Wednesday, June 28, 2006

Companies Start Holding Employees Responsible for Portable Device Security

Via WallStreetJ -

The burden of lugging around laptop computers for work around the clock is getting heavier as companies place more of the responsibility of guarding against theft and other security lapses on their employees.

A number of companies, including Aetna Inc., Fidelity Investments and the U.S. unit of ING Groep NV, are revising their policies about how employees should handle confidential data stored on computers. Many employees are facing new restrictions on who can take confidential records out of the office and are receiving special training on how to keep data secure. Workers found violating security policies are being disciplined, or even dismissed.

Boeing Co. now requires laptops to be physically locked with a cable to a stationary object at all times, whether they are in offices, conference rooms or a car, so that no one can walk away with them. The aerospace giant has stepped up enforcement of a rule that confidential data must be accessed only on company servers, not stored on laptops. Boeing officials have started conducting random audits of laptops to check for unauthorized or unsecured files.

Some companies, including Aetna, the big health insurer, have begun telling employees that they can't use their own portable digital assistants such as Palm Pilots and BlackBerrys on company computers without permission. Other companies are disabling extra USB connections on workplace computers to make sure employees can't attach those accessories. And some even ban MP3 players in the workplace, security experts say. All these devices may lack encryption, and can be used to smuggle out confidential data.

"Employees are the weakest link" in securing data, says Jon Oltsik, senior analyst for information security at Enterprise Strategy Group, an information-technology industry analysis firm.

Before traveling on business, Marian Mays, payroll operations manager in Boeing's Seattle office, has started having her laptop examined by the company's security personnel to make sure she doesn't have any sensitive data stored on it. Once she is on the road, logging on to the company's server requires multiple passwords. "You just have to deal with it," she says. "We get creative with the passwords."




Wait a second! Perhaps I am confused... but how is this news? You mean companies are just now getting around to "disciplining or even dismissing" workers found to be violating security policies?

I think it is news that they haven't been doing this all along... someone write that article.

If any multimillion-dollar company hasn't been doing this for years... they have a problem, plain and simple.

A policy without teeth to back it up is useless. Security isn't just about closing ports or upgrading software. Policy is a huge part of security. It controls the human factor.

It is impossible for a company to come down on any employee if no policy is in place for that security issue.

Moral of the story: refine and build up your corporate security policy. Then make sure you follow up with good teeth on those employees who do not follow policy.
