Not all security threats to your data come from the outside. In fact, you are 2-3 times more likely to suffer an attack from within your company than from an outside hacker specifically targeting your network. Most of these threats will be in the form of viruses, spyware and other malware aimed at your employees.
Every day tens of thousands of new threats are created, and most of them will be delivered to your employees in the form of an innocent-looking email, a shared file, or an infected website. A simple click of the mouse will invite one into your network. So how can we protect ourselves and our data from this onslaught of mischief?
A great first step is educating your users and having a solid company policy that defines your expectations regarding their use of the Internet, email and other network resources. Here are some things to consider when creating an effective policy:
- It should be in writing – Put it in writing and store it in a place that is easily accessible to all staff. Verbal communication in the form of training is great – but it is not enough. The policy should be written, printed out and signed by every employee in the firm. When significant changes are made to the policy, signatures should again be required as an indication that all staff are aware of the new language.
- It must apply to everyone – Resist the urge to grant senior-level executives exceptions to the policy. This is often difficult because of political pressures, but that pressure should be weighed against the potential risk. In a legal challenge, the court can rule that if a policy is not followed consistently, it is as if no policy exists at all. More importantly, these executives typically have greater access to sensitive data, which makes them a more desirable target for would-be hackers. The same applies to IT personnel. While it may be easy for them to circumvent security measures in the policy (e.g. password requirements), their high level of access to company data makes securing their accounts even more important.
- It should be realistic – Policies so restrictive that they are almost impossible to follow will fail in the long run. For example, in today’s world of electronic communication, expecting that staff will never use their email accounts for personal email is largely unrealistic. If staff ignore the policy and send and receive personal mail anyway because nothing actually restricts it, then in effect your policy is not in force – see the second point above. It is better to define realistic expectations in order to create a policy that is not only secure, but flexible and enforceable.
- It should be comprehensive – Make sure to cover all of the potential uses of your company resources and data. Be sure to include policies on securing company data, rules for handling email and downloaded files, restrictions on unauthorized access to sensitive files, personal use of social media and email, remote access to the network, and restrictions on the use of company resources for any illegal purpose. This list is not all-inclusive, but it will give you a good start.
- It should have clear consequences – Your policy should clearly state the seriousness of non-compliance, including the associated penalties. If termination of the employee is a consequence of not following specific sections of the policy, this should be clearly stated.
The SANS Institute is one of the most trusted sources for information security training and certification in the world. They offer a variety of resources to help educate the public on information security.
A company security policy is not your only line of defense against the threats to your data, but if you don’t instruct your users on the proper use of technology, the best you can hope for is that they “guess right”. Having a well-written policy that clearly outlines your expectations, applies to all staff, and has well-defined consequences is a great first step in the right direction.