Feature: Engage with employees on IT security, businesses urged

Wednesday 27 March 2013

IT security threats emerge from a variety of sources, most of which - but not necessarily all - are external to the organisation concerned. This means businesses need to ensure they have adequate safeguards in place, in terms of firewalls, anti-virus and anti-malware solutions, in order to mitigate risk where possible.

Internal IT security threats pose a slightly different challenge. This is where the malicious acts of employees or ex-employees - or human error - cause systems to be compromised, potentially exposing sensitive information. Companies need to put safeguards in place to limit the damage individual workers can cause, and part of this involves engaging with them on security issues.

Clearly if a worker intends to do harm to their organisation - and has the required skill and clearance to do so - businesses are left exposed. But the majority of internal security risks are not malicious; they are caused by error. As such, firms have the opportunity to take a proactive approach to reducing security risks, by engaging with their staff in the first instance and preventing costly mistakes from occurring.

Involving employees at an early stage

Business and IT leaders seeking to shut the door on security breaches should ask themselves whether they are doing everything possible to guard their systems and data. Do they have technology solutions in place to defend their systems? And do employees know how to use them, and how their own actions can affect levels of IT security?

According to Malcolm Harkins, chief information security officer at Intel, many organisations can still do more to protect their IT infrastructure and confidential data. He claimed that many firms are forgetting a crucial step as they implement security policies - they are failing to properly articulate security goals to their employees.

Speaking to Computerworld, he highlighted the importance of employees adhering to IT security best practice, but also understanding why it exists in the first place.

"Compliance is necessary, but it's not sufficient," he told the news provider, arguing that employees must fully engage with the security plan in order to meet their own personal responsibilities. "If they're committed to doing the right thing and protecting the company, and if they're provided with the right information, then they'll make reasonable risk decisions," Mr Harkins stated.

Taking nothing for granted

But it is important to remember that not all employees are technically minded, and they will not necessarily have any prior skills or knowledge about security issues. As such, company bosses cannot take anything for granted. They need to ensure rigorous training is available for staff lacking knowledge and understanding in this area, and that all employees participate in reminder/top-up sessions to keep this knowledge at the forefront of their minds.

Undoubtedly, the way employees receive IT security information has a bearing on its practical application. Mr Harkins said it is important for organisations to put IT security threats into context, in order that staff fully understand the processes involved in securing systems and the role they need to play. "You don't want to spin information security compliance as fear," he noted. "Fear is like junk food - it can sustain you for a bit, but in the long run, it's not healthy." He urged companies to articulate security threats in a way that is relevant to the department people are working in, allowing each individual arm of the business to do whatever is necessary to reduce risk.

Weighing up risk and opportunity

There is an obvious need for businesses to mitigate online security threats using technology solutions and best-practice operational processes. But at the same time, decision makers need to ensure the measures put in place do not have an overly adverse impact on employee productivity. Simply telling staff "do not go online" or "do not use mobile technology" will significantly reduce a company's IT security exposure, but it will also be very much to the detriment of company output and profitability.

Mr Harkins explained that a balance needs to be struck, where systems are secure but employees have the freedom and flexibility they need to add value to their organisation. For instance, they may be allowed to use personal tablets and smartphones on company networks, but only devices that are approved by the IT team. And they may be able to carry data off-site on the same devices, provided it is encrypted and the individual has remote wipe functionality should the handset be lost or stolen.

"The more drag you put on information flow, the slower the business velocity, which also creates strategic risk issues," Mr Harkins noted. This is why Intel adopted the mantra "protect to enable" three years ago, he told Computerworld. Mr Harkins said the priority is not to lock down IT assets, but to ensure employees can do their jobs to the best of their ability with a "reasonable level" of IT security protection in place. He said this requires input from the IT team, a clear understanding of overall business goals and priorities, and clear communication throughout the organisation where security is concerned.

Find out how Microsoft security products can keep your organisation's systems and data safe.

Posted by Alex Boardman