Phil Vasic, regional director, APAC, at software security firm Clearswift explains why the growing pace of change in Web 2.0 technology and its integration into existing IT infrastructures make the requirement for a clear, effective and workable IT security policy more important than ever before.
When Web 2.0 technology was introduced, few could have predicted the full extent of its role in changing the way we work and the resulting impact, not only on the security of employee and employer data, but in influencing IT policy.
Just three years ago only one in ten employers allowed staff to engage in social media activity such as Twitter and Facebook. However, recent Clearswift research on IT policies showed that attitudes have changed dramatically, to the point where today nearly three quarters of businesses in the US either actively encourage, or at the very least accept, the use of social media tools in the workplace, while countries like the UK and Germany are not far behind.
The driving force behind this change is the realisation that social media can be used as a business tool that, when used appropriately, can benefit an organisation, and can also contribute to positive staff morale and staff retention. With regard to the latter, our research showed that one in five employees would not accept a job offer if the employer did not allow them to engage in any social media activity during the working day.
So, accepting that, little more than half a decade after the Web 2.0 phrase was first coined, our working structure has changed to the point where business and personal usage can be interchangeable, have IT security and company policies in general evolved to reflect this change?
It is clear that, as technology for sharing information becomes more sophisticated and embedded in our lives, it becomes more important for those with access to data in the workplace to understand what is permitted by the business, and which activities may be putting data security at risk. This is particularly pertinent since, as we have already discussed, employees are no longer furtively checking their personal emails, but openly access and engage with sites like Facebook, or tweet during the course of the working day. This has led to a blurring of lines in the responsibility for company information, opinion, and data going in and out of a business.
In addition, there is the issue of a business’s reputation and of ensuring that there are clear guidelines on what may or may not be appropriate to say on a social media site in order to properly safeguard brand reputation. This is particularly important where social and business networking are interchangeable.
But the safeguards are not limited to a static policy document. While the increased acceptance of Web 2.0 and other collaborative technologies has highlighted the need to look more closely at IT policies, regular communication and training to keep staff updated on the ever-changing social media landscape are prerequisites for a truly effective security program.
The best starting point for understanding the effectiveness of existing security programs would seem to be asking the staff themselves, and it was therefore office workers to whom we spoke as part of a recent Security Awareness Report published by Clearswift. The study explored the extent to which office workers understand the data security implications of their day-to-day activities and highlights several interesting data security phenomena amongst office workers.
Significantly, the Report highlights that there is a trend for over-confidence in the knowledge staff need to keep information safe. This appears to be the main data protection hazard in today’s office environment. It leads to a casual attitude towards IT and a ‘freestyle’ behaviour where data is blindly moved from place to place without consideration of the potential security risks. Alarmingly, 44% of office workers report storing data at work on personal memory devices, 39% download software to their computer at work and 23% use personal accounts on social networks to comment about their job.
15% of office workers in the survey were concerned that they may be inadvertently breaching security policy, with more than three in five office workers attributing security breaches to ignorance or lack of understanding by employees.
The trend toward ‘freestyling’ is compounded by the fact that there is a perceived lack of consistent communication about security policy, and consequently many office workers do not understand their obligations fully. Despite the fact that the majority of office workers taking part in the research consider themselves to be risk averse, both individually and collectively they are inadvertently leaving their employers exposed to data security risks.
This is demonstrated in part by recent cases in the UK when the Information Commissions Officer (ICO) issued the first fines under its new powers to regulate the Data Protection Act. One Local Government Authority was fined £100,000 ($157,000) when an employee sent sensitive and confidential data to the wrong recipient.
A business’s employees are held in trust when dealing with sensitive information and the sharing of data. Therefore, an informal policy, or word-of-mouth update, is clearly inadequate. There is no room for complacency in this rapidly changing environment. IT security policy should be conveyed through an ongoing and effective training program that is regularly reviewed, and that is reinforced by clear communications to ensure staff are aware of any updates and regularly reminded of the policy.
It is important to give managers and staff clarity over what is and what is not acceptable. The policy should be jointly presented by the IT department and HR department, with additional involvement from the PR/Marketing team. So while the policy should include points such as where and when personal time can be taken on computers, it should also encompass why industry regulations, rival companies, etc. should not be criticised on social media blogs and networks, and why it is not appropriate to air internal disputes online. It is important to spell out the potential consequences to a personal, professional or brand reputation so the employee has a very clear understanding of these consequences.
Gaining buy-in is fundamental to the success of any company policy. The starting point of the social media element is a general acceptance that staff should be able to access these tools during their working day (our research showed that 60% of managers trust employees to act responsibly). In addition, the policy should emphasise that the intention is to ensure the safety of the company’s employees and the company’s reputation.
The objective is not to block employees’ use of social media, so the policy needs to be flexible but clearly defined and, as mentioned earlier, clearly communicated with specialist training provided. Above all, if the policy is to be effective, it needs to be enforced and, in the case of an intentional digression, disciplinary action implemented.
This lack of awareness and understanding is backed up by our research, which indicated there is confusion about what it is okay to do or say on work-related social media sites – nearly two thirds say that they aren’t clear about what is acceptable.
The message is a consistent call for clarity and solid communication. There is a need for formalised IT security policies that work in conjunction with overall company policies, especially HR and Marketing, to ensure overall consistency of corporate message.
Putting in place an IT security policy that is clear and flexible, and which is implemented across the organisation, is key to security coming out of the shadows and providing the reassurance that the businesses and their employees need to move forward with confidence.