September 17, 2015

Security Governance: The Latest on How to Make it Company Culture

Security governance should be deeply embedded in company culture, said box.com blogger Justin Somaini.

“The actions of each and every individual can be the difference between a secure workplace and a compromised one. We need to build organizations where security informs every employee’s interaction with technology and information.”

Here are ways to create a culture of security.

  1. Always start at the top. Changing culture is hard and has to start with the CEO and leadership team, wrote blogger Somaini. “Executives should foster an open and transparent dialogue that supports security initiatives and anchors them in the company’s core values.”
  2. Don’t confine security to IT. Information security must be integrated across all departments. A recent Gartner end-user survey showed a growing trend for establishing primary security function outside of the IT department.
  3. Be creative in employee training. Enlist the help of communication experts – ask your marketing department or a third-party, advises the 2014 Security Awareness Programs report from Wisegate. Use webinars, newsletters, posters, and video. One company created a video that showed how to be more secure at home – the company thought employees would be interested in it personally and much of it would translate to work. The 2015 State of the Endpoint Study showed that 78% of respondents say negligent, careless employees who don’t follow security policies are their biggest threat.
  4. Target all aspects of the workplace with your business security plan.  Educate employees about information security at the office, on the road, and at home, advises the Wisegate report. On-going training and a mobile workforce policy will help change an often negligent out-of-the-office mindset.
  5. Break down barriers. Employees may be afraid to voice security concerns for fear of getting into trouble, writes a blogger at informationsecuritybuzz.com. Create a friendlier environment with identifiable ‘security champions’ in every department (who have been trained on security awareness), advises Wisegate. Host informal coffee sessions for employees to meet with security champions and air security concerns.
  6. Make security seamless. Embed security procedures into workplace processes. A Clean Desk Policy, for example, helps protect confidential information at individual work stations and throughout the office. A Shred-all Policy protects information when it is no longer needed for compliance or other purposes.  
  7. Keep things personal. While encryption, anti-virus software and other data protection technology are helpful strategies, on-going employee training is also important. For example, teach employees about phishing schemes that use social engineering to steal information. Also, make it a policy to never throw documents or memory sticks or other e-media into the garbage or recycling bin.
  8. Make document destruction easy. Partner with a document destruction company that has a secure chain of custody with locked consoles for documents that are no longer needed, security trained personnel, and secure shredding. Regularly scheduled service will help demonstrate the importance of information security protocols to your employees.
  9. Protect stored digital information too. Don’t stockpile old computers. Your document destruction company should provide hard drive and e-media disposal as well.

Identify security loopholes in your organization with a DIY information security checklist and learn how secure shredding services can help you improve security.