I was having lunch with a group of IT department staffers when the conversation turned to the rash of virus-related worms that have plagued our organization over the past few months. Too many times, I said, an unsuspecting employee has opened an e-mail attachment from an untrusted source and introduced malicious code into our network.
To my surprise, one person asked, "How are we and other employees supposed to know not to open certain types of attachments?" I was stunned. We have an orientation program and policies that have been published to educate employees on the acceptable use of IT resources, I explained.
They looked at me with blank stares. None of the half-dozen people at that lunch table -- a mix of veteran staffers and new hires -- had ever seen our IT security briefing or the published security policies that I had labored so hard to produce. Yet we had posted the policies on our intranet six months ago, and they're supposed to be required reading for every employee.
In addition, I had given the human resources department a copy of our security policies and a PowerPoint presentation that it could use to explain them to new employees. HR was supposed to be using the slide show to brief all new hires during their orientation workshops.
What happened? Unfortunately, there isn't a procedure to require new employees to read the policies or a sign-off mechanism to ensure that they have read and understand them.
In addition to developing the presentation for new hires, my department had broadcast several e-mail messages to current employees, with a pointer to the IT security Web page that contains our policies, procedures and guidelines. That page had received just 560 views from a population of more than 6,000 employees.
I proceeded to follow up by scheduling a meeting with HR. The woman I spoke with was new; the HR representatives I had dealt with before had left the company. She said she had seen the IT security presentation but wasn't aware that HR was supposed to be using it. And her priority, she noted, was handling things like payroll and benefits.
She did assure me, however, that she would eventually review the materials and start presenting them.
Clearly, it wasn't registering with her that this might be important. So I explained how the recent virus outbreaks had consumed countless man-hours and caused much frustration within the IT department.
As it turned out, the HR staffer remembered someone calling her to schedule a virus removal on her own workstation, but she had no idea of the magnitude of the problem.
This recent virus infestation could have been minimized or avoided altogether, I said, if users had read and followed the security policies.
Then I brought up the incident regarding an employee the company recently terminated after he used company IT resources to share and distribute child pornography online. If that user had been aware of the acceptable-use guidelines and known we might be monitoring that activity, perhaps he would have thought twice before engaging in unauthorized or illegal activity on company time, I argued.
Taking further action
In the end, to get things back on track, I agreed to participate in the new-hire orientation program by making the security presentation to new employees until the HR staff felt comfortable enough to run through it itself.
In light of the virus problems we've suffered of late, I decided to spend a few days reviewing and editing the slides to include some additional information about malicious code. So far, I've spoken at one orientation session. Not surprisingly, most of the inquiries were about e-mail and how to handle suspicious file attachments.
I also distributed handouts with the address for our IT security Web site and contact information for members of the security team.
It's every employee's responsibility to periodically review the company intranet for new information and to review policies and guidelines, I stressed. And I explained that by reviewing the policies, employees can help the company identify suspicious activity and prevent malicious code from being introduced into the network.
But that's not enough. I'm considering hosting a series of brown-bag lunch meetings and asking the HR department to send out e-mails stressing the need to understand and adhere to security policies. And I'm looking into deploying new tools that can help me enforce policy dissemination.
What I need is a Web-based application that can track which employees have viewed the policies and whether they have read all the ones that apply to their job functions. Depending on the job, certain policies apply more than others. For example, a marketing representative doesn't need to understand the Unix remote access policy.
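The tracking application described above boils down to two things: a mapping from each policy to the job functions it applies to, and a record of which employees have signed off on which policy version. The following is an added example, not code from the column or from any product it mentions, that models that core logic in Python; the policy names, employees, roles and dates are constructed sample data. It also handles the case the column's six-month-old intranet posting hints at: a policy that has been revised since an employee last read it counts as unread until they sign off on the current version.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Policy:
    policy_id: str
    title: str
    version: int
    roles: FrozenSet[str]  # job functions the policy applies to; empty set means everyone


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str


@dataclass(frozen=True)
class Acknowledgement:
    emp_id: str
    policy_id: str
    version: int   # the policy version the employee signed off on
    signed_on: date


# Constructed sample data (hypothetical policy IDs, employees and dates).
POLICIES = [
    Policy("AUP", "Acceptable use of IT resources", 2, frozenset()),
    Policy("EMAIL-ATTACH", "Handling e-mail attachments", 2, frozenset()),
    Policy("UNIX-RA", "Unix remote access", 1, frozenset({"sysadmin", "developer"})),
]

EMPLOYEES = [
    Employee("alice", "marketing"),
    Employee("bob", "sysadmin"),
    Employee("carol", "developer"),
]

ACKS = [
    Acknowledgement("alice", "AUP", 2, date(2004, 3, 1)),
    # alice read version 1; the policy has since been revised to version 2
    Acknowledgement("alice", "EMAIL-ATTACH", 1, date(2003, 9, 15)),
    Acknowledgement("bob", "AUP", 2, date(2004, 3, 2)),
    Acknowledgement("bob", "EMAIL-ATTACH", 2, date(2004, 3, 2)),
    Acknowledgement("bob", "UNIX-RA", 1, date(2004, 3, 2)),
    Acknowledgement("carol", "AUP", 2, date(2004, 3, 5)),
]


def applicable_policies(employee: Employee, policies: List[Policy]) -> List[Policy]:
    """Policies that apply to this employee's job function (role-specific or company-wide)."""
    return [p for p in policies if not p.roles or employee.role in p.roles]


def outstanding_policies(employee: Employee, policies: List[Policy],
                         acks: List[Acknowledgement]) -> List[str]:
    """IDs of applicable policies with no sign-off on the current version."""
    signed: Dict[Tuple[str, str], int] = {}
    for a in acks:
        key = (a.emp_id, a.policy_id)
        signed[key] = max(signed.get(key, 0), a.version)  # keep the newest sign-off
    return [p.policy_id for p in applicable_policies(employee, policies)
            if signed.get((employee.emp_id, p.policy_id), 0) < p.version]


def compliance_report(employees: List[Employee], policies: List[Policy],
                      acks: List[Acknowledgement]) -> Tuple[Dict[str, List[str]], float]:
    """Map each employee to their outstanding policy IDs and report the fraction fully signed off."""
    report = {e.emp_id: outstanding_policies(e, policies, acks) for e in employees}
    compliant = sum(1 for missing in report.values() if not missing)
    fraction = (compliant / len(employees)) if employees else 0.0
    return report, fraction


if __name__ == "__main__":
    report, fraction = compliance_report(EMPLOYEES, POLICIES, ACKS)
    for emp_id, missing in report.items():
        status = "complete" if not missing else "outstanding: " + ", ".join(missing)
        print(f"{emp_id}: {status}")
    print(f"fully signed off: {fraction:.0%}")
```

The report is the list the column's author is after: a marketing representative is never asked about the Unix remote access policy, while a developer who has only signed off on the acceptable-use policy shows up with two items outstanding. Tracking the signed version rather than a simple yes/no is what turns a one-time orientation checkbox into the sign-off mechanism the column says is missing.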