Dealing with Network Security Scofflaws - Page 2
Moreover, just because a policy has been put in place, employees won't necessarily abide by it. Patrick Hinojosa, general manager at Panda Software, points to the need for specific language.
"The policy needs to be clear and unambiguous. It can't say just, 'Don't do bad things.' It has to say something like, 'You aren't allowed to use Web-based e-mail ever, under any circumstances,'" Hinojosa says.
Some recommend getting written signatures to be able to prove -- in court, if necessary -- that employees are aware of the company's security policies. Slavin, though, sees HR-sponsored security training sessions as a better way. "HR can just go to the employee training file for documentation," he observes.
Enforcement is essential, experts agree. As punishment for breaking security policies, employees can be reported to their bosses, banned from the Internet at work, suspended, or in some cases, even terminated from their jobs.
Increasingly, IT departments are starting to team with HR on both security training and policy enforcement. "For enforcement to be effective, though, HR must act right away, the first time someone violates policy. Otherwise, employees will tend to ignore policies. Sanctions should then be applied uniformly, to all perpetrators. It isn't a good idea to just 'put a head on a pike,' or in other words, to 'make an example' out of someone," says Hinojosa, who was a VP of HR at another company before joining Panda.
Slavin says that one of his customers is already practicing IT/HR teamwork. "Mainly, though, it isn't that prevalent yet," he adds. Meanwhile, administrators at some companies are trying less formal enforcement methods.
In organizations without clear-cut security policies, some network managers are reporting troublesome users directly to top management.
"Unless there's already a high level of interest among executives, though, this will only work if you emphasize the potential consequences of user actions. You can't just say, 'I don't like users to download these particular kinds of files.' Then the execs will be thinking, 'Why is he bothering us with this?' You have to tell them, for example, that viruses can cause a loss of critical data."
Generally speaking, many administrators are finding formal policies the best way to go. "I have learned that unless [a policy] is on paper, it doesn't hold up," says one administrator. "Implied security policies don't cut it. What I consider 'wrong' may not be considered 'wrong' by the next guy."
All too often, though, companies don't even implement security policies until an incident actually takes place. Notes Hinojosa: "Then the executives will be saying, 'Oh my God, our accounting reports are gone! How could this have ever happened?'"
Jacqueline Emigh (pronounced "Amy") is a 12-year veteran of computer journalism. She is currently freelancing for several leading technology and business publications. She was previously a senior editor for Sm@rt Partner Magazine, and before that, a bureau chief for Newsbytes News Network.