Developing a security culture within an organisation is about encouraging staff to respect common values and standards towards security whether they are inside or outside the workplace.
The awareness of security amongst staff – their vigilance when conducting everyday routines, for example – is an essential layer of an organisation’s protection and staff training, regular drills and internal communications play an important part. But so does the manner in which a business reinforces its words through its actions.
If an organisation wants its employees to act appropriately then it must provide an environment that sets an example. For example, if staff are required to keep paperwork securely locked away but they are not provided with sufficient storage (or broken locks are never repaired) they may question the management’s commitment to security.
But security culture is about more than facilities and procedures, it is also about creating an open, trusted environment that is focused and proactive about reducing risk for everyone’s benefit.
Senior management support is vital in order to demonstrate the value placed on security. If the Chief Executive is seen not wearing a pass it sends a message to others that management do not take the policy seriously.
Line management relations
Staff with direct line management responsibilities are in prime position to influence attitudes amongst colleagues and address any behaviours of concern amongst their staff.
Through their regular contact it should be a part of their duties to ensure their teams are acting appropriately and ensuring that data handling standards are maintained – even with staff working in different locations. It might even be added as part of each line-manager’s job description.
Including individual security behaviours in any performance appraisal process ensures that all staff are assessed in a transparent and regular manner.
Employees who work in more sensitive positions should be asked to complete an annual security appraisal form to determine any changes in their personal and financial circumstances which may pose a risk to the organisation’s security. An example form is available in the annex of Ongoing Personnel Security, available from www.cpni.gov.uk.
There are personal or private circumstances which may impair an individual’s judgement or performance (for example, a relationship breakdown or financial difficulty). Where possible, organisations should offer an environment in which employees can discuss problems in confidence and find out about where and when support can be provided (e.g. cases of illegal drug use or personal debt). If staff feel compelled to conceal their concerns, it may encourage some to become disaffected with their employer and possibly more susceptible to manipulation.
In larger organisations a hotline or email account could be offered for staff to report, anonymously or otherwise, any suspicions or actual incidents of illegal, unethical or improper conduct by their colleagues, such as bullying, failure to adhere to security procedures, fraud or theft.
Providing a reporting hotline does raise a number of legal issues that need to be resolved. Organisations should seek legal advice first.
Responsible handling of documents
Sensitive, confidential or commercial documents should be appropriately marked with clear instructions about handling when outside of the workplace. Staff should be fully aware of their responsibilities when in possession of such documents, for example never working on them in public, never leaving them in a parked vehicle and making use of any safe or safety box facility when staying in a hotel.
Clear desk and work areas
A clear desk policy requires documents and other items, including keys and removable objects of value, to be locked away when the office is unattended, particularly at the end of the working day. This should include any papers left on printers, photocopiers or in meeting rooms. Valuable or sensitive documents, in particular, should not be left lying around or on display at any time.
Some of the material that businesses routinely throw away can be of use to a variety of groups including business competitors, identity thieves, criminals and terrorists. Staff names and addresses, telephone numbers, product information, technical specifications etc., can all be of value to such people.
Valuable paper documents may require shredding, incinerating or pulping. In addition, a central point for returning old IT equipment (obsolete laptops, old media disks, flash drives and so on) should be provided so that all data can be safely removed.
The importance of security within an organisation should be emphasised through regular communications with staff. This might be in the form of posters, leaflets and intranet, but should also include face-to-face activities such as training programmes, management forums or programme of talks and workshops. (See the section on Staff training and awareness which includes downloadable posters and templates.)