Tips for creating a security culture in the workplace
By AdvocateDaily.com Staff
In this age of company secrets sometimes walking out the door with employees, organizations need to heed Ronald Reagan’s 1980s-era motto about nuclear disarmament — trust, but verify, says Ryan Duquette, principal of Oakville-based Hexigent Consulting.
“I think many employers are very trusting of their employees, and that is great. But there are a number of things they need to be aware of,” he tells AdvocateDaily.com. “Insider threats are just as big a concern as external hacks into an organization.”
Every business needs a cybersecurity policy, and what it consists of depends on what the business needs to protect, Duquette says.
He offers the following advice to executives and human-resources managers:
- Recognize that data security is every bit as important as other business functions, such as operations, sales, marketing and finance.
- Identify what you want to protect — you can’t protect everything — and put controls in place to guard those things.
- Build a corporate culture of security across the organization that includes everyone — from the CEO to the janitor.
Creating a culture of security can start at the job-interview stage, says Duquette, who recently appeared on Rudner Law's Fire Away program to discuss cybersecurity and the digital activity of employees.
“Before you even bring someone on board, ask them a few questions about how they handle data security and see how they react. It’s important to have some of those questions baked into your interview process,” he says.
Employers should be transparent about their data-security policy, letting employees know from the get-go that company-owned devices may be monitored, Duquette says.
Employees should also be required to sign a document that indicates they have read and understood the data-security policy, Duquette says. It’s also beneficial to provide security training to employees at the same time to reinforce the message.
The danger period for data theft is usually the two months before an employee decides to leave for another job, he says.
“When people give their resignation, that’s when you have to go back and look at their activity in the two months prior. That’s when they would probably start gathering what they want to take with them,” Duquette says.
When undertaking an investigation of a current or ex-employee, several factors must be considered, he says.
- Make sure you have the authority to proceed, and that management and the legal team are backing the investigation.
- Review the corporate security policy.
- Check for compliance issues — many organizations such as banks and health-care institutions have to comply with regulatory frameworks.
- Check privacy laws of the jurisdiction where the employee is working.
- Focus the scope of the investigation — it can’t be a fishing expedition.
“There may be other factors to consider depending on your organization and the type of investigation you are conducting. Always consider that any investigation that you conduct on an employee may result in legal action and potential litigation,” Duquette says.