HR Technology: Closing the Security Gap

Closing the Security Gap

Data protection initiatives should include employee training

Some human resource executives believe that the responsibility for information security rests solely on the shoulders of the information technology department. However, they could not be more wrong.

Employees can play a big part in keeping sensitive information inside the organization and out of the wrong hands. But without the proper education and training, a well-meaning worker can negate the success of your security products. This can put your business at risk and damage the company’s relationships with its partners and customers.

HR professionals should work with the information technology (IT) department to identify weaknesses in security policy, help design an effective training program and implement employee programs that safeguard sensitive data.

An Internet firewall is an essential component of enterprise IT security. A set of programs on a company’s network server protects files, proprietary applications, e-mail communications, etc., from the outside world. Hardware and software firewalls are designed to filter and block unwanted packets of data from entering or leaving the network, thereby protecting corporate data from hackers and other malicious Internet threats.

However, Internet firewalls are often circumvented not by experienced hackers, but by careless employees. Individuals who have not been properly taught how to thwart Internet threats can be responsible for serious security breaches. It is therefore essential that organizations build a human firewall.

The HR department should work with the IT department to design and implement a comprehensive training program that will engage employees and empower them to boost data security and, subsequently, company success.

The need for a human firewall is clear. Most large corporations and government agencies detected computer security breaches during the past year that resulted in financial losses. In an effort to better protect themselves from such losses, many companies have implemented robust, integrated security systems. However, many organizations still fail to manage the security threat posed by their own employees.

To create an effective human firewall, consider these three key components:

• End-user awareness.
  
  
• Specialized training.
  
  
• Management awareness.

The first step in creating a strong human firewall is to perform a comprehensive audit of existing practices and awareness. While this survey may vary for each level of employees, the most important information to gather revolves around these questions:

• What is the existing security policy?
  
  
• Can the existing security infrastructure (including employees) detect security breaches?
  
  
• Would the organization know what to do if a security violation was detected?

End-User Awareness

First, evaluate your end-user environment to determine whether any special circumstances, such as a remote workforce or use of wireless devices, will require extra security. Find out how new employees are trained and if they understand how to operate their computer equipment. Determine if there are any existing security policies and, if so, whether employees understand them. In short, get a handle on exactly which end-user systems are in place, who is operating them and how well trained the operators are.

HR should work with the IT department to develop a questionnaire for employees that includes variations on the following three questions. Keep in mind that having a security policy does not mean that employees follow it, understand it or are even aware of it.

• Is there a security policy that is enforced evenly across the organization? This includes those who have special needs, such as remote workers and those with laptops and personal digital assistants (PDAs).
  
  
• Are there practices and technologies in place that can detect a security breach? Determine what security hardware and software users are running and, more important, whether they know how to use that software.
  
  
• Would employees know what to do if a security violation was detected? Ask end-users what they would do if they suspected a security breach or other Internet threat.

With this data in hand, develop a comprehensive awareness program that will focus on any needs uncovered. This program should include development of appropriate policies regarding computer use that can be easily understood and enforced at all levels of the organization. Work with management to determine an appropriate venue from which to convey the policies and administer training to the employees. Make provisions for recurring training of both new and established workers.

This training should not only outline the company’s security policies, but, also, it should educate employees about simple things they can do to protect company data, such as handling e-mail attachments and creating and storing passwords. Workers who telecommute or travel frequently should understand how to secure their laptop or PDA.

Consider covering topics such as phone fraud, web browsing, e-mail spam, instant messaging and anti-virus updates. Each of these activities can expose a company to unnecessary risk if employees are not properly trained. HR should work with the IT department to uncover key challenges in each area, as well as to develop easy-to-understand security procedures for employees.

Remember that successful awareness programs are much like marketing campaigns: little bits of information distributed often. To accomplish this, use multiple methods of communication. In addition to regular formal training sessions, distribute posters, flyers and e-mail reminders to keep the training fresh. This not only helps the employees remember what they’ve heard, but it also demonstrates that the company’s security policies are long-term commitments.

Everyone in the organization should receive the training, not just new employees or other select groups.

As with all business practices, once the training is complete, follow up with surveys to determine the campaign’s effectiveness. Finally, adapt procedures as security practices evolve. When new technology comes online, be there with security policies at the outset to avoid confusion among staff.

Specialized Training

In addition to generic end-user training, develop specialized security training for specific groups in the organization. These groups may include the physical and information security staff, remote workers, or other employees with specific IT responsibilities. The IT department can assist HR in identifying these groups. Again, you can start out with a survey to determine the level of awareness and any existing policies—both formal and informal.

To perform this audit, adapt the three key questions to each specialized group:

• Is there a security policy in place for this group?
  
  
• Are there practices and technologies in place that can detect a security breach in this department?
  
  
• Would employees in this department know what to do if a security violation was detected?

Once specialized groups have been identified and surveyed, implement a training program that meets each group’s needs.

Again, measure the success of the program and follow up with additional training and reminders. Make sure that the IT department updates HR on a regular basis about new technology and security initiatives. As new technology is added, introduce it to employees with security best practices and make sure each member of the group understands how to use it. Ensure that the IT team is keeping current on best practices and product patches or updates and that this information is trickling down, as necessary, to HR and all employees.

Management Awareness

Few security programs are successful without complete management support. Not only are managers end-users (with access to sensitive information), but they are also leaders who can be invaluable to the success of any security initiative.

Hard facts that link information security with the company’s bottom line will help management understand the importance of security policies and effective training programs, so be prepared to present a business case to management for improving the organization’s security. This will help managers become devoted advocates who insist on maintaining and enforcing security policies.

Audit management awareness of security issues by asking these key questions:

• Does management enforce a security policy evenly across the organization?
  
  
• Does management support practices and technologies that can detect a security breach?
  
  
• Would management know what to do if they or their subordinates detected a security violation?

Managers should be given extra training as well as extra responsibility for security. This helps them become advocates of security programs instead of merely end-users. They serve as examples for the rest of the company; if they do not take security practices seriously, no one will. Managers should be required to maintain policies and to provide recurring training within their respective departments. This not only spreads out the workload, but it also creates a pool of devoted managers to ensure the long-term viability of an information security program.

Information security is a rapidly evolving field that must adapt to new threats quickly. While hardware and software firewalls should be maintained frequently, regular attention to the “human firewall” is just as important, if not more so. Recurring evaluation and maintenance of employee awareness, specialized training and management awareness are all required components of a successful security program.

An information security program that properly accounts for the strengths and weaknesses of employees is essential to securing a company’s data. Information security is best achieved when cutting-edge technology is combined with a highly trained and motivated workforce that understands the basic practices that will keep an organization’s data secure. Empowering employees to serve as a human firewall may be the best way to protect internal resources that have a major impact on the success of the company, its partners and its customers.

Kathleen Coe is director, Americas Education Services, for Symantec Corp. of Cupertino, Calif.