Adopting an open corporate culture means empowering and trusting your employees. Today, companies use an increasing amount of sensitive data, such as financials, performance metrics, competitor intelligence, or customer information. The way in which employees use and manipulate this data internally without exposing the company to legal risks is a daily challenge for security teams.
Tools such as enterprise social networks and trends such as BYOD open up further significant risks, putting IT teams under pressure to protect IT assets while expanding the company’s potential. What issues should be considered, and what measures can be taken to protect company data in an open corporate culture?
Multiple security concerns
Security covers a vast array of topics, but when viewed through the prism of companies with an open culture, the following concerns seem to be cited most often:
Access control: Who can access systems? If the answer is “only people with corporate emails,” what about contractors and external users, such as the partners with whom your employees need to interact?
Governance: In an open environment such as an enterprise social network, people can share things freely, often creating discrete groups. Data compartments are therefore created organically, and they become places in which corporate management cannot easily exercise control.
Intellectual property (IP): Employees can easily share protected IP with their colleagues; thus, the company may be exposed to legal risks without knowing it. In contrast, when content is created by collaborating with external users in collaborative environments, the IP boundaries may not be so obvious.
To mitigate security risks, IT leaders can use a wide variety of technologies, such as encryption, password management, user account deprovisioning, and associated access control mechanisms. But while adopting such technological solutions is mandatory, they are not enough. There are other soft measures that provide no technical enforcement but that revolve around the cornerstone of an open company: people.
Make employees accountable for their behavior
For decades, the very first thing many companies have done is produce security policies when they grant employees access to their IT resources. Some experts suggest including those security policies as part of an employee code of conduct, which everyone must read and accept.
This effectively makes every employee accountable for his or her actions. However, many experts have noted that these policies should be kept short and simple to be effective; otherwise, employees will simply ignore them.
No policy document will ever make your employees security experts. For example, some employees may post confidential information on an enterprise social network (ESN) that does not have restricted access.
Therefore, it’s critical to complement policies with security training sessions that every employee must complete. These training sessions should help employees understand the threats, the consequences of their behaviours, and the associated risks.
Furthermore, senior leaders should be briefed on any security awareness program and be responsible for passing the message down to their teams. The leaders themselves must follow security restrictions completely.
One simple technique is to include security markings, such as “Confidential,” “Public,” or “Restricted,” on all your document templates.
This does not have to be overly complicated. The simple presence of the markings will prompt authors to think about confidentiality when they write a document and choose the appropriate mark. Readers, in turn, will inevitably see the marking when they share documents.
It may sound simplistic, but this method is so effective that companies like Cisco have adopted it globally.
Develop security zones
Some tools, such as collaborative software or document repositories, often contain all kinds of restricted information. However, access to these platforms is typically offered to all staff members, including contractors, and sometimes partners or customers.
When so many people can view information, it can be easy to become confused about who can see what. You can help employees determine whether they are in a confidential or public area by using visual cues (such as color codes and logos) or naming conventions that are easily spotted and that indicate whether it’s a safe place to share information.
Create security awareness channels
Security teams are often short on staff, so they struggle to make other employees understand what they do. Security concerns are often far from the minds of average employees, who have their own daily concerns. It takes a lot of pedagogy to explain security issues and keep people thinking about them.
In an open work environment more than anywhere else, you can create dedicated channels, such as mailing lists or discussion forums, where your security team can post information to keep other employees updated on security threats, incidents, and policy changes. These channels are ideal places for letting employees ask questions, raise concerns, and notify you of security alerts.
Create a culture of data protection
The tips suggested above for enforcements and incentives should help protect your company data, especially in an open corporate culture where so much relies on people.
No technology can provide perfect security, which is why many experts recommend making security an integral part of your corporate culture.
Just as exercising is part of creating a healthy lifestyle, behaving safely when it comes to company data should become part of your employees’ work lives.
Data security practices must be aligned with your business strategy so you can find the right balance between risk and business agility. Of course, not all companies face the same challenges, but every company can create a culture of vigilant security.