Why your company needs clear security policies: A cautionary tale

An IT employee was recently almost fired for storing documents on Dropbox. Here's how the employee and the company could have prevented that situation.

Even with BYOD (Bring Your Own Device) policies in place, the lines continue to solidify between business and personal computing in corporate environments. In the wake of what now seems like daily security breaches and malware infestations, companies are seeking to protect themselves in every possible way by limiting or locking down what employees can access on company-owned systems, or personal devices permitted for business purposes. The mantra is now: "Only access what you need to do your job."

It's becoming a matter of survival, but there are casualties along the way, at least in the form of increased suspicion and decreased morale. A friend of mine who works in IT for a financial firm was aghast to be written up recently by his manager. His misstep? Using Dropbox to store his work data and not being aware of the recent security rule that personal cloud storage services were banned.

This issue came to a boil when his security team determined he had saved some spreadsheets containing data about hosts and their current vulnerabilities to Dropbox. He committed no intentional wrongdoing, but that was of little matter. He was asked to delete the spreadsheets, uninstall Dropbox and sign an affidavit attesting he had done both. Corporate America isn't taking any chances.

As you can imagine, my friend related the story while asking about job openings at my workplace. "It was a real eye opener," he told me. "I've worked long nights, early mornings, gone the extra mile; you name it, but still my boss had to go to bat for me or legal would have terminated me over it, which is especially crazy since it would have left no one performing the tasks the company needs, at least for a while. I should have known the policy, I admit, but I figured it was legal mumbo jumbo and just a set of suggestions."

That was his first mistake, before he ever even saved those spreadsheets.

Clear electronic communications policies can prevent situations like this by setting guidelines for employees, but some hyper-vigilant organizations are upping the ante even further depending on their security requirements. This trend will only expand.

The key element is data and how or where it can be moved. In order to protect corporate information, elements such as personal email, cloud storage accounts, social media, and anything which allows transmitting data or storing it elsewhere are being limited and monitored. This may not be the case at your company just yet, but I would bet it will be at some point.

In order to reduce "surprises" such as the one experienced by my friend, I recommend all corporate employees follow this advice:

  • Read and follow all company policies.
  • Assume all access and communications are monitored by the company.
  • Assume all confidential data is tracked and don't misuse it, copy it to unauthorized locations or share it with unauthorized personnel.
  • Don't use company-owned messaging systems for personal communications (this should really be a no-brainer; free web-based email services have been around for decades).
  • Assume recreational internet access is monitored and may be reduced or blocked entirely at some point. This may even include access to online applications you rely on to do your job, like taking notes in Google Keep.
  • Assume personal device usage, if permitted, may be restricted or prohibited in the future.
  • Don't attempt to circumvent security controls, or hack/gain unauthorized access to systems.
  • Don't access anything controversial (whether internal or external) and if you do so by mistake, report it to your manager.
  • Don't participate in non-work related newsgroups/discussion forums or download material that's not related to work.
  • Don't give out or share passwords or the use of company-owned systems.
  • Don't access or share pirated or copyrighted information, or steal company-owned software.
  • Make no expectation of privacy while using company equipment and facilities for any purpose, whether for internal or external access.
  • Assume failure to comply with policies can result in termination or worse - lawsuits.

In short, behave as if your security staff were standing next to you watching you work, because they may well be, at least in a virtual sense.

I take a hard line here and advise against using company systems or networks for any personal reasons at all and vice-versa. My work PC is exclusively for work and I even utilize separate browsers; Firefox for my professional operations (including all bookmarks) and Chrome for my personal endeavors. I have nothing on my work PC which is not related to my job, and nothing on my home PC which is. I access no work-related sites from home nor personal-related sites from work. My computers are like ships passing in the night with no connection to one another. My mobile phone contains company email and a VPN client, but no business-related data whatsoever.

In addition to the end-user advice above, here are some recommendations for employers and people in charge of company security:

  • Clearly announce and provide all new or updated policies to employees.
  • Have employees sign off on policies to confirm they have read and will comply with them.
  • Conduct training sessions as needed to educate the user community.
  • Gain feedback on policy clarity and content from users in the form of surveys or quizzes.
  • Consider the use of visual aids such as posters or stickers to help improve policy compliance.
  • Use monitoring to detect inappropriate access or applications.
  • Be prepared to discipline infractions against the policies appropriately.
  • Where possible, establish compromise such as permitting a small measure of recreational web use, personal device usage or an external public guest wireless network for internet access (so long as these entail appropriate usage and don't impact productivity).

This last concept can be a boon for all since it provides risk-free internet access to employees or guests via smartphone, tablet or laptop. An arrangement like this means internal systems are protected and users can get online without eating up a mobile data plan, which is a generous perk. They can still use their lunch hour to see what gourmet meals Uncle Bob has cooked for Aunt Betsy or check out photos from their wayfaring friend Teena's latest trip. Or, on a work-related note, if cloud-based sites they use for work are blocked from company systems, they might be able to access them on personal devices (so long as any applicable policies/the security department permits).

On a darker note (it's important to be realistic), employees should be aware of the ramifications for even accidental security violations. No matter how hard you've worked or how loyal you are to the company, don't expect mercy for putting the organization at risk, even through an ignorant mistake. Your boss may think you're a superstar, but if the security or legal teams decide you've committed an unforgivable error, well, "business is business," shall we say. Act accordingly and know the boundaries. Your career depends on it.

About Scott Matteson

Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.