When a company starts to think about information security and protecting their sensitive data, there is very often a fear that new controls and technologies will have a negative impact on company culture. This can especially be an issue when management and IT do not communicate these steps well. Good communication, on the other hand, can lead to the successful enhancement of internal security.
Every company is different
When it comes to employees and how they work, it varies from one company to another. In small and young teams (mainly startups), we often see a great deal of information sharing and trust in employees. This is especially true in agile software development teams. Such environments foster employee involvement in the everyday issues of a company, even when they are not a part of the relevant team.
This type of workplace supports transparency and allows people with different backgrounds to discuss and comment on current problems, but it is also a nightmare for security staff. One fundamental security principle, the principle of least privilege, states that users should be able to access only the information or systems necessary for their work. When this principle is followed, an attacker who breaches one account gains access to only a minimal set of information. It remains in conflict, however, with the ideas of transparency and openness that we see in agile and startup teams.
Other types of organizations prefer a stricter approach to the information flow. In most cases, they use policies and directives to dictate the rules for employees. Roles and responsibilities are often clearly defined, and senior management is commonly seen as the highest authority. Even though these companies don’t provide the degree of freedom found in open environments, that doesn’t mean they are less vulnerable to data security incidents. Even if only a few employees disagree with senior management, audits or productivity assessments, unrest and disloyalty are inevitable.
Organizational insiders can pose a great threat. The greatest impact an insider can have is by leaving a company and taking its know-how with them to start their own business in the same sector. This not only means that there is new competition in the region, but also that the new company is able to underbid the former employer (because it does not need to invest in research & development) and take its customers away. Sadly, this is very common even for small to medium-sized businesses.
Change of mind-set
Company growth and incidents in information security are the main reasons for organizations to start thinking about the value of their know-how and their sensitive data. There are several ways to approach data security:
- Adopt acceptable use and security policies and start with user awareness training.
- Perform an information security audit and revise employee compliance policies.
- Restrict the perimeter (possible data loss vectors) and implement a Data Loss Prevention (DLP) solution.
There are always voices against such changes in “open” organizations. Some employees may understand the policies as a loss of freedom or flexibility. When an information security audit is poorly explained, people can see it as a privacy issue. Management is often afraid that their friendly working environment could turn into a world of restrictions and sanctions.
So, what is the right way to do it?
The essential part of every newly implemented security control is proper communication within the company. If you choose the right words and explain why the change is being made, the chances for success are greatly improved.
Security policies don’t have to be complicated. Try to write them as simply and clearly as possible. The main reason for implementing any security-related change is to protect the company, and therefore also employee jobs. This should be explained to users, too. For many companies adopting new security policies, we have seen that one best practice is to organize security training sessions on the policy before officially putting it into place. Inform your employees about the threats to the company and then explain to them how you can protect it together.
A security audit is another good example of a control that needs to be well communicated. For example, when enforcing a clear desk and clear screen policy, you can turn the security audit into a game or competition. When someone finds an unlocked screen, he or she can change the background or leave a sticky note. You can run a contest to see who collects the fewest and the most sticky notes per month.
You can definitely install software that will help you to monitor data flows and data security incidents, but you need to set it up transparently. For example, you can run regular, time-limited audits, or set up an alert system that notifies your security department of the riskiest data flows – e.g. uploads of your know-how to a public webmail or file-sharing service.
Handling incidents properly can also be tricky. In many cases, disciplinary action or sanctions are not the best way to resolve an issue. In situations where an employer finds out that some employees are looking for new jobs, we find that talking with the employee is a helpful way to discover the real problem and find a way to solve it. In some cases, the employee realizes that he wants to do something else and sees a job change as a way to escape boredom. Rather than losing an employee, a company can choose to reassign him to a different position. For one of our customers, this led to a positive shift in company culture. The audit pointed out problems in productivity and employee satisfaction. This allowed management to think more about how to motivate employees and resulted in more open communication. Team-building sessions and regular one-on-one meetings had a great impact on employee satisfaction.
If you do not want to restrict the freedom of employees in the workplace, don’t. You can choose to filter malicious web content and yet allow users to access social media and games as a way to entertain themselves during work breaks. Content filtering can be seen here as protection against malware that gets into the organization when someone clicks on links in email or visits a compromised legitimate website. Device control is usually used for similar reasons: if an attacker gains access to a computer, for example one in a conference or meeting room, a proper device control policy prevents them from using it to compromise the entire system.
In advanced modes, Data Loss Prevention products like Safetica can, for example, restrict the emailing of sensitive data outside the company domain or its upload to the web. This is not necessary for every company. A DLP can instead be set to a mode that notifies employees at the endpoint of any suspicious data flow (one incompatible with policy). In this way, employee mistakes can easily be prevented. In the case of "...oops, I've sent it to the wrong person!", the DLP prevents the security breach and the sensitive information does not leave the company.
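The two behaviours described above, alerting the security department about risky data flows and notifying the employee at the endpoint instead of blocking, can be sketched as a small rule evaluator. The Python below is an added example written for this page and is not Safetica's code. The company domain, the list of public webmail and file-sharing hosts, the event fields, the risk levels and the three modes (audit, notify, enforce) are all assumptions, and the events it runs on are constructed samples.

```python
"""Illustrative DLP rule evaluation over constructed outbound-transfer events.

Added example for this article; none of the names or lists below come from
Safetica or any other product.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AUDIT = "audit"      # silent: only the security team is alerted
    NOTIFY = "notify"    # employee is warned, transfer still proceeds
    ENFORCE = "enforce"  # high-risk transfers are blocked, medium-risk ones warned


class Action(Enum):
    ALLOW = "allow"
    ALERT_SECURITY = "alert_security"
    NOTIFY_USER = "notify_user"
    BLOCK = "block"


COMPANY_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
PUBLIC_SERVICES = {             # constructed sample list of public webmail / file-sharing hosts
    "gmail.com", "outlook.com", "yahoo.com",
    "dropbox.com", "wetransfer.com", "mega.nz",
}


@dataclass(frozen=True)
class Event:
    user: str
    channel: str         # "email" or "web_upload"
    destination: str     # recipient mail domain or upload host
    classification: str  # "public", "internal" or "confidential"


def is_external(event):
    """True when the transfer leaves the company perimeter."""
    if event.channel == "email":
        return event.destination.lower() != COMPANY_DOMAIN
    if event.channel == "web_upload":
        return True  # any upload to the web leaves the perimeter
    raise ValueError(f"unknown channel {event.channel!r}")


def risk_level(event):
    """0 = no risk, 1 = medium (internal data leaving), 2 = high."""
    if event.classification == "public" or not is_external(event):
        return 0
    if event.classification == "confidential":
        return 2
    if event.classification == "internal":
        # Internal data sent to a well-known public service counts as high risk.
        return 2 if event.destination.lower() in PUBLIC_SERVICES else 1
    raise ValueError(f"unknown classification {event.classification!r}")


def decide(event, mode):
    """Map an event and the configured mode to the action the DLP takes."""
    level = risk_level(event)
    if level == 0:
        return Action.ALLOW
    if mode is Mode.AUDIT:
        return Action.ALERT_SECURITY
    if mode is Mode.NOTIFY:
        return Action.NOTIFY_USER
    return Action.BLOCK if level == 2 else Action.NOTIFY_USER  # Mode.ENFORCE


def process(events, mode):
    """Return (decisions, alerts): the per-event actions and the lines sent to the security team."""
    decisions, alerts = [], []
    for e in events:
        action = decide(e, mode)
        decisions.append(action)
        if action in (Action.ALERT_SECURITY, Action.BLOCK):
            alerts.append(f"{action.value}: {e.user} {e.channel} {e.classification} -> {e.destination}")
    return decisions, alerts


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    Event("alice", "email", "example.com", "confidential"),       # internal mail: fine
    Event("bob", "email", "partner.org", "public"),               # public brochure: fine
    Event("carol", "web_upload", "dropbox.com", "confidential"),  # know-how to file sharing
    Event("dave", "email", "gmail.com", "internal"),              # internal doc to webmail
    Event("erin", "email", "customer.net", "internal"),           # internal doc to a customer
]

if __name__ == "__main__":
    for mode in Mode:
        decisions, alerts = process(SAMPLE_EVENTS, mode)
        print(mode.value, [d.value for d in decisions])
        for line in alerts:
            print("   ", line)
```

In audit mode the same risky flows are reported only to the security team, which is the transparent, non-intrusive starting point the article recommends; switching to notify mode surfaces the "oops, wrong recipient" case to the employee without blocking anything, and only enforce mode actually stops confidential data from leaving.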
Written by Matej Zachar, Project & Security Manager @Safetica Technologies
“You can never be too paranoid.” - that’s what Matej believes in. His passion is security, yet he loves hiking. Other than that, this gentleman also plays guitar and cooks fairly well. In Safetica, Matej is responsible for implementation projects and product delivery.