Make Awareness Programs Count
Aug 1, 2007 12:00 PM, By Eric Cowperthwaite
A security training and awareness program should be more than a mark on the regulatory compliance checklist or a way to satisfy the auditors. It is, fundamentally, an ethical obligation of the company leadership, part of the commitment between employees and the company.
We hold employees responsible to adhere to policies and standards and other governance controls, and we apply sanctions when an employee fails to meet those obligations. That creates a dilemma if we are not investing in a true training and awareness program.
When an employee breaks a rule and claims to have done so unintentionally, it is easy to argue that it is his or her responsibility to know what the policies are. But since employees may be put on “performance plans” or even lose their jobs because of unintentional policy violations, and since the damage to the company is the same regardless of the employee's intent, let's not be so quick to dismiss the issue.
Over the years I've been involved with a number of cases in which post-incident claims of inadequate training or awareness programs compounded problems for the company, the employee or both. There was the employee who had postponed the installation of mandatory encryption on an assigned laptop three times. Consequently, when that laptop - holding the confidential data of 22,000 people - was stolen from the trunk of the employee's car, it was unencrypted, and it was also unattended. These were two violations of formal, explicit policies, and yet, although the cost of the loss was more than 1,000 times the cost of the laptop itself, the employee was only counseled. Why? Because the employee had not had appropriate training and was not aware of the policy requirements or the need to apply specific controls to the laptop and the data it contained.
Another case: An employee was using a company-owned computer to download and view pornographic videos from the Internet. The employee was fired. When the employee challenged the termination in court, the court found that the organization had not adequately trained the employee.
It is our ethical responsibility to provide good training and awareness programs rather than “check the box” programs — the kind that actually help our employees to do the right thing, for the protection of both our organization and our employees. Such a program will also reduce the risk to our customers, employees, data and assets. Doing the right thing is good business.
Eric Cowperthwaite is the chief security officer of Providence Health & Services, which has 29 hospitals and more than 50,000 employees located in five Western states. He is a member of the Security Executive Council (www.csoexecutivecouncil.com/?sourceCode=access).
Want to use this article? Click here for options!
© 2012 Penton Media Inc.
Today's New Product
|
Privaris Biometric Verification SoftwareIn support of the Privaris family of personal identity verification tokens for secure physical and IT access, an updated version of its plusID Manager Version 2.0 software extends the capabilities and convenience to administer and enroll biometric tokens. The software offers multi-client support, import and export functionality, more extensive reporting features and a key server for a more convenient method of securing tokens to the issuing organization. |
advertisement
This month in Access Control
- Targeting The Customer
- Electronic Pedigrees
- One Hero Among Many
- Who? What? When? Where? Why?
- More from September's issue
Latest Jobs
advertisement