Secure-Behavior-in-the-OfficeNowadays, information security is a very common term used in the business world. Previously, security was simply a matter of installing a firewall to protect a corporate network by adding barriers to prevent intruders from access it.

In the last few years, information has become electronic, or should I say virtual, in its primary form. What used to be on hard copy or paper form is now stored, processed and transferred electronically, which makes securing it much harder.

Technology enables us to protect data. Technology is only as good as the way humans interact with it. This human interaction is difficult for us, as security advisors, since we do not have “control” over it. Thus, awareness programs are of great importance to slowly change employees’ security behaviors.

Multiple behavioral traits must be worked on to develop security awareness. For instance, one of the most forgotten tasks by employees is to lock their workstations when leaving their offices. The display must be locked even if it is only for a bathroom break, but most people omit to do so, despite quarterly reminders from awareness programs. Clicking on the “windows key + L” is all it takes to lock a workstation, yet it is still forgotten.

The previous example is just one aspect of the so called clean desk policy. Management wise, a clean desk policy is easy to accomplish: Nothing left on the desk, computer locked, drawers locked and all confidential information hidden. For employees, who no longer use paper , this policy is pretty easy to follow, but for accounting and human resources employees, it can be a nightmare as their desk are usually piled with confidential data. In such cases, it might be easier to physically restrict access to these workspaces and control physical access as a compensating measure. This brings a very interesting and important point to the table; adaptability.

Human behaviors are hard to change and sustained efforts have to be invested to see results. Security policies have to be adapted to workplace reality. For the awareness program to succeed, it must be communicated to employees via a multitude of stimuli:

  • Emails are most often read in diagonal and, therefore, quickly forgotten.
  • Eye-catching posters are good as long as they don’t become part of the landscape. Changing them periodically will catch employees’ attention.
  • Get management involved so they can spread the word in their weekly meetings.
  • Roam the office to point out good habits and reinforce messages.
  • Designate champions on each floor or department to answer questions.

These are all recommendations which can help and the best ones are often brought up by employees as they feel more inclined to abide to rules which they designed themselves.

Are you sure that your workforce understands the value of your data? People who understand your data’s value and can imagine incident scenarios will be more inclined to protect it properly.

Using the PDCA wheel (Plan, Do, Check, Act) can also help. Plan your awareness program, distribute it, check its effectiveness or employees’ responses to it and act to fine-tune it.

And repeat it over and over again.

By Philip Veilleux, Information Security Advisor