In the security field we hear a lot about the insider threat. There have been plenty of well-publicized incidents of internal employees, contractors or ex-employees stealing information, deleting information or leaving some other kind of destruction behind before they leave an organization. I'll cover this topic in more detail in a future post.
While this certainly does happen, it's not prevalent. Call me an optimist... but I think that people generally want to do the right thing.
And this is where the problems begin. Sometimes those who make the rules and enforce the rules just make it too difficult to do the right thing!
The first issue is that the rules are often not straightforward. Sometimes information/security policy, ethics policy, rules of conduct and even legislation and requirements are confusing and even conflicting. (I can hear you say "sometimes???" :-) The key is that we need to translate and simplify this material to make it accessible. If there are conflicting rules, then partner with legal to figure out an interpretation for your organization. Use FAQs, intranet articles and other vehicles to further clarify the decision points.
After you've clarified the rules, people need to know how to find out what you want them to do. As we discussed in last week's post, people need to be able to both easily find, and easily understand, your organization's information policy, interpretations and awareness material. Where do you post this information? Is there a security intranet website? Do people know where it is? Do you provide training on this material? We'll talk about security awareness in a future post.
And how easy is it for people to do the right thing? Do you have preventative technical controls that actually make it more difficult to do the right thing? In an earlier post I talked about ineffective security. Review the implementation of your policy and your technical controls to make sure that it's easy to do the right thing.
Catch them being good! If people are doing the right thing, make sure you have some way of recognizing this. It can be as simple as thanking someone, for instance when they make sure a co-worker badges in rather than tailgating.
Finally, walk the talk... be sure that you are doing the right thing. And that you are helping others to know, and do, the right thing!
How do you help make sure people are doing the right thing? And how do you assure you are doing the right thing?