RULES, WHAT RULES? The Importance of Communicating Your Organization’s User Security Expectations
When LMG Security consultants are conducting security controls assessments for our clients, we usually find that management and the security team have rules and expectations in place for employee behavior in order to reduce the risk of security incidents or data loss. These rules are often documented in an Acceptable Use Policy or a Rules of Behavior document.
However, when we talk to end users who do not work in IT or security roles, we often find that they are not always aware of these security rules, or don’t think they apply to their jobs. We also find that employees are required to review these security rules during initial onboarding, but there may be little in the way of ongoing communication or reminders after that. And in some cases, we learn that employees have found their own workarounds if they feel that the company’s security tools and rules are preventing them from getting their jobs done.
A lack of awareness of security rules or non-compliance with acceptable use policies can lead to practices that place company data and systems at risk. Here are some real-life examples that LMG’s consultants have come across:
- Using unauthorized cloud solutions (i.e., Dropbox, Google Docs) to transfer files to external parties. The file-sharing is typically for legitimate work reasons in an environment where the employee is not able to email the files due to data loss prevention implementation or size restrictions on attachments. Sometimes the employee is simply not aware of the risks associated with these cloud solutions or may not know that the company has a secure file sharing solution in place.
- Moving work documents to personal computers at home on a USB or by sending files to the employee’s personal email address. This is usually related to the employee wanting to work on a task at home, but their employer does not offer a remote work solution or the employee is not categorized as needing remote work capability. Ironically, these decisions may have been made based on security concerns!
- Using insecure methods for storing passwords, such as sticky notes, notebooks, word or excel files, email, or on personal smartphones. Often this is due to employees struggling to remember multiple passwords and not knowing their company has approved tools for secure password storage.
- Saving critical files to removable media to ensure they have a “backup” of their work, even if the use of removable media is not authorized. This creates a risk of sensitive data being stored unencrypted, and potentially being taken out of the office.
- Saving files locally on workstations or laptops, again as a “backup”. Many companies have rules on appropriate storage locations to enforce secure storage and make sure files are included in backups. This can create a significant security risk if files are stored locally on unencrypted laptops that can be taken out of the office.
- Connecting personal mobile devices to work computers for battery charging, although personal devices are not to be connected to the company network. Often the employee thinks this is ok as long as they are not using the device or moving files back and forth.
Keep in mind that non-compliant employee behavior in these situations is rarely malicious! We almost always find that it is related to diligent, hard-working employees trying to complete their work.
Here are some key takeaways to ensure your company’s security expectations are well-defined, communicated, and understood:
- Your Acceptable Use Policy needs to be written in clear language intended for your end users. Avoid lawyerly jargon. Consider using examples to illustrate key points related to prohibited or insecure activities and approved secure methods.
- Security awareness training should include a review of your company’s rules and expectations for secure behavior. If your standard training program does not include this, hold a separate session or discuss expectations at staff meetings. Supplement training with regular reminders via email or with a “security second” at meetings.
- Ensure employees have a clear way to escalate work needs that may not fit with the company’s security standards. Examples include a need to share large files with external parties, or secure options for remote work.
- When rolling out new security tools and initiatives, be sure to communicate the plan with end users in advance so they know what to expect. Check in with them to be sure their work processes are not disrupted, or to help find solutions if they have been. If security doesn’t support employee work needs, employees will often find their own solutions and workarounds. And your security team may not like them!
Contact LMG Security to help your company develop an Acceptable Use Policy and train your employees on security threats and best practices for keeping your company safe. We can help with all of your Compliance and Advisory needs.