Being from the security compliance team, it is my primary responsibility to make people more aware of, and responsible for, the security of the data they process. In one such training session there was an interesting question:
Why are there so many security controls? Why can we not work in a control-free environment?
I closed the question by replying: to safeguard our data from the bad guys.
Later in the day I pondered how much money every organization spends on loads of security infrastructure. Is it really worth it? After all, from whom are we protecting our so-called “Critical / Sensitive” data? Obviously we are not protecting our data from animals or extraterrestrials; we are protecting it from those human beings who love to disrupt the good things. Should our employees be denied uncontrolled internet or email when most of us spend more than 12 hours in our offices, some of us also work on weekends, and the only way to connect with our friends is through social networking websites, email and web chat? Now, if all this is blocked, citing reasons such as “security reasons”, “client requirement”, “regulatory compliance requirement” etc., then I’m sure it affects employee satisfaction levels within the organization. So what can we as “employees” do so that fewer security controls need to be implemented, we do not feel caged when we enter our organization, and we love our jobs?
1. Use the internet judiciously and responsibly. Restrict the time spent from the office on social networking, personal email and chat to not more than 60 minutes a day.
2. When accessing public email, we need not download attachments onto our work systems.
3. Is there a need to upload a photo of your cubicle to Facebook, Twitter or any other social networking site? I don’t think there is any reason to do this, so let’s avoid posting snaps of our workplace when it is really not required.
4. Learn to differentiate between work data and your own personal data. Do not transmit work data using personal email IDs; this is a violation of the service agreements our organization has with its customers.
5. Remember, when we sign our appointment letter we are accepting the terms and conditions set therein. One of those terms is “The artifacts/documents/software code etc. which you develop during the course of your employment are the property of the organization” (language or grammatical variations in these terms and conditions are possible). So always avoid the temptation, especially on the last working day, to copy our work data onto a pen drive or email it to our personal email ID. Agreed, we created it, but we also got paid for it (salary, perks etc.), so we do not own it when we leave the organization.
6. Gadgets like fancy pen drives need not be brought to the workplace. The organization understands the importance of its data and has made arrangements to back it up regularly, so there is no need for us to take a backup on our personal devices. If the organization has not made the necessary arrangements, ask your management to invest in backup infrastructure.
8. Forums and personal blogs: yes, these are innovative and intelligent means to reach out to the masses, but hang on: are we posting any work-related information here? Is it required? I guess not!
This is what I call a right and fair balance between freedom and security!