Seven steps to improving IT security among staff

If you’re serious about creating awareness among your workforce of the security risks that healthcare providers face, Dominic Saunders, senior vice president of the NETconsent business unit at the London office of Cryptzone, a technical security company based in Gothenburg, Sweden, offers this seven-point action plan:

• Action 1: Rewrite your IT security policies and procedures. Use language that will actually be understood, not just language that impresses an auditor. Spell out the risks the organization faces for non-compliance.

• Action 2: Consider changing the way you introduce security as part of the induction process. Smaller, more manageable documents are easier not only for the recipient to grasp, but also for the organization to review and update. In addition, by drip-feeding the information, people are more likely to find time to read it and build a deeper awareness of security issues while the fundamentals are reinforced.

• Action 3: Review and update processes regularly, and that includes regularly reminding your colleagues. Just because John in accounts had a security briefing when he joined the company 10 years ago doesn’t mean he knows what the risks are today. Educate staff regularly to make sure they still understand what’s expected of them, especially when things change.

• Action 4: Consider using an automated system to deliver policies and associated documentation directly to employees at their workstations. This makes the whole process manageable for both you and your employees.

• Action 5: Introduce testing, either for all users or for a proportion of them. This will help to identify where policies aren’t understood so they can be rewritten to make sure everyone knows what they are doing and, as importantly, why. You’ll also be able to identify weaknesses and therefore focus training effort on the areas that need it.

• Action 6: Get your employees to agree in writing to key policies so you know that they’re on board. As part of the process, include the consequences if they break the rules. That said, make sure that they understand that genuine errors are expected and should be reported, not ignored or covered up.

• Action 7: Take action against offenders. If people see policies being enforced consistently at all levels within an organization, and where appropriate disciplinary action taken against those who willfully neglect corporate rules, they are more likely to take notice of security information. When employees realize the circumstances and the consequences of security policy violations, for themselves as well as for the organization, it nudges them to choose the right course of action and perhaps be more prepared to encourage others to conform to standards of behavior within the acceptable governance framework.