When someone is sick, they can’t help but think about their health. However, life-long preventative health may not become a priority unless someone experiences a serious health issue. The same can be said about information security (InfoSec). Most individuals and corporations may not appreciate its importance until there is some type of security breach. On a personal computer a breach can feel like a personal attack and often affects only one person or family. A breach on a corporate computer system can spread like an unwanted flu virus and affects owners, employees and clients alike.
Why is this? There are different levels of security intolerance. There are those who view InfoSec as nothing more than a nuisance and ask questions like: “Why do I have to take this training every year? Why can’t I install whatever I want on my laptop? Why shouldn’t I store personally identifiable information (PII) locally? Is it really that important to delete records and data based on my company’s data retention policy?” Then there are those who ignore direction from the security office and continually practice unsafe security habits such as: writing down passwords, using the same password for every system login, leaving client information out in the open for all eyes to see, etc. The worst-case scenario is the employee who ignores all security practices and is also the most reluctant to adopt them.
It’s important for an organization to teach security to everyone. An employee needs to understand they are a link in the information security chain, and anyone without proper regard for information security is to be considered a risk. A careless or indifferent security attitude could lead to a mishap which could result in damage to an organization the least of which includes:
So, how can an organization better ensure cooperation and participation by all employees?
A successful InfoSec program is entirely dependent on the employees the policy applies to. Employees must see InfoSec as their own personal responsibility. The most successful InfoSec program is administered from the top down. Yet the most challenging aspect of any InfoSec program is getting buy-in from the top down. Seems a little contradictory, right? Organizations have to teach employees that InfoSec can never be bypassed, even when it is inconvenient.
Negative information security events can and often will impact an organization’s bottom line. In many organizations, employees who are directly or indirectly responsible for a data breach through negligence, or who knowingly violate the InfoSec policy, are subject to disciplinary action, up to and including termination. A tainted reputation or a breach involving a customer’s data will bring into question the security health of an organization.
Creating healthy living habits and visiting the doctor for the dreaded periodic checkups help people prevent serious illnesses. The same goes for InfoSec: a strong program is the key to a healthy organization. Proper support and instruction for all levels of employees ensure a successful endeavor. Addressing risks and vulnerabilities before they are exploited creates a strong security environment. Even though prevention isn’t always a 100% guarantee, secure practices will minimize the impact on organization and client alike.
Daphne Hoover is an Information Security and Business Continuity Director at Chartwell. She is a 20-year Air Force veteran with a background in Information Security. During her time in the Air Force Daphne worked in several different areas of Security from training other members in Communication Security to inspecting Communication Security programs for National Security Compliance. Daphne can be reached at firstname.lastname@example.org.
Craig Mitchell is Chartwell’s Senior Enterprise Solutions Architect and is responsible for all IT systems and infrastructure at Chartwell. These systems reinforce and provide the foundation for Chartwell’s successful and proven methodology. Before joining Chartwell, Craig was a Director and Senior Architect at First Data Corporation where he authored innovative systems and led agile technical groups in support of Credit and Risk, Sales, Marketing, Retention and Sales Support departments. Craig can be reached at email@example.com.