When Users Jeopardize Network Security: Page 2
"The policy needs to be clear and unambiguous. It can't say just, 'Don't do bad things.' It has to say something like, 'You aren't allowed to use Web-based e-mail ever, under any circumstances,'" Hinojosa says.
Some recommend getting written signatures to be able to prove -- in court, if necessary -- that employees are aware of the company's security policies. Slavin, though, sees HR-sponsored security training sessions as a better way. "HR can just go to the employee training file for documentation," he observes.
Enforcement is essential, experts agree. As punishment for breaking security policies, employees can be reported to their bosses, banned from the Internet at work, suspended, or in some cases, even terminated from their jobs.
Slavin says that one of his customers is already practicing IT/HR teamwork. "Mainly, though, it isn't that prevalent yet," he adds. Meanwhile, administrators at some companies are trying less formal enforcement methods.
In organizations without clear-cut security policies, some network managers are reporting troublesome users directly to top management.
"Unless there's already a high level of interest among executives, though, this will only work if you emphasize the potential consequences of user actions. You can't just say, 'I don't like users to download these particular kinds of files.' Then the execs will be thinking, 'Why is he bothering us with this?' You have to tell them, for example, that viruses can cause a loss of critical data."
Generally speaking, many administrators are finding formal policies the best way to go. "I have learned that unless (a policy) is on paper, it doesn't hold up," says one administrator. "Implied security policies don't cut it. What I consider 'wrong' may not be considered 'wrong' by the next guy."
All too often, though, companies don't even implement security policies until an incident actually takes place. Notes Hinojosa: "Then the executives will be saying, 'Oh my God, our accounting reports are gone! How could this have ever happened?'"
Jacqueline Emigh freelances for several leading technology and business publications. She was previously a senior editor for Sm@rt Partner Magazine, and before that, a bureau chief for Newsbytes News Network.
This story was first published on CrossNodes, an internet.com site.