With an increasingly high level of security threats like the ones exposed on the nightly news, it’s tempting for IT departments to lock everything down. However, your staff needs – and expects (especially the younger generation) – a certain level of freedom to work efficiently and productively. The best security policy balances the needs of staff, the IT department, and the people who entrust their data with you: your members and constituents.
The case for less security
Each end of the security spectrum has its own risks and rewards. A security policy with fewer restrictions may grant staff more admin rights to install programs or use their mobile devices freely at work. A lower level of security may make the work day easier for staff, and allow them to get work done faster. IT staff won’t have as many support calls to install and update programs. Until one of those updates isn’t really [insert name of downloadable software], but is actually malware. That’s the risk of a more hands-off approach.
But, on the other hand, is more security better?
Having more security reduces the risk of breaches, but it comes with its own challenges. When staff aren’t able to do as much on their own, the IT department is naturally required to provide more support and oversight. For example, staff may be allowed to use their mobile devices for work, but only with a mobile management program overseen by the IT department. Or, a policy requiring a password change every 4 months means IT staff is answering more help desk calls.
Security is not just about the devices themselves
Security isn't just a technical concern. A good security policy addresses association-wide issues.
- If a security breach occurred and confidential data were compromised, do you have a crisis playbook? Do you have a response team? Does that team include staff with crisis communication skills?
- Do you segregate data by its level of importance and, therefore, security requirements?
- Is staff trained to spot and avoid social engineering attempts to breach security? Do you test to see if staff is using default passwords?
A balanced security policy works for everyone
Your security policy should include input from both IT and non-IT staff so that it reflects a variety of perspectives and needs. More importantly, before a security policy is implemented, everyone on staff must understand why and how they, as individuals, should comply.
Staff compliance with your security policy will help protect your association against known threats, but it’s only as good as the knowledge and expertise behind it.
Budget for a security audit. A security audit is not the same as a technology or IT audit. It’s a focused audit performed by security specialists. Get a security audit before something happens. You don’t want to be the association sending a “Target letter” to your members or have your network go down during a trade show. Or, even worse, you don’t want to be a target for intruders who want access to your members’ networks and data.
Leverage your relationship with the providers of your existing antivirus packages. What percentage of the package are you using? A phone call with one of their software engineers to discuss your situation could be worth thousands of dollars. An incremental increase in the licensing fee may give you additional modules that will provide major deterrents to hackers.
Remember The Club for cars — the locking device for steering wheels? Think of additional security as The Club for your organization — if hackers see it, they’ll walk on by to find another target.
Next up, we’ll review the elements of a sound security policy.
Looking for more information about information security? We’ve got you covered. Check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives for more information on threats to your organization’s security and how you can prevent your data from being compromised.
Flickr photo by Asim Bharwani