How to Make Everyone in Your Organisation an Information Security Officer
Your employees might not know what technological faux pas they have committed to cause a kerfuffle for the IT department. In fact, a recent report in SC Magazine’s Australian edition stated that while the overwhelming majority of organisations have an IT policy governing security, a quarter of employees are unaware of its existence. And 35 per cent of the employees who work in environments with said IT policy claim their IT department provided no rationale or explanation justifying the existence of these security rules.
The good news is most employees are willing to participate in a holistic approach to information security; IT just has to ensure staff know the why, what and how of these guidelines. With the proper education and a reasonable (and understandable) security policy, you can move your organisation beyond a because-I-said-so culture to a secure environment. To make this transformation a reality, consider these guidelines.
- Act as a sales rep for IT security. In this instance, change begins at the top and trickles down. If your managers are wandering around the office connected to the network on personal smartphones (after all, they know what they’re doing, right?), it’s time to get everyone on the same page. In order to push your security message, you have to demonstrate that the higher-ups can (willingly) abide by protocol.
And as all sales reps will tell you, you have to speak your prospect’s language. As you communicate the importance of cyber security and which aspects fall on your employees, remember to not only break down technical points into something digestible but also emphasize the benefits of the policies. When employees understand the implications of their actions, they’re more likely to follow information security guidelines.
- Security starts on Day One. Transforming your information security policies into something simple and sharing them with employees will make great strides in improving security. But what happens when new employees start? Can you trust security-briefed employees to share the policies when their chief concern is training new employees for their real jobs?
Work with your HR department to include IT security training in your organisation’s new-hire orientation. You’ll help immediately set the tone for security responsibilities while ensuring all employees are on the same page. Setting up periodic mandatory cyber security meetings through HR will help employees stay abreast of changes. You could also consider sending out a newsletter or posting an intranet article on the latest IT security updates and possible threats of which to remain aware.
- Your IT security policy is a living document. Technology changes. Current information security protocols become unnecessary. New policies require training and updates. In the last few years, many organisations have struggled with the boom of employees using personal laptops and mobile devices for work, particularly for communicating with clients.
Some IT departments are struggling to stop employees from initiating Bring Your Own Device without addressing the key question: Why are employees using personal devices in the first place? What isn’t IT providing to give employees a technological edge? You must weigh security against productivity to find the perfect balance — and that balance will always be changing.
You don’t have to stonewall employees clamouring for BYOD; you just need to make them aware of how to act when given this privilege. Requiring mobile infrastructure to remain in a trusted, compliant state and centrally issuing security patches and updates to mobile devices are some of the tips Datacom’s Technical Security Services (TSS) unit gives clients looking to institute a BYOD programme.
Once employees know their role in cyber security, and that following procedures won’t hamper their productivity, everyone in the office can act as an information security officer.