So, you have the best firewall, intrusion-detection and antivirus systems technology has to offer. Yet, despite your Fort Knox approach, you're still hit with security breaches and the occasional malware du jour. One reason for this may be the lack of motivation by your workers. Unlike owners, they don't have a direct interest in the success of the company. Or do they? How far are they willing to go to ensure corporate success?
Usually, not very. In fact, in most cases, they don't put much additional effort into executing their duties -- just enough to get the work done and retain their jobs. According to Ken Shaurette, information security solutions manager at MPC Technology Solutions, however, "a too-often overlooked way to improve these attitudes is to include information security in the job descriptions of employees." When your organization makes security awareness and policy compliance mandatory, the apathetic trend can be reversed.
When management requires security policy compliance to be a key part of an employee's job, interest is generated. An added benefit is that security becomes part of the corporate culture. With performance reviews (hence, possible raises) looming periodically, employees are more apt to fit compliance into their daily routine. Knowing that they're being graded encourages employees to comply with policies.
Shaurette encourages employers to include a wider cross section of employees in the interview portion of security assessment and in compliance reviews. These additional personnel will automatically gain a better awareness of security issues simply as a result of their exposure to security professionals. Not only will they add their input as to what data should be gathered for analysis, but they'll also come away with a better appreciation of the need for assessments. When they're a part of the compliance review, employees "will get a sense of ownership of the final results from the assessment," says Shaurette.
Inclusion alone won't always solve employee-apathy problems, however. Here are some other ways to reduce security risks created by employees who just don't care.
Monitoring. One solution that maybe isn't palatable but certainly is effective is employee usage monitoring. Tracking employee PC use can result in negative repercussions for the company, but it's one sure way to establish control over the network. Monitoring needs to be carried out in such a way that employee dignity is protected -- a daunting task because few tools are available to automate the process. "Doing the monitoring can become a very heavy administrative burden or require many application modifications that are often not even possible because applications are vendor-maintained," says Shaurette.
Restricted access. Limiting or retracting network access can also reduce (if not prevent) the impact of employee apathy, according to Simon Heron, managing director of Network Box. With the IT manager in control, "signatures for antivirus and antispam can be pushed to the gateway and to the desktop from central company servers," says Heron. The manager is in control of downloading the signatures, and the manufacturer can push software updates onto the gateway to ensure that it's up to date. "This means that the apathetic employee can't get in the way of updating their systems; it takes them out of the equation," says Heron.
Unified threat management. Heron points out, however, that limiting access may not prevent infections altogether. Therefore, many organizations are turning to unified threat management systems. Deploying this type of technology restricts employee access to the Internet for browsing and using e-mail and instant messaging applications.
Endpoint security. It's important to realize that careless use of endpoint devices like laptops and handhelds is one of the biggest causes of compromised security. Recent surveys have found that -- because of outright ignorance of or, even worse, apathy toward security -- roughly a third of users don't even bother using password protection on their devices. This, of course, leaves data vulnerable to hackers and other opportunists, especially if the devices are lost or stolen. Moreover, remote users and mobile workers have been known to pick up viruses and worms on the road, then infect the corporate network when they return to the office.
It's imperative that endpoint devices be checked for compliance with your network security policy. Mandate that all endpoint devices have the latest patches and antivirus software. In addition, your policy should restrict the use of file-sharing and peer-to-peer applications and require certain operating system, browser and application security settings.