CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Security

Security and individual responsibility

SAP's Sachar Paulus says that if companies fail to turn security into a collective responsibility, they risk losing the war.

Security concerns about the vulnerability of technology now command attention at the highest levels of government on both sides of the Atlantic.

But despite knowing about the potential risks of a disabling software virus attack, the private sector still remains reluctant to make security its top priority.

The resulting security breakdowns occur because there's a perception that security is only the responsibility of a company's information technology security officer. That is a mistake.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


A company that fails to correct that impression may inadvertently foster a casual attitude among employees, who then naturally view security as outside of their day-to-day purview. Yet it is these very activities--most of them haphazard, others occasionally intentional--that allow a major disruptive virus to invade an IT ecosystem.

The important task of changing a company's culture begins by informing employees about the importance of security. Turning this into a collective responsibility is less difficult than it sounds at first blush.

In most cases, employees can take relatively simple actions and use common sense to help safeguard important company information. It is surprising how much impact a vigilant attitude can have. As IT plays a greater role in all society operational functions, changing

Changing employees' mind-sets about security will become increasingly critical.
employees' mind-sets about security will become increasingly critical.

Making security a high priority for each employee begins with a company culture that stresses how much each individual contributes to a company's overall IT security. Security improvement has to be part of the big picture, and everyone must feel personally responsible for his or her designated area.

There are specific steps companies can take to foster a culture more focused on security. For starters, management should invest in security training and educate the work force about best practices. It's the simple stuff--such as encouraging employees to reset their own passwords--that can ease the IT staff's burden.

It's the simple stuff--such as encouraging employees to reset their own passwords--that can ease the burden placed on IT staffs.
Companies also need to articulate a thorough security policy. But it should be a simple version--a kind of "Top Rules" document--for everyday usage. These five or 10 basic rules may serve as a central point in bringing security precautions into everyday work. It would also have the ancillary effect of creating a culture that makes each employee responsible for the assets of the company, while drumming home the bigger message that taking security precautions is part of the job.

Highlighting the risks
IT security needs to be viewed as a strategic priority that enhances productivity and improves the way the business functions. Security measures that protect against unauthorized network access are obviously necessary, but that only tells part of the story. Individual users also need to get the message that opening e-mail attachments from unknown sources or using one's own name as a network password are also security risks.

The responsibility falls on individuals to observe sound practices throughout the workday. This includes resetting pass codes regularly, avoiding the use of birthdays and names as passwords, and being conscientious about logging out when working from a remote or public location.

Other practical steps that can be taken each day include: never writing down passwords; using care and caution when opening unknown e-mails; not leaving CDs or confidential documents out in the open; and, most importantly, notifying the appropriate specialist to solve an IT problem rather than trying to do it alone.

As security budgets grow and threats continue to mount, companies should begin to educate employees and instill cultures that encourage individuals to take responsibility for IT security. IT security should be viewed as a strategic aspect of the business--one that affects customers, vendors and employees and has an impact on the bottom line.

The costs of being shut down or paralyzed by a security breach can be tremendous. Educating employees and encouraging them to take action can be a far more cost-effective alternative.