Step seven: Training, acceptable use policies and legislation
In the seventh in this series of articles Stewart Twynham of Bawden Quinn looks at training, Acceptable Use policies and the legislation concerning information security.
Already in this series, we've identified the importance of factors other than technology when investigating and managing security - and the people that use your IT systems, the users, are one such critical factor.
According to the DTI Information Security Breaches Survey 2002, 85% of businesses rated their people as very important, yet 73% of organisations do not have any formal training programmes in place.
The results are startling. We've compiled these figures from a range of surveys, all of which reflect fairly typical scenarios that we have witnessed over the years:
- 80% of senior managers admitted to opening email attachments from someone they didn't know;
- 79% of employees would forward sensitive information to an ex-colleague, even if they were working for a rival firm;
- 67% of employees would steal confidential information to take with them to their next job;
- 64% of employees gave out their password to a complete stranger at a London railway station;
- 60% of employees will open an email, even when the subject line makes it clear that the content is inappropriate;
- 38% of employees would steal company sales leads before moving to another firm;
- 20% of senior managers use their own name as their network password;
- 6% of employees would delete important files before leaving the company;
- 4% of employees would install a virus before leaving the company.
There are a whole host of potential risks when staff use the computing facilities of a company without the appropriate knowledge, training, or supervision. These include:
- Harassment - which may include sexual and racial harassment, and harassment on the grounds of sexual orientation, religion, disability, age, physical characteristics, etc. Harassment is a criminal offence which can result in imprisonment for the harasser, and in claims for damages against both the harasser and the company.
- Defamation - where a person's or company's reputation is adversely affected by publication of a statement (which could be by way of Internet or Email).
- Breach of Copyright - particularly in cases where material is downloaded from the Internet or copied and then re-published on the Internet or forwarded by email.
- Entering into contracts - where an email can form a binding contract, which could result in the company being sued for breach of contract. The exact terms of the contract may be buried in a complex exchange of emails, and the principle of 'ostensible authority', which means that a third party has no obligation to verify the authority of someone entering into that contract, will apply.
- Offensive Material - where a work colleague, supplier, or customer may be offended by images or other content of an offensive nature. There is no legitimate business reason for accessing any material which could be viewed as offensive, and doing so has resulted in serious costs for companies that have ended up at an industrial tribunal.
- Loss of Confidentiality - where information belonging to an individual or company is forwarded somewhere it shouldn't.
- The spread of viruses, Trojans and other 'malware' - by email, downloaded from the Internet, from newsgroups, from peer-to-peer networks such as Kazaa, and inadvertently by clicking on a pop-up advertisement or banner.
With all these potential risks, it is understandable that many companies feel the need to monitor and supervise usage and communications to prevent such misuse. Unfortunately, you do not have an automatic right to monitor staff in the normal course of business communication, whether by telephone or by email. I won't dwell on the details of the Regulation of Investigatory Powers Act 2000 (RIPA) and the related legislation, since Lucy McLynn has already written a very comprehensive article, E-mail monitoring: legal compliance, which covers many of the salient points regarding the legalities of email monitoring; you would be well advised to read it.
Things you should remember:
- You cannot monitor employee communications / usage without informing them first
- Employees have a right to privacy - unless you make it clear to them that they have no such rights when using your computer system in the workplace
- Even with the law behind you, monitoring and supervision should ideally be kept to a minimum - e.g. through the use of automatic monitoring software, or by only checking subject lines, not the email body.
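The 'subject lines, not the email body' principle can be built directly into a monitoring tool, so that the reviewer is never shown more than the AUP says they may see. The following is an added example, not code from the original article or from any product it mentions; the keyword list and the three sample messages are constructed for illustration. It parses each message as headers only, returns the handful of fields a reviewer is permitted to see, and flags subjects that match the agreed keyword list. Encoded subject lines (RFC 2047 "=?utf-8?q?...?=") are decoded before matching, so a simple encoding trick does not slip past the check, while anything in the body is deliberately ignored.

```python
"""Minimal-footprint email monitoring: inspect headers only, never the body.

Added example (not from the original article). The keyword list is a
hypothetical AUP list and the messages below are constructed samples, not
real traffic. A real deployment would hook into the mail gateway and use a
list agreed with staff in the written Acceptable Use Policy.
"""
from email import policy
from email.parser import BytesHeaderParser

# Only these header fields are ever returned to a reviewer.
REVIEWABLE_FIELDS = ("From", "To", "Date", "Subject")

# Hypothetical AUP keyword list (casefolded comparison).
AUP_SUBJECT_KEYWORDS = ("joke", "xxx", "confidential - do not forward")

# Constructed sample messages. The third has an AUP keyword in its BODY only,
# which a header-only check must not see.
SAMPLE_MESSAGES = [
    (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
     b"Subject: Q3 sales figures\r\nDate: Mon, 01 Sep 2003 09:00:00 +0100\r\n"
     b"\r\nBob, the figures are attached.\r\n"),
    (b"From: carol@example.com\r\nTo: all-staff@example.com\r\n"
     b"Subject: =?utf-8?q?Funny_joke_-_not_for_work?=\r\n"
     b"Date: Mon, 01 Sep 2003 09:05:00 +0100\r\n"
     b"\r\nYou have to see this one...\r\n"),
    (b"From: dave@example.com\r\nTo: erin@example.com\r\n"
     b"Subject: Meeting notes\r\nDate: Mon, 01 Sep 2003 09:10:00 +0100\r\n"
     b"\r\nThis is confidential - do not forward outside the firm.\r\n"),
]

# headersonly parser: the body is left untouched as raw text and never read.
_HEADER_PARSER = BytesHeaderParser(policy=policy.default)


def header_summary(raw: bytes) -> dict:
    """Return only the reviewable header fields of one message.

    policy.default decodes RFC 2047 encoded words, so the Subject is
    compared in its human-readable form. Missing fields become "".
    """
    msg = _HEADER_PARSER.parsebytes(raw)
    return {field: str(msg[field] or "") for field in REVIEWABLE_FIELDS}


def flag_subject(summary: dict, keywords=AUP_SUBJECT_KEYWORDS) -> list:
    """List the AUP keywords that appear in the (casefolded) subject line."""
    subject = summary["Subject"].casefold()
    return [k for k in keywords if k in subject]


def review_mailbox(raw_messages, keywords=AUP_SUBJECT_KEYWORDS):
    """Return (flagged, total).

    flagged holds one dict per matching message: the reviewable headers plus
    the matched keywords. Nothing from any body is ever included.
    """
    flagged = []
    for raw in raw_messages:
        summary = header_summary(raw)
        hits = flag_subject(summary, keywords)
        if hits:
            flagged.append({**summary, "matched": hits})
    return flagged, len(raw_messages)


if __name__ == "__main__":
    flagged, total = review_mailbox(SAMPLE_MESSAGES)
    print(f"{len(flagged)} of {total} messages flagged for review:")
    for item in flagged:
        print(f"  {item['Date']}  {item['From']} -> {item['To']}")
        print(f"    Subject: {item['Subject']}  (matched: {item['matched']})")
```

Run against the three constructed messages, only the second is flagged: its encoded subject decodes to "Funny joke - not for work". The third message carries "confidential - do not forward" in its body but a harmless subject, and is correctly left alone, which is exactly the trade-off the bullet above describes: less intrusion, at the price of seeing less.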
The Acceptable Use Policy
The Acceptable Use Policy should sit at the heart of every IT security policy. It defines to your users what they can and can't do, what's expected of them, and the kind of trouble they can expect should they fall out of line. The success of an acceptable use policy hinges not so much on the policy itself, or the clever controls and monitoring systems your IT company might want to sell you to enforce it, but on the training you provide your staff.
Overall, it's a three step process: Establish, Educate, Enforce:
- Establish WRITTEN rules regarding the use of your computer systems, covering email and internet access, and apply them consistently and without favour. Every company is different, but a great 'starter for ten' is available at the Surfcontrol web site. Your employees should, ideally, sign up to this policy.
- EDUCATE your users. It sounds simple, yet few companies bother even though it helps in two very distinct ways. Firstly, many of your employees will respond well to the training, thereby reducing the risk exposure of your business. Secondly, a sound programme of user awareness and training will probably reflect well should you ever end up in court or at a tribunal - after all, you are demonstrating you've made a reasonable attempt to keep yourselves legal.
Training and education should not just be limited to a great long list of things users shouldn't do, but should include general good practice, such as how to react if they suspect they've been hit by a virus, how to deal with spam, good email etiquette, data protection laws, etc. In the words of another AccountingWEB author, too many businesses perform 'induction by osmosis', assuming such vital knowledge will be somehow absorbed through the course of the working day - don't let yours be one of them!
- Enforce the rules EVERY TIME. It is often tempting to 'overlook' certain cases, but failing to act if and when employees do cross the line is counter productive twice over. Others will tend to further exploit the situation, believing that they can 'get away with it too', and the courts may not look too favourably on such inconsistent behaviour.
Further reading: Information security series
- Step 1: Identify your assets
- Step 2: Understanding the threats and vulnerabilities
- Step 3: Things that turn threats and potential loss into risk
- Step 4: The firewall
- Step 5: Tackling viruses and spam
- Step 6: Good housekeeping
- Step 7: Training, acceptable use policies and legislation
- Step 8: Domain name purchase and protection