Security problems usually begin with the same problems: An employee will take work home on the weekend; someone opens a suspicious email in the office; your CEO will Tweet a controversial comment, or an unsafe app is installed on a work phone.
On any given day a company can be faced with one, or all of these seemingly minor security issues. While these appear to be small, company safety and security issues will eventually add and expose a business to a serious breach of privacy or security problems in the future.
Unfortunately, many companies tend to isolate risk and security management to an often separate group or branch of the overall organisation. Much like when IT is only called when a computer stops working, security staff are only called in when the damage has already been done. This isolation of practices might have been typical in the past 10 to 15 years, but this can no longer be the case in a world that is increasingly interconnected through technology and globalisation.
Security policy should not just be considered in worst case scenarios. It should be integrated with other aspects of running an organisation, from Human Resources to Materials Acquisition. In this manner, a company can ensure to employ well-trained employees who know how to protect company assets, or ensure that IT equipment is maintained to the highest standards of data security.
Too often are security specialists called in after a data breach, when gigabytes of personal information has been stolen from a database, or after a disgruntled employee has left the organisation with a cabinet file full of company information. If the proper security policy is integrated into day to day work procedures, these kinds of things can be prevented or at least, have harm minimised.
A more holistic approach should be considered when running any modern company, no matter how great or small. This would involve simple policy changes such as:
- Regular security audits of IT systems – this should not just include testing your firewalls and checking data integrity of a server, but also ensuring that any third party software is always up to date. IT security should not just be the responsibility of the IT department, regular employees should be given reminders and even training on sensible, safe online behaviour and work processes such as opening suspicious emails or linking personal accounts to work apps on their phones.
- Sensible HR and work conduct training – employees should be aware of the importance of working safely. Again, reminders and training can be provided to assist employees to deal with bringing sensitive paperwork home to work on the weekend (provide secure laptops or encrypted USBs); how to behave sensibly with your colleagues and with third parties (most especially online); and always knowing how to react during a building security drill.
- Integrated OH&S and other building security checks – while ensuring that hallways and walk paths are clear and unobstructed sound like the usual tedious work health and safety check, it can mean saving time during real evacuations or other security events.
Stopping short of creating a big brother state in your company, a good security policy is also sensible security policy. It should be taught to all employees and integrated into their day to day work schedules. An employee should not only feel safe at work but also responsible for the safety and integrity of company assets as well.
Nowadays, the risk of data breaches, or even feeling unsafe at work is quite high. These kinds of things should not be treated as isolated problems that need to be solved after the fact. These are problems that can be easily minimised or avoided when considered as an integral part of running a business. Working with a holistic security policy in place can ensure that your business can get on with getting ahead without running heedlessly into trouble.