Education can reduce the risk of security breaches
Proper documentation reduces threat of lawsuits
The next virus might be more damaging than Melissa, but information technology (IT) personnel know that the biggest threat to the security of a computer system may be someone sitting in an office down the hall.
"If we look at the larger picture, hackers tend to be mosquito bites," says Frederick Tompkins, information security advisor for Unisys Corp. in McLean, VA. "Our biggest problem is with the authorized insiders. They characterize anywhere from 55% to 75% of the problem."
Since IT personnel can’t avoid risk, they should instead learn to manage it, he says. One way to manage risk is to identify the vulnerabilities of the system. Tompkins says he hears about security assessments that reveal networks at risk because the IT personnel responsible for them haven’t applied all of the current security patches.
"Security is not an event. It’s a process. You can’t do it one time and think you’re safe two days from now," he says. "You’re going to operate systems with some degree of risk anyway. What’s critical is knowing the risks and making informed decisions about the potential impacts and consequences of doing or not doing things."
Uneducated employees pose great risk
Health care providers may consider the risk of viruses and unauthorized access by authorized users when they attempt to secure their computer systems. But have they considered the potential risk of not properly educating their employees about their responsibilities as system users?
"If you don’t tell people what is expected of them, how can you expect them to follow the rules?" Tompkins asks. Consider these points:
1. Employees who use the computer system should understand the general concept of security issues, he says.
2. Employees should be trained in the responsibilities that they and other common users have.
To accomplish this, Tompkins recommends holding security briefings for the users who have various levels of system access. For example, the first briefing may be for senior management. The second may be for mid-level management, and the third for day-to-day users of the system.
In these briefings, the users should be asked to sign a policy statement from senior management saying what is expected of system users. The statement, which should be general in nature, should outline their fundamental responsibilities, such as protecting their passwords and not sharing them.
Also, the statement should inform employees that they may be audited on both an announced and unannounced basis. Laws in some states require this notification.
"It’s best to inform people that they are going to be audited on their use of the Internet and the corporate system," Tompkins says. "They also should [be told in the briefing and on the statement] that using a personal computer at work doesn’t mean they own it or anything that’s on it. What’s on the computer belongs to the company. The company provides the resource and is paying employees to use it.
"Misuse of corporate resources may be a termination offense providing you have the right policies in place," he adds.
Tompkins always holds annual security briefings and has employees re-sign the policy statements. The signed statements should be a condition of giving new employees a user ID, too, he says.
The statements have settled authorization disputes for Tompkins several times. "I had some inside people who tried to exceed their authority in the system. They said they didn’t know they didn’t have access." To challenge their claims, he went to the human resources office and pulled the signed statements out of their files.
Additionally, Tompkins says some states require a front banner on computer screens that warns that use is limited to owner-authorized access. Some states also require that the banners warn that the system is protected by a security system.
"If you don’t have that notice, if employees do something wrong, you cannot take them to court because there wasn’t sufficient notice," he points out.