Imagine your best employee is found downloading pornographic material on his/her work PC. The HR Manager decides to dismiss them for gross misconduct. Your employee files a lawsuit for unfair dismissal, claiming they were not aware of the policy about downloading pornographic material at work. Who is in the right?
Let’s state the obvious: employees should really not be using corporate systems to access pornographic material. However, employers and employees alike must understand that businesses face legal exposure if they do not treat corporate security as a business risk and implement proper policies, procedures and solutions.
In this particular example a court could easily find the dismissal to be unfair. Although the company’s communications usage policy does classify accessing pornography as gross misconduct, the employee had not seen the policy because management had made no attempt to circulate it to all employees. Moreover, the company did not apply its policies consistently and equally. The court could further take into account the fact that the employee had an excellent record when deciding whether the decision to dismiss was reasonable. The employee could therefore have a claim for unfair dismissal.
When organizations think about security they tend to consider IT security only. Over the past few years most Irish organizations have relied on their IT departments for security. If a security breach occurred it had to be the IT Manager’s or their staff’s responsibility. This rather restrictive approach left out a number of key elements which all organizations now need to take more seriously. There are in fact a number of legal, operational and commercial issues surrounding corporate security in addition to the technical matters.
Firstly, one needs to consider the legal aspects of corporate security. Data Protection (DP) law is the best starting point. The DP Act 1998-2003 defines how data – “information in a form which can be processed” – relating to employees, customers and third parties should be treated. The simplest definition of data protection is the “safeguarding of the privacy rights relating to the processing of personal data”. The DPA confers not only rights but also responsibilities on how data should be processed. This affects every organisation in Ireland.
There are also other legal aspects of corporate security including, but not limited to, Spam, Copyright – IPR, Confidentiality, Contracts, Industry Specific Legislation and Professional Regulations, Licensing – Compliance, Harassment in the Workplace, Computer Crime, Director’s Liability and Privacy Rights. One also needs to consider company and individual rights, responsibilities and exposure in the broader context of corporate security.
So how does an organisation make sure it complies with the law, and how can it increase its security levels? For security strategies to be successful they must be driven by senior management, implemented by line managers, and respected and understood by all staff. The answer is more than likely in security awareness schemes.
Raising corporate security and security awareness levels means that senior management must address the following points:
· Physical and people security: How do you physically protect the organisation’s and employees’ assets? How do you foil social engineering attacks?
· IT security: Are you sure that only the right employees access the right systems at the right time? Do you educate your employees and make them aware of the value of corporate assets and confidential information?
· Legal liability: Do you realise that breaches in corporate security and non-compliance with current legislation relating to Data Protection can result in your employees or customers bringing legal proceedings against your organisation?
· Productivity: just how much are non-work-related surfing and emails costing the organisation? Do your employees realise the impact this has on the organisation’s productivity and success?
· Corporate culture: corporate IT security begins by building a corporate communication culture where the management team and employees understand and share the same corporate values and work together to preserve them.
Key players in the security industry recommend that you train staff, use easily applicable examples and follow these guidelines:
· Have a single point of contact who is ultimately responsible for promoting best security practice and dealing with issues surrounding security. Appoint a security officer.
· Treat security as a value-add and a business enabler. This applies both to the organisation protecting its corporate assets and good name, and to employees learning new skills, working faster and thus enhancing their individual careers.
· Make security awareness training a platform to enhance team spirit and corporate culture.
· Use plain English and give basic technical or legal information where required. For instance, if you expect employees to be able to spot a virus outbreak they must be taught what types of viruses to look out for.
· Do not take the Big Brother approach. For a start, there are legal limitations as to how you may monitor employees’ usage of corporate communications systems. Moreover, users must see e-mail and the Internet as business-enabling tools.
· Regularly update policies and procedures. Maintain and upgrade the technical systems which support those policies. Where possible, plan for the worst and devise disaster recovery plans to ensure business continuity.
· Give key staff regular refresher courses. HR Managers, IT Managers and fraud managers are the most likely to need ongoing training, as they will deal with security breaches, have to apply disciplinary procedures and take corrective action. This MUST be done legally and be easy to roll out.
· If you feel that your organisation does not have the time or expertise to deal with corporate security, outsource the legal aspects to IT legal firms and the technical aspects to IT security experts. The ROI will be quick.
Mathieu Gorge is Managing Director of the IT security consultancy firm VigiTrust. VigiTrust partner with the Dublin-based legal firm Merrion Legal, who provide legal advice on issues surrounding corporate security. VigiTrust deliver customised security awareness workshops on site at clients’ offices and also hold generic introductory workshops in conjunction with Merrion Legal each month in the Westbury Hotel. For more information please contact email@example.com or ring 01 4100864.