’t it be better if, instead of just putting in policies and expecting employees to follow them blindly, employees were made aware of the hazards involved with irresponsible use of privileges?

A shortfall with too many IT policies is that they tend to create a dystopian atmosphere. Even if you leave aside the morale issues, a resourceful employee can always find a way to circumvent security defenses. On the other hand, if you explain to your workforce just why they cannot visit Facebook while in office or why they can’t send sales pitches to their Gmail, it could make all the difference.

The prevalent opinion in today’s organizations is that security is a technical responsibility, and this is something that needs to change, and fast.

A possible approach could be to start with a list of do’s and don’ts for the employees, followed by regular ‘sessions’ where employees are educated on the myriad vulnerabilities and risks out there, while also being informed about the latest happenings in the security world.

Unfortunately, this is easier said than done. Some organizations have started along these lines, but they form a minority, and most of these efforts are not structured properly or conducted seriously enough.

It is high time we realized that security is more a matter of outlook than a technical problem that can be rectified by swishing a magic wand. Creating a security-enlightened workforce, if you will, is a difficult proposition but not an impossible one. We go through security checks at airports and hotels without raising a question, don’t we? It’s just a matter of extending this mindset towards information security.