
Security Policy Language Shortfalls Contribute To Disgruntled Employees

Firstly, I hope everyone in the USA had a wonderful Thanksgiving! Now as you have finished that Black Friday shopping and are home now, lurking on the Internet for something to read, I’ll contribute a blog post here.

Ask anyone who works in a Cybersecurity role and they will tell you that one of the most concerning threats to a company is a disgruntled employee. You see news stories about a breach or compromise of data occurring, and it gets reported that a disgruntled employee was the cause.

That’s where the story ends, with the blame firmly placed upon the disgruntled employee in question.

My question is this: should the story end there?

The answer, in my humble opinion, is a resounding no.

Why was the employee disgruntled?

Sure, most of us ask that question whenever we begin reading one of these stories, but as we continue on and learn about the horrible actions the disgruntled employee in question took and how bad the breach ended up, we for some reason stop asking that question.

Answering this question as you can imagine could become a lengthy discussion. I’m not going to go into all the possibilities here as that’s simply not possible for one person to do. I would encourage any company to have such a discussion however as an ongoing topic. Such “internal debates” would be most useful.

One area where I have seen there can be marked improvement is how policies are communicated.

As should be the process with any security policy, simply communicating what a policy contains in the annual security training through HR is not enough. You need to explain WHY a policy exists, how it protects the company AND how it can protect the employee. That information should be encompassed within the policy document itself, which all employees are provided with. Doing this one thing can prevent so many issues.

Here’s an overly simplified example of how to communicate a cloud storage security policy:

  • To prevent an employee from inadvertently opening a malicious file allowing for malware to infect the work computer.
  • To prevent the unauthorized dissemination of company documents and/or data.
  • To prevent potential access by a nefarious individual to an employee’s non-work personal files should the work computer become compromised.

This last point shows how the policy protects the employee. Providing an example scenario for this last point can help gain the employee's appreciation for this policy.

An example I have used to demonstrate this potential danger is one where the employee sets up Google Drive and has it sync files between the cloud and their work computer. The work computer is then stolen. All the data on that work computer is potentially in the open, including their personal files. This usually drives the point home with the employee.

Let’s look at another example: access restrictions for web-based email services such as Gmail, Yahoo Mail, etc.

  • To prevent an employee from inadvertently clicking on a malicious link in an email, allowing malware to infect the work computer.
  • To prevent the unauthorized dissemination of company documents and/or data.
  • To prevent a nefarious individual from accessing your personal communications should the work computer become compromised.

Again, the policy itself demonstrates that protecting an employee’s personal data and/or information is one of the reasons for that policy.

The takeaway here? Explicitly having language in your policies that shows how and/or why an employee’s information is being protected is necessary.

I know, this discussion was very much oversimplified, but I think it demonstrates the concern here. Companies say all the time that “employees are their most important asset”. When you draft company policies that have within them the very points of how policies help protect employees, you demonstrate that employees ARE valued assets.

That active demonstration of corporate “values” can make all the difference in a corporate culture. There is so much to gain from this mindset and so little to lose from the effort.

Until next time!