
Network World


The human element in IT security

By Linda Brigance, CIO, 12/05/2007

The air express industry, like many other businesses, has rapidly transformed the way it serves customers over the past few years, through the aggressive and ingenious use of the latest IT. FedEx spends more than $1 billion every year on IT. Frederick W. Smith, founder of FedEx, once said, "The information about the package is as important as the package itself."

But these advances come with a price: the need to protect the system from damaging viruses, accidental data breaches and even deliberate attacks. Breaches can often start in a very personal way--with friends over a cup of coffee, at a café where employees go with a work PC and surf the net or do personal e-mail. Most of us are familiar with the technology fixes that form one side of the picture, including firewalls, passwords and digital certificates. However, the policy that supports these is equally important.

It is becoming vital for any successful global business not only to have an excellent security policy in place, but also to ensure that the policy is prioritized and communicated in an efficient and meaningful way.

A Vital Protection Tool

In the last six months in the U.S., nearly 40 percent of firms surveyed by the Computing Technology Industry Association reported a major IT security breach. How many of these could have been prevented by considering the human element in the workplace? Many stemmed from the accidental loss of a laptop, BlackBerry, or mobile device; employees using unsecured networks from home to conduct company business; or employees downloading unapproved software onto the company network. An effective security policy is, in short, a vital protection tool for any kind of enterprise.

The paradox is this: security policies often do not make it onto management's radar screen until the organization has a major security incident. But the most effective policy is not one that is developed during a crisis; it is one that is developed, updated and communicated continuously after a systematic review of security needs.

The question then becomes, how are the best security policies developed? Large companies and those with the most at stake have put significant resources into this area. FedEx delivers more than 3.3 million packages each working day and the information that goes with them, and understands the significance of solid IT security--not only in the server room, but also in the boardroom.

Pathway to a Policy

In a global corporation, a security policy is most effective when it is aligned with the company's business strategies at both the headquarters and regional level. Otherwise, issues such as varying risk tolerance levels among business units and cultural differences between the legal and business sides of the operation may arise. Security policies also need to be cost effective and be constantly communicated. Everyone in the company needs to be responsible for IT security--not just the IT department.

Step 1 -- Legal Compliance

Look at areas where you are legally obliged to have security policies in place. Complying with the relevant laws will mean you have the right controls in place before you are audited or face any new cyber threats.
