
Don’t Be An Ostrich: Managing Employee Digital Misbehavior

A combination of disgruntled employees, former employees and poor systems management causes great harm to businesses today; however, much of that harm is avoidable. This column provides practical recommendations that you, as a business manager, can implement and oversee to ensure your critical digital information is reasonably safeguarded against insider abuse and misuse.

What are you safeguarding?

First, of course, you want to safeguard critical digital assets: electronic files that are of value to your company. Value, of course, is subjective. Suffice it to say that any electronic information a business wants to protect as its own can be considered a critical digital asset. Examples include digital versions of intellectual property, confidential or proprietary information, trade secrets, and the often ignored, regulatory protected and risk-prone “private” information about employees or customers.

Critical digital assets are very portable and readily available, and thus increasingly subject to employee abuses, intentional and otherwise. These assets reside in electronic data storage devices of all kinds: user workstations, corporate servers, PDAs, flash/thumb drives, cell phones and other portable storage devices. Don’t forget iPods; they are also storage devices.

The risk environment and where to start

Digital misbehavior by employees can be costly from both a productivity standpoint (thus, a profitability risk) and from a loss-of-business standpoint (e.g., confidential data gets into the hands of ex-employees who are now with a competitor, or a breach of private information occurs that could bring on local or federal privacy compliance actions and litigation). Preparing proactively to mitigate these risks is by far the least costly approach. It all starts with a few of the following practices, which involve your HR leadership and your counsel.

Analyze your business and determine what is really at risk, digitally. Know who you have working for you now and in the future. Do this by asking questions such as:

– What are you protecting, specifically?
– Who should and should not have access to it?
– What kind of workforce do you have, and what are their typical digital and computing behavior patterns and acumen?
– Do they present high levels of risk, given their duties and computing prowess, or not?
– Do you have information that requires particular treatment and processes, given its regulatory status, such as private customer information?

Then, in conjunction with counsel, begin outlining or augmenting your company’s current operations and policies to comply with state or federal privacy laws and other regulation related to your specific industry, as applicable. Create an Acceptable Use Policy (“AUP”) that sets out the rules and expectations for employees using your systems. Consider, as well, specific handbook policies that govern digital-oriented inventions, trade secrets, and the like.

Next, ensure that your computing environment supports the controls necessary to manage employee behavior, so that misbehavior is mitigated as much as possible. The objective of these controls is to prevent what is known as “data leakage.” Take into consideration the answers to the questions above, particularly as they relate to knowing what you want to protect and from whom, and, equally importantly, where it should live, physically. Then, plan for misuse, because information is so frequently scattered away from its source of origination.

Implement practices to enforce, manage, and report on controls. Here are some suggestions for doing this:

– Use hardware and software technologies that manage policies regarding web usage, data accessibility, information portability and storage, multimedia device usage (iPods, thumb drives, etc.) and synchronization of PDA and cell phone data.
– Implement tools that allow you to specifically control the nature and extent of web sites and site content that users are allowed to see, when they can see it, and manage who among your users may need more or less of these controls.
– In concert with established policies, your business can manage, limit, and monitor the data that is sent and received over the internet, via your own email systems and via web sites that provide utilities of various kinds, such as web-based email (e.g., not necessarily your business’ email, but that of the employee, such as AOL and the like) and web-based storage services.
– Put in place software that monitors the network to ensure that only approved software applications are in use among all devices on the network. This keeps the risk of harm from employee-owned or other malicious software to a minimum.
– Consider deploying software tools to control which devices are allowed to connect to your computer network, and to ensure that information stored on external drives is encrypted by company-owned systems, thereby making it worthless if found by others unless the device is authenticated on the company network.
– Issue to employees only computing and communications devices that are configured, secured and monitored in accordance with your business’ AUP and other enforcement policies and practices. We strongly recommend that all devices used by your employees for business purposes be owned by your business.
– Last but not least, be sure to implement tools to protect critical digital assets from viruses, spam, worms and a host of internet-based vulnerabilities, down to the level of each workstation and laptop, and ensure that all emails, inbound and outbound, are scanned by these tools.

These tools work in concert with devices and software that protect a business’ systems from external abuses, such as firewalls, intrusion detection products, and remote computing software and practices, to enable outside-in protection, augmenting the inside-out data leakage protection provided by the practices recommended above.

The bottom line is to consider just how much control is appropriate for your specific risk environment. Considerations will include cost vs. benefit and employee morale, among others. In any event, be sure to establish, and follow through with the management of, policies and practices.

Robert P. Green, CPA.CITP and Rick Mark are practice leaders with insync Information Management, LLC, working with executives of growing businesses by providing objective IT advisory and outsourced IT management services. Reach them at [email protected] and [email protected], or call 1-877-insync7, extension 650 and 660, respectively.
