If safety is the best policy, IT security follows closely behind. Out of all the policies in your handbook, few are as critical. While security policies don’t get much fanfare when they work well, botching them can have dire consequences. Look no further than the latest high-profile data breach in the headlines for an example of what can go wrong.
We sat down with Daniel Leslie, Namely’s Director of Information Security and Technology, to find out what makes a strong policy. Below are some of his tips for HR professionals looking to tackle the job for the first time.
1. Don’t use size as a reason to procrastinate.
When is the right time to get started on your IT policy? Yesterday—regardless of how many employees you have. Even small businesses can be responsible for information belonging to hundreds, if not thousands, of clients. Don’t wait until hitting an arbitrary headcount number to get serious about security.
Understandably, resources are short at smaller companies and fast-paced startups. If you're strapped for time, start with an incident response plan. This document spells out how the company responds to a range of incidents, from a misplaced laptop to a full-scale network intrusion: who gets notified, who decides what happens next, and what gets recorded along the way.
According to Leslie, this is one area in particular smaller companies can’t brush off. “Things are going to happen, for better or worse. You need a structured way to manage those events.”
2. Include the fundamentals.
So you've decided to draft an IT security policy. There are a number of key things you'll need to include for it to be successful.
First, establish an access control policy. Access control is the process of deciding who is permitted to access which information and systems, and on what basis. The guiding principle is least privilege: people get the access their job requires and no more. For example, your marketing team likely doesn't need day-to-day access to the same information as finance or billing. A sample access control policy might look something like this:
"Company will provide all employees and other users with the information they need in order to carry out their responsibilities in as effective and efficient a manner as possible. Access to private information will be limited to authorized persons whose job responsibilities require it, as determined by an appropriate approval process, and to those authorized to have access by local, state, or federal law."
In addition to access control, be sure to address acceptable use in your policy. This term simply refers to what employees are permitted to do on a laptop, phone, or any other company resource. That means setting ground rules on what type of software employees may install, what kinds of websites they may visit, and even whether they may use removable media such as USB flash drives or external disks. For most companies, a simple bulleted list might be enough here.
Last but not least, make sure your policy meets local, state, and federal requirements. Oftentimes these rules are industry-specific. For example, financial services companies regulated by New York's Department of Financial Services must meet the state's cybersecurity regulation (23 NYCRR Part 500). While every jurisdiction has its own rules, here's a rule of thumb: the more sensitive the information your company handles, the more likely it is that you're in an industry with legal minimum requirements.
Even though we've just scratched the surface, that's still a lot to take in. Give yourself a head start by using some of the free policy resources available online. One reputable source Leslie recommends is the SANS Institute, which publishes an extensive library of free security policy templates.
3. Empower employees and managers.
You won’t get anywhere acting like a one-person enforcement agency. You’ll need executives and managers to serve as your policy champions and to “practice what they preach,” as Leslie puts it. Focus the bulk of your energy training people leaders, and then empower them to serve as your eyes, ears, and even voice on the ground. For small HR or IT teams, doing so is more a necessity than a tip.
And new hires—what sort of training should they receive?
"Workshops, not trainings!" Leslie has a strong opinion on the matter. To him, the best sessions are collaborative rather than rehearsed messages delivered from the top down. He runs his security workshops in person, serving more as an informal moderator than a hard-nosed instructor. "You can say, 'here are the mechanisms in place and why we have them,' but make sure employees feel safe and empowered to question them."
If security is a shared company value, workshop participants need to feel like they actually have a direct impact on the matter. Don’t go into these meetings with enforcement on your mind—instead, focus on what Leslie terms “enablement.” He finds that even the word “enforcement” can cause employees to become defensive, and not receptive to the session.
Leslie recommends a lighter touch. “Instead, the message should be ‘here are the expectations, we’re here to do all we can to enable you to follow them.’”
4. A clean desk is a more secure desk.
Don't forget that an effective security policy goes beyond what's displayed on a screen or stored on a hard drive. Be sure to include a "clean desk" rule in your policy, which is exactly what it sounds like. In the interest of protecting company and client information, employees should lock away loose folders, papers, and notes whenever they leave their desk and at the end of the day, rather than leaving them in plain view.
To encourage that behavior, you can do your part by having a paper shredder onsite for employees to use. If your company handles a lot of paperwork on a daily basis, there are services that will provide you with locked collection bins that are later hauled away for shredding.
Why wait for spring to start cleaning? If employees are already buried alive in clutter, hold an office party for them to spruce up and bring order to their inner hoarder. It’s also a great way to spread awareness of your clean desk policy.
5. Stay in the know.
Even if you don't have a full-time IT or security professional on payroll, it's important to stay current with new rules and best practices. Leslie recommends adding one or two security newsletters to your weekly HR reading list. You can also subscribe to the Namely newsletter for HR and policymaking tips, as well as compliance updates.
Additionally, don’t be afraid to turn to your own network. You aren’t the first HR professional to think about IT and security, and you won’t be the last. Groups like HR Open Source provide their members with an open forum to ask questions and get feedback.
To be successful, HR professionals often need to wear a lot of hats, one of them being that of a technology pro. Even when a company has a full IT team, HR will still need to work closely with it to protect the company and its employees against security threats. Unfortunately, the two teams don't always see eye to eye. One survey found that 56 percent of IT professionals believed they didn't receive enough support from HR to do their job effectively.
To help solve that problem, Namely partnered with BetterCloud to publish a new white paper, HR and IT: The Engine Behind Employee Experience. Inside you'll find how to make security a part of your organizational culture and how to ensure HR and IT are in lockstep throughout the employee lifecycle. The white paper is available as a free download.