Are Your Security Rules Creating Risks?

Rules are made for a reason. Rules are supposed to make things better. Rules are supposed to make things safer for everyone. 

But what if the rules actually make things worse?  

A poorly written policy, combined with a team that is neither educated about nor invested in the policies, can put your organization at risk. This usually happens when employees are more focused on complying with rules than on keeping the business secure.

Consider this situation:

You need to fire an employee for not doing their work after a failed rehabilitation.   

The next step is to set up a meeting with yourself, the employee, HR, and legal. After telling the employee the news of their termination, you ask them for any work-related items they created (which are on their personal laptop, since you allowed employees to use their own devices).

The employee refuses though.   

Why?   

They respond, “According to the NDA I signed, I am not to discuss my employment, including any documents with any employer past or future.”   

HR turns to legal for insight. Legal just shrugs and says the employee is technically correct. The employee leaves without sharing any documents.   

While this situation seems a little far-fetched, if you aren’t careful, policies can and will be used against you and your management.

In this situation the NDA policy may cost your organization valuable work, but what if following a policy ended with a ransomware attack? What if it slowed down your team’s response time to a critical data breach?   

The problem with a lot of policies, including policies on security, is that they do not communicate why an employee should care. Oftentimes, these policies lead to a culture of distrust and dissatisfaction across the team.  

What can you do about this? 

Educate your team on WHY security is important.   

Instead of just instructing your team regarding cybersecurity, why not demonstrate how they are putting their data at risk? Understanding why habits and actions can put the company at risk and ultimately affect everyone can encourage your team to find a path to a solution.   


Give them training that makes sense to them.   

Most of the time, training is simply lip service. People pay attention to training only to pass a test at the end. It’s in one ear and out the other. Instead, how about engaging with your team and creating memorable training? Make it an experience instead of just another thing to check off their to-do list.


Create policies that work with your team.   

There’s no one-size-fits-all training. If you aren’t clearly communicating compliance requirements and policies to your team, you will see lip service to the rules, or people following bad rules instead of doing the right things.
