Someone Left The Keys In Your Compliance System
Information security is at the mercy of your entire staff's habits
Do your employees leave their car keys in the ignition with the door unlocked? What about leaving their wallets unintended in the cafeteria? Or do they post all of their passwords as Facebook status updates?
Those may seem like outrageous things your staff would never do. Then why is it when we all get to work, it is common to find the organization's important information assets have been left "running with doors unlocked and the keys in the ignition?"
More Security Insights
- 10 Steps to Cleaning up Active Directory
- The Active Directory Management and Security You've Always Dreamed of
- Innovations in Integration: Achieving Holistic Rapid Detection and Response
- COBOL in the Big Data Era: A Guide
Whether at your business or someone else's, you've all seen the passwords scribbled on Post-It Notes and scraps of paper. Plenty of offices share a common administrative login, and one key on a hook unlocks everything in the office. It makes daily tasks easier to leave things open.
Add to this the social resistance to any increase in security. "You don't trust me! I thought the boss said we were all in this together," is an attitude that will manifest itself as either a loud, vocal protest or a silent, seething resentment.
So if everyone is so trusting of their colleagues, why don't they all leave their keys in their cars and their cash on their desks? I'll tell you why: Their cars and their cash are their personal property; the organization's information and reputation isn't.
Those among your staff trust each other with business assets because it's less effort than treating private information as if it were important personal valuables. "Yes, I know I should be better about security, but I've got all this work to do, and all that security just slows us all down.” In places where security really is overdone (which is a topic for another day), that can be a reasonable point. However, the problem is this excuse is used for almost anything perceived to add even a few seconds to the day's tasks. And, honestly, too many employees don't believe information security is an important part of their routine responsibility.
We may like and trust our colleagues, but even if you have a great team, things change, and people change, too. Desperate times, hidden anger, and other pressures can change someone and urge them to behave in ways that would surprise not only their co-workers, but also themselves. And it only takes one person in a time of weakness or revenge to steal a car or dump private patient data on the Web.
Locking the car and keeping an eye on personal cash does take an extra step. But as it becomes part of our routines, we stop thinking about them much. In the same way, a few extra steps to secure the organization's valuable information become habitual, almost second nature, after they've been repeated several times.
Make it clear to your staff that, like the locks on the car, information security is about keeping the dishonest and unpredictable people out, and the entire company has a part in it. Compliance standards protect a company's staff as much as they protect their companies and their clients; compliance protects their jobs. Once your staff understands this, they are in a mindset to better remember to add a couple of routine, but crucial, tasks to their days -- alongside locking the doors and keeping up with the keys.
Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.