What would be more disastrous to a Fortune 500 corporation: an employee who chronically shows up late, or an employee who chronically breaks security policies and puts the company's valuable information at risk?
What would be more disastrous to a Fortune 500 corporation: an employee who chronically shows up late, or an employee who chronically breaks security policies and puts the companys valuable information at risk?
The greater threat of employees harming security may seem obvious, but I-managers must set firm policies and drop the hammer when necessary on employees who break those policies, experts said.
Businesses and government agencies alike face the challenge.
At the Department of Defense, the network recorded 245 intrusions in 2000, 96 percent of which could have been avoided with top-notch security policies and technologies, according to Army Col. Larry Huffman, who commands the network operations center. And 38 percent of those intrusions were the result of poor security practices among employees, he added.
Administrators should carry out "ruthless enforcement" of security policy, advised Lt. Gen. Jack Woodward, deputy chief information officer at the Air Force.
The Air Force is building an enterprise portal that provides access to all Air Force services, depending on access privileges, the first of its kind in the military.
The service is treating its network as though it is a weapons system, Woodward said. "If a computer goes down, it was attacked until proven otherwise," he said. "And you must punish users who break the rules."
According to representatives from both private and government organizations who spoke at a security conference, punishment should depend on whether the policy break was intentional, negligent or simply a mistake.
Patrick Milligan, manager of security strategies and technologies at Ford Motor, said he feels comfortable holding employees accountable for security mistakes because each of them must pass a certification process to access those systems. "So if theyre certified to be there, theyve been educated to be there.
"Weve had security breaches in the company and we tell the person exactly what damage theyve caused, both in terms of financial loss and reputation of the company," Milligan said. "But in many cases people are absolutely getting let go."