Are Your Security Rules Creating Risk?

We have rules for a reason: to make things better and safer for everyone. But what if those same rules, created to help, are actually making things worse?

A poorly written policy, and a team that is not educated and energized about those policies, can put you and your team at risk. This happens when everyone focuses more on complying with a rule than on keeping the business secure.

Consider the following situation:

Imagine that you needed to fire an employee for not doing their job. First you tried to rehabilitate them, but it was clear nothing was working.

Next, you set up a meeting with yourself (their manager), HR, Legal, and the employee. You give them the news and then ask them for any work product they created. (You had let employees bring their own laptops to work, so much of their work product was on their personal machines.)

The employee refuses.

Why?

They respond, “According to the NDA I signed, I am not to discuss my employment, including any documents, with any employer past or future”.

HR turned to Legal for some insight. Legal responded that the employee was technically correct. The employee walked out of the room without sharing a single document.

This type of problem might seem a little far-fetched, but if you aren’t careful, policies can (and will) be used against you and your management.

This NDA policy might cost this business valuable proprietary work product. What if following a policy ended up in a ransomware attack? What if it slowed down response to a critical data breach?

The problem with a lot of policy—including security policy—is that it does not communicate why an employee should even care. And oftentimes, these policies lead to a culture of distrust and dissatisfaction across the team.

What can you do about this?

Get your team to understand WHY security is important.

Rather than simply telling them they need to do specific things, like change their passwords or not keep sensitive files on their desktop, why not get them to see how they are putting their data at risk? If they understand why their habits or actions put them at risk, they will see a better path towards a solution.

Give them training that makes sense to them.

Often, training is simply lip service. I wish this weren’t true, but most of us (there are a few exceptions) do not attend training days as a day to learn. Most often, people pay just enough attention to pass the test at the end. It’s basically in one ear and out the other once they walk out of the training session. Get them to actually learn something. Training needs to be an experience, not just a place where they are told what not to do.

Create policies that work with your team.

There is no one-size-fits-all compliance program. And if you do not communicate compliance in a way that helps your team understand why they are following the rules, you will see lip service to the rule (or even worse, people following bad rules) rather than people doing the right things.