The biggest threat to the security of any company’s data is not hackers or other external threats, it’s from the firm’s own employees. It is true that Japan is a little better than most countries, thanks to employees being more inclined to follow the rules. Nonetheless, a recent Cisco-funded survey found that about 21% of IT managers suspected that their users were sharing PCs and other devices with unauthorized users.
Further, there have been numerous incidents over the last five years where thousands and sometimes millions of customer records and other data have been leaked into the public domain. Now that the Protection of Personal Information law exists, combating data security issues is not only a moral obligation, it is a legal one as well.
There are many ways for information to be removed from a network, and an equally large number of electronic countermeasures that can be used to protect against this. Certainly we will be going into this later in the column series. However, since employees are the biggest risk factor, and since they are human, I think the best way to counter information leakage is through user education which results in a positive attitude towards security, and clear rules.
User Education
The first step to good “hygiene” in information security is to have your employees feel that security is important and what they should do to ensure that data stays safe. They need to be familiar with what the policies and rules are, and feel comfortable that not only are they meeting those requirements, but that they are communicating to their colleagues and new employees the same values. A good start is to run a series of seminars that everyone is obliged to attend. Make the seminars available over a period of different times of the day, so that salespeople who are always out in the afternoon can get to a morning session, and managers who are closeted in other meetings all day can get to an evening one.
Content of these seminars should be simple, but clear. It’s a good idea to introduce early on what negative impact a data security leak can have on the company, so that the need for the seminar is firmly established in people’s minds and they become more accepting of the rest of the message. Other content for the seminar should include:
1) Introducing the concepts of data security
2) How regular employees can be secure in their own work environment
3) How to recognize a security breach, what to do about it, and who to
report it to
4) Some of the specific rules and regulations formulated by the company,
5) Some of the major points of the actual Protection of Personal
Information law.
Guidelines and Rules
Raising people’s awareness of security can be as basic as having employees handling sensitive information to label such materials as “Confidential”. The actual level of confidentiality required for a particular piece of information and whether it is even needed, needs to be communicated clearly and in writing, for future reference. If you don’t have a security manager or IT manager in charge of security, then have your HR team and Compliance team get together on drafting these guidelines. There is plenty of information on the web about other companies’ policies and rules, and of course your team should read the wording of the actual law.
A factor that many companies overlook in drafting their guidelines and rules is what to do in the age of Web 2.0. Much as in the Hays case we discussed in an earlier column, you need to be telling your staff what they can and cannot do when out on the web. Business networking sites, Web 2.0 applications, and remote email software are all great conveniences and often cheap or free, but putting information out on them can make the company vulnerable. Clearly some decisions have to be made, what to allow and disallow. Personally I’m against over-protection, unless you’re a bank or similar company with industry mandated rules.
There is some additional documentation you can do as well – which although weak in the Japanese courts (unfortunately) nonetheless do provide an education and deterrent affect. Firstly, you should ensure that there is a confidentiality clause in your employment contracts, defining what is confidential information and the employee’s obligations in handling such information. Secondly, those employees leaving the company should be signing a separation agreement that has them declaring that they are meeting their obligations and not removing information without permission (such as name cards and other customer data).