All too often, businesses try to use information technology (IT) security policy to bend employees' behaviors into easily manageable uniformity. The thinking goes this way: Eliminate individual-use cases and implement one-size-fits-all best-practice security -- and you'll eliminate vulnerabilities. The fact of the matter is, however, that each employee shows up with his or her own knowledge, preferences and habits. Your security policy should recognize those differences, enabling your staff to work as efficiently as possible, while providing a convenient way to remain secure.
How do you accomplish this? Rather than create a policy to mold all of your employees one way, recognize the outliers, the boundary pushers, the late and early adopters, and build out an IT security policy that accounts for those differences.
Chances are, if you look around your office, you'll see at least one of each of these boundary pushers. While your security procedures will cover all employees and involve education, training and tools, here are ways you can shape policy to ensure that the following "types" thrive -- and your data and your business remain secure.
1. Mr. Feet on the Ground
Some people cling to old technology. Mr. Feet on the Ground is one of them. He (or she) is holding tight to his Outlook, Microsoft Word and email-attached PowerPoint presentations. Out of all your employees, Mr. Feet is the one most set in his ways, some of which can get you in trouble. This employee still prints out emails and writes down passwords on pieces of paper and sticky notes for all to see. He sends confidential documents as email attachments instead of through access-controlled cloud shares. He clicks on links in any email and will enter a username or password without a second thought. He's the official Luddite of the office and the last to comply with security practices.
Mr. Feet, then, is the groundwork for your security policy. Security training and education are essential. So start that training with the basics: secure password practices, the different levels of information sensitivity, basic attack strategies like fraudulent emails and phishing schemes, and management of login information for your various company resources. It's this employee who's most likely to accidentally click on "reply all" while attaching an unencrypted yet confidential internal file; these are the sorts of basics Mr. Feet needs to be made aware of.
2. Ms. Head in the Cloud
Other employees, on the other hand, have left executable files far behind and exist with their heads entirely in the cloud. Ms. Head in the Cloud lives in the browser and has an app for every business activity under the sun -- not to mention a password and login for each, even if it is the same one for every app! From the company perspective, Ms. Head poses a different type of threat, as she offers little to no visibility into the tools she is using, while creating little app-based islands full of company information.
This is the employee who pushes the boundaries of your IT security policy in terms of access management and creates a need for IT to develop a relationship with each department to help its staffers find convenient, cutting-edge mobile tools. Rather than trying to rein in Ms. Head, your policy should enable a safe and convenient way for her to use cloud-based tools and remain efficient.
You shouldn't draw up a list of what is and is not allowed, but rather vet the solutions being used and either find a way to make them work securely or provide an equal alternative. Most importantly, IT needs to offer a tool for secure access management to give Ms. Head quick access to her arsenal of cloud-based tools, as well as retain visibility into her practices there. This means that IT should manage the onboarding and offboarding of employees who use cloud-based tools. That way, if they leave the company, they don't take their little islands with them.
3. The Gadget Guy
You've seen this guy around the office: He had a Bluetooth headset before you'd even heard of "Bluetooth," and he always has the latest device. Along with his smartphone, tablet, phablet or wearable, The Gadget Guy brings with him both the good and bad of "bring your own device" (BYOD). The Gadget Guy, unlike Mr. Feet on the Ground, who sticks to his work-provided computer for work-related tasks, is accessing work email, files and networks from a variety of personal devices.
A common knee-jerk reaction here is to ban external devices, but this ignores the increased productivity and efficiency that can come with employees using devices they choose and are most familiar with. Rather, your best response is to put a BYOD policy in place that educates employees on proper security protocols but also dictates required enrollments. Mobile device management (MDM) software, for example, helps secure company data when a device is lost, stolen or improperly transferred.
MDM grants IT important capabilities, such as remotely wiping company-related data, including email, security and encryption settings, and other business-related apps, once that employee or device is no longer authorized for company access. BYOD policy deserves its own clearly labeled section in your IT security policy.
4. Ms. Mobility
Ms. Mobility is likely the ghost of the office. She may be the salesperson who's always on the go or the remote employee who checks in from various locales throughout the day. Either way, she gets the major portion of her work done from coffee shops, airports and random hotels. Much like the Gadget Guy, she likely uses a variety of personal devices and, while BYOD continues to be a concern, the primary concern here is the numerous unsecured WiFi networks she's constantly connecting to and the plethora of packet sniffers lurking about.
Not only do we want Ms. Mobility paying attention to basic BYOD practice, but we need her to pay even closer attention to how she connects to the company network and how she accesses basic things like email and company files.
As businesses increasingly move online and into the cloud, so too do their employees -- and they do so from remote locations. Your company needs to provide the proper tools to securely access work-related information remotely. It needs to educate about the dangers of unsecured public WiFi. A virtual private network (VPN) can be the first step to secure remote access to email, file servers and other services.
Employees need to be well versed in email and file-encryption practices and services, and be aware of their surroundings. Not only can confidential information be inadvertently leaked, but device theft can be a big problem for the mobile employee. This, again, goes back to BYOD policies around MDM software, but should also be expanded with policies around keeping devices on their person and using hard-drive encryption and device-lock cables to prevent theft.
5. The Expert in the Ranks
Then there's the IT expert lurking in the rank and file, ever-savvy and more knowledgeable than your average bear, but also a potential risk for believing that he or she knows more (and better) than company policy. In a small business setting, the Expert in the Ranks often is the unofficial IT guy, which can mean this person excludes himself (or herself) from company policies and creates his own inroads around them. Such an individual sacrifices security in the name of convenience, all while enjoying unlimited access to security controls and information not necessarily needed.
Beyond the rule-bending, the Expert in the Ranks often enjoys unchecked IT power, which can benefit the company when the Expert reveals the security holes he or she has found, but which still calls for oversight. There have to be checks and balances for every person in a company, and the Expert is no exception. In response, an access-management system is key, again allowing for careful onboarding and offboarding, and potentially giving more than one person access to administrative accounts so that no one person holds all the keys to the kingdom. While the Expert, in a small business setting, can be a valuable employee, he or she should be given access only where needed, rather than in broad strokes.
In the end, if you account for these basic employee archetypes, you should find yourself with a basic IT security policy that deals with not only your day-in, day-out security issues but also the occasional extremes. It's never about creating a policy around a single employee, but creating a holistic approach that allows all your employees to perform with efficiency and convenience while maintaining secure practices.