Staff buy-in: Your company needs you
- SC Magazine, February 2008
All the technology in the world won't help if your employees don't follow security policies, so how can you win them over?
TOP TEN TIPS FOR YOUR STAFF
- Make sure that all redundant equipment, documents and waste are removed as appropriate. It's no use protecting data on your PC if it's on your desk for everyone to see.
- Lock your workstations when left unattended and log off at the end of your working day.
- Don't share computer passwords except under the most exceptional emergency circumstances.
- Don't make your password easy to guess. It should be at least eight characters, different for each account and not based on personal things such as dates or pet names.
- Organised crime is at work and the average criminal is more motivated to steal from you than you are to defend yourself.
- If you have a laptop, don't leave it on display in your car. Get a laptop cable lock. Many thefts are crimes of opportunity.
- Avoid working in a public place; you never know who's watching. If you must, get a privacy screen protector.
- Do not connect devices such as iPods, USB drives or even CDs to your PC without checking with IT - these can all carry malicious software.
- Don't reveal details of your work security arrangements to anyone. If someone is trying to break in, they'll try to gather as much information as possible first.
- If you think something is suspicious, report it. Many crimes are successful because earlier, unsuccessful break-in attempts weren't spotted by the right people.
CASE STUDY: RICOH
Japanese digital office-solutions company Ricoh has nearly 82,000 employees and offices in more than 150 countries. Three years ago, the company decided to go for a single global certification for ISO27001.
Kevin McLean, information security manager at Ricoh Europe, has been in charge of the EMEA aspects of the certification. “In order to achieve the certification, we created a project team. The team worked with the IT, HR and facilities management departments to establish the information security management system (ISMS) with a focus on access control, from IT systems to buildings. Recruitment policies were reviewed to cover the management of contractors and permanent personnel.”
However, McLean knew that employee awareness would also be a vital part of both certification and the company's security policy. “While we strive to be as strong as can be with physical security, it can all be undone by people,” he says.
So he and his team created a security awareness programme. They began with pilots in a number of offices, including the company's European HQ in London. They also set up ISMS business representative groups: bridging units, one per pilot area, linking their own division with the rest of the company, which met to decide activities and projects designed to improve employee awareness. “We tried a number of things to see how they were received.” Since the pilot project at the HQ was in a relatively small area, it was possible to take advantage of “water cooler” chat to discover how much of the message was getting through. Managers told them that more staff were wearing ID badges, clearing their desks at the end of the day and performing other actions they had been advised to perform.
To get the message across, the unit devised initiatives including informal launches, articles on the intranet, a staff handbook and mandatory awareness training. Staff were also given free gifts, including a personal alarm and SIM card replicator, to reinforce the security message. A set of “11 commandments” based around the “DOIT” slogans ('protecting documents, office and IT') further added to the message.
“HR and marketing helped come up with the slogans,” recalls McLean. “And HR were able to tap training and similar resources.” Seminars and workshops involving role-playing allowed staff to explore security issues related to their working day. “Employees weren't interested in big picture stuff. It was all about 'How does this affect me?'”
Although Ricoh now has the certification, McLean says the programme will continue. “We're always going to be improving it.”
WORKING WITH OTHER DEPARTMENTS
If security is seen as an IT issue, it will be left to the IT department to sort it out. Apart from the crippling amounts of extra work, that will mean security being someone else's problem rather than an issue for the whole company. So it's important to get other departments to work in conjunction with IT to ensure that the security message gets through and is seen as everyone's concern.
This usually involves board-level support as well as a “bridging unit” or a business relationship manager, depending on the size of the company, to liaise between IT and other departments. If you can get funding from those departments, they will be far more committed to the issue than if they are merely asked to give up their time.
