
The scoop on security policies

Jun 21, 2004

Think your company’s too small to need one? Think again

I’ve had the pleasure of meeting readers in New York and Washington, D.C. as part of Network World’s Remote Office Networking tour, and it’s been great. Most of the attendees are large company IT folks, but the feedback they’re giving applies to companies of every size.

Take heart: if you’re struggling with security issues for your three- or 30-person business, some attendees manage 20,000 remote users and have the same problem you have: how to let employees connect securely to the information they need when they’re not in the office.

So let’s talk about security, and the need for a security policy. All the rage in corporate IT, security policies outline exactly how users access network resources and the security responsibilities of the users to protect company information. Sometimes committees get involved and write a security policy so long it comes out in two large binders.

Here’s a brand-new Gaskin Guideline: Your security policy loses half its readers for every page after the first one. In other words, if you have three pages, maybe a quarter of your users will read it. If you have five, maybe 7% will. I base this formula on years of watching users avoid reading things they don’t like, especially poorly written mandates about subjects they avoid whenever possible.

If your security guideline is one page – and one page only – you can demand (and expect) that all users read and at least try to follow the guidelines.

Do you need a security policy if your company’s employees can all fit into the same car? Yes, if only to impress upon them how serious security issues are for companies large and small. You also need to write a security policy that clearly explains what you want, what you think is important and what you want employees to do.

One quick anecdote from an attendee in Washington, D.C.: “Executive management often says they understand security, but they only understand it intellectually, not viscerally. You can tell this is true when the CEO signs the security policy, then demands you make his password his initials.”

That’s the voice of experience, unfortunately. So what should your security policy say?

Every employee must protect company assets, and that means locking the electronic door just as you lock the door to the physical building. All data on company computers, including laptops, belong to the company and the user must take every reasonable step to back up the data and protect the computer from hackers. This means keeping the operating system, personal firewall, and virus protection software up to date and active on the computer. Passwords are personal and are not to be shared. Careless handling of company data can mean lost profit, lost revenue, and may create serious civil and criminal liabilities for the company and employees.

Security policy offenders are handled in a variety of ways, but consistency is unfortunately not the norm. Some offenders are fired, some reprimanded, some have a bad report on their personnel file making it tougher at salary review time. You need to decide which infractions deserve which penalties.

Do users share passwords? All the time. The problem occurs so often that most remote-access service providers include an alarm and a default error report for when two sessions with the same username and password are active on the network at the same time. Sometimes that indicates a hacker, but most often it means one user compromised company security “just a little bit” for the noble goal of “helping a co-worker out of a jam.” People punch timecards for each other, share keys to open doors they aren’t authorized to unlock, and help out when a password is forgotten or a user needs access to data their security profile blocks.
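The concurrent-login alarm described above is simple to reproduce yourself if your remote-access gateway only gives you raw session logs. The following is an added example, not code from the column or from any vendor: it walks a set of constructed login/logout records (the field layout and the addresses are assumptions for illustration) and flags any login that overlaps an already-open session for the same username from a different source address. A reconnect from the same address, or a new session after the old one has logged out, is left alone.

```python
"""Flag one credential in use from two source addresses at the same time.

Added example for the column's "alarm and default error report" idea; the
log format below is an assumption, not any product's real output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, event, username, source address.
# alice opens a second session from another address while her first is
# still up (the sharing pattern); bob's two sessions are sequential, so
# they must not trigger the alarm.
SAMPLE_LOG = """\
2004-06-21T08:58:12 LOGIN  alice 198.51.100.7
2004-06-21T09:00:05 LOGIN  bob   203.0.113.22
2004-06-21T09:03:41 LOGIN  alice 192.0.2.44
2004-06-21T09:10:00 LOGOUT bob   203.0.113.22
2004-06-21T09:10:30 LOGIN  bob   203.0.113.23
2004-06-21T09:30:00 LOGOUT alice 198.51.100.7
2004-06-21T09:45:00 LOGOUT alice 192.0.2.44
2004-06-21T10:00:00 LOGOUT bob   203.0.113.23
"""


def parse_line(line):
    """Split one assumed-format record into (timestamp, event, user, ip)."""
    ts, event, user, ip = line.split()
    return datetime.fromisoformat(ts), event, user, ip


def find_concurrent_logins(log_text):
    """Return one (user, existing_ip, new_ip, timestamp) tuple for every
    LOGIN that overlaps an open session of the same user from a different
    address. Records must be in time order, as a session log normally is."""
    open_sessions = defaultdict(dict)  # user -> {source ip: login time}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = parse_line(line)
        if event == "LOGIN":
            for other_ip in open_sessions[user]:
                if other_ip != ip:
                    alerts.append((user, other_ip, ip, ts))
            open_sessions[user][ip] = ts
        elif event == "LOGOUT":
            # A logout for a session we never saw open is ignored rather
            # than treated as an error, so a truncated log still works.
            open_sessions[user].pop(ip, None)
    return alerts


def format_alert(alert):
    """Render one alert as a single report line."""
    user, old_ip, new_ip, ts = alert
    return (f"{ts.isoformat()} ALERT {user}: login from {new_ip} "
            f"while session from {old_ip} is still open")


if __name__ == "__main__":
    for alert in find_concurrent_logins(SAMPLE_LOG):
        print(format_alert(alert))
```

Two caveats a practitioner will hit at once: a single user with a laptop and a phone on different networks trips this check legitimately, and two people sharing a credential from behind the same NAT address do not trip it at all, so the alarm is a prompt to ask a question, not proof of sharing on its own.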

Do users forget to back up their desktops in the office and their laptops on the road? Absolutely, especially the laptops (as we’ve talked about recently). And the only reliable answer to this problem is to find a way for company IT to schedule and manage the backups.

Here’s what big company IT managers hope to learn at our Remote Office Networking seminars: how to connect local and remote users reliably and securely to the network with the lowest cost but highest management controls. If you’re trying to reach that same goal for your small business or home office, you have lots of company. You also have lots of new options, which I’ll continue to cover.