Security and individual responsibility
SAP's Sachar Paulus says that if companies fail to turn security into a collective responsibility, they risk losing the war.
But despite knowing about the potential risks of a disabling software virus attack, the private sector still remains reluctant to make security its top priority.
The resulting security breakdowns occur because there's a perception that security is only the responsibility of a company's information technology security officer. That is a mistake.
 | ||||
| | | ||
| Get Up to Speed on... Enterprise security  Get the latest headlines and company-specific news in our expanded GUTS section. | | ||
| ||||
| ||||
The important task of changing a company's culture begins by informing employees about the importance of security. Turning this into a collective responsibility is less difficult than it sounds at first blush.
In most cases, employees can take relatively simple actions and use common sense to help safeguard important company information. It is surprising how much impact a vigilant attitude can have. As IT plays a greater role in all society operational functions, changing
| Changing employees' mind-sets about security will become increasingly critical. |
Making security a high priority for each employee begins with a company culture that stresses how much each individual contributes to a company's overall IT security. Security improvement has to be part of the big picture, and everyone must feel personally responsible for his or her designated area.
There are specific steps companies can take to foster a culture more focused on security. For starters, management should invest in security training and educate the work force about best practices. It's the simple stuff--such as encouraging employees to reset their own passwords--that can ease the IT staff's burden.
| It's the simple stuff--such as encouraging employees to reset their own passwords--that can ease the burden placed on IT staffs. |
Highlighting the risks
IT security needs to be viewed as a strategic priority that enhances productivity and improves the way the business functions. Security measures that protect against unauthorized network access are obviously necessary, but that only tells part of the story. Individual users also need to get the message that opening e-mail attachments from unknown sources or using one's own name as a network password are also security risks.
The responsibility falls on individuals to observe sound practices throughout the workday. This includes resetting pass codes regularly, avoiding the use of birthdays and names as passwords, and being conscientious about logging out when working from a remote or public location.
Other practical steps that can be taken each day include: never writing down passwords; using care and caution when opening unknown e-mails; not leaving CDs or confidential documents out in the open; and, most importantly, notifying the appropriate specialist to solve an IT problem rather than trying to do it alone.
As security budgets grow and threats continue to mount, companies should begin to educate employees and instill cultures that encourage individuals to take responsibility for IT security. IT security should be viewed as a strategic aspect of the business--one that affects customers, vendors and employees and has an impact on the bottom line.
The costs of being shut down or paralyzed by a security breach can be tremendous. Educating employees and encouraging them to take action can be a far more cost-effective alternative.