Dan Raywood looks at the thorny problem of IT policies and employees taking them seriously
IT policy has become a more important part of business when it comes to information security as it can act as the first and possibly only way for businesses to keep any control of data without locking users down.
So is it time to consider presenting IT policy in a different format from a 17-page paper document, and to find some way of controlling, monitoring or enforcing it? After all, if an employee signs the IT policy on acceptable behaviour among the weight of HR paperwork that they need to complete on the first day of a new job, and subsequently copies data to a removable device that is lost, could they argue that, as they were not reminded of the policy, they are not liable?
Earlier this year I asked some people whether policy was doing enough to protect IT departments and to educate employees in their correct responsibilities at work. When I spoke to Check Point founder and CEO Gil Shwed, he said that the concept of the IT policy should be better enforced; at the moment, he said, it was simply a throwaway process.
He said: “You sign a document and read the procedures, everybody looks at the pile of paper yet nobody reads it, nobody understands it and we all sign it and people say 'ok we are compliant'.
“Users need to be part of it, and it needs to be easy and simple. If a user makes a mistake, explain to them, show them the relevant policy and ask them if they still want to do that; if they take ownership they will learn and do it better.”
I asked Shwed what his company's solution had been. He said that when a new user joins Check Point they read the policy, which takes about half an hour, and then have to go through 20 questions about it in order to get access to the network.
Research from Guidance Software this year found that 64 per cent of employees had not received any training or material educating them on IT security issues, such as how to avoid downloading malware or how to prevent the loss of sensitive data.
The survey found that while 16 per cent believe that it is the sole responsibility of the IT department to enforce policies to protect sensitive data, 61 per cent believe that all employees are responsible for playing a part in the protection of company data.
Frank Coggrave, general manager EMEA at Guidance Software, said: “IT leaders need to recognise that employees can become a security risk or an important ally in protecting against loss or theft of data or malware, which can have huge financial consequences.
“While it is encouraging that most employees recognise that they have a part to play in data protection, almost one in four (23 per cent) clearly does not even see that security is an issue. Organisations must provide security education and guidance to employees so that employees have clarity around the very important role they have in protecting sensitive data.”
Elsewhere it was suggested to me that if a policy document was shortened to four pages with a test at the end, it would encourage the reader to at least read some of it in depth.
Asked what a realistic solution could be, Christopher Miller, CEO at Password Gear, said: “The first thing is to design a document that is shorter, clearer and more practical, instead of chucking in everything and using it to blame the employee when something goes wrong. Secondly, just like hackers are migrating from being backroom techies to being masters of the art of social manipulation, IT staff need to become more skilful at encouraging compliance.
“Thirdly, you need buy-in and enforcement at the top level, because if directors are blatantly disregarding it, everyone else is too and there is little legal comeback on anyone. I would suggest an annual review of policy at the minimum and summarise the changes, as well as issuing a new document.”
Craig Coward, director at Context Public Relations, said that another problem with IT policy is the capability to cover personal devices too, particularly when access to certain sites is banned or locked out from their desktop PC.
He said: “If you're looking to control data losses and leaks by email or online vectors, then you do need some sort of monitoring tool. Instead of taking a ‘thou shalt not' approach, that tool could incorporate a pop-up dialogue for users, for example ‘you're intending to visit LinkedIn during working hours, this is a site that we monitor usage of, is your visit for business or personal reasons?'
“Holding a mirror up to the user's actions and logging those actions can subtly reinforce policies without heavy-handed bans on access to sites.”
As Coward suggests, creating a side-policy of user awareness could be a simple solution: if the employee understands what they are doing and what the consequences could be, there may be a better understanding all around.
Earlier this year Barclays introduced the Consequences book, a collection of short stories with a message in each in regard to information security and risk. The company told me that it contained messages that it needed employees to read ‘that are vital to the success of the bank'.
Stephen Bonner, former head of information risk management at Barclays whose team spearheaded the book, said: “Our belief is that employees want to do the right thing but if we spark their imagination they will find innovative and safe ways to solve the problem.
“Once they understand the consequences they make the right decision, [we] do not treat employees like kids but you have to capture their imagination and understand that the way information is concentrated has changed the way it works.”
It could be said that the IT policy is not something that has kept up to date with technological advancements, but then again how much input do IT really have into it? Often policy is created by HR in order to remain compliant but left to IT to monitor and manage, therefore leaving the IT department as the responsible party.
Either way, this quiet summer period might be a good time to consider how practical and workable your existing policy really is.