Today, employee error and otherwise casual approaches to security is causing serious harm to a great many organizations – and to employees themselves.

Bad outcomes from abuse of systems and content abound.  Employees have been busted for surfing porn, for e-mailing clients with unflattering characterizations of inside-business, for divulging sensitive business secrets and details, for defaming co-workers, for wasting business time with all manner of personal business – the list goes on…

Recognize that whatever you do is basically captured for review by appropriate organizational authorities.  Further, the discipline of eDiscovery now mines data and coughs it up, splaying it for the world to see.  Deleting content is of little use:  Data is merely flagged as overwritable –disc space is marked as being open when needed for new content; but until it is overwritten, that data is retrievable with tools.

Further, even when data is eventually overwritten in this regard, it’s likely still available on backup media, yet gathered there before it was overwritten in the active environment, and now harbored for virtually an infinite review.

Browser histories are also available this way.  Don’t count on their deletion as being any kind of protection.  In the realm of data, and to be safe, assume everything is permanently available for review and use.

At many orgs, there’s no lack of training – and there’s no lack of associated policies:  Acceptable Use, Content Management, a general Security policy; all regarding protection of systems, data, e-mail guidance, internet access and allowable use, etc. 

There are warnings about use of systems for personal use, with thresholds of defined abuse.  In other words, and in an obvious example, no one begrudges someone receiving a modest amount of personal e-mail through the “work system,” with the occasioned print of something or other.  But too much use of work resources for the conduct of personal affairs is not at all prudent.

But whether quarterly, semi-annually, or annually, various training is often treated as an inconvenient interruption to business.  Many employees regard it as either a nuisance, or a goof-off day.

But the real objective as concerns security is not training in and of itself – nor any particular measure, or test, of employee adherence to goals and values at some pinpoint moment in time.  Rather, the objective is an ongoing, seamless, and active security awareness on the part of employees (as supported by regularized training and updates – nothing remains the same).  Awareness of what not to do, and what to do.

The only real way to maintain awareness and protection is to instill a valid eCulture at your place of business.  eCulture comprises many things, and we’ll examine more in coming posts, but a couple warnings and tenets apply:

-          In the realm of risk, unmanaged possibilities become probabilities

-          All activity in the truly modern organization is viewed through security’s prism

In fact, a useful way of embedding a modern security awareness, in support of eCulture principles, is to tell employees they must wear “security glasses” – these “glasses” force the preeminent consideration – security – for every action and activity undertaken by individual and organization alike. 

All sorts of useful examples and analogies can be created, but what’s worked for me, quite well, is to counsel organizations to put on their security glasses, with lens of security prisms. 

Employees quickly learn to view everything through that security prism:  Exercising safe and best practices. 

The “glasses” (with signage, reminders, etc.) force awareness.  It is simple…  and powerful.

On this day:  In 1893, the first Ferris wheel premiered at the Chicago Columbian Exposition