By Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group
Security is something that we all think we understand. So why is it so hard to attain good security? I think it’s because most people believe they have an understanding of the threats in their environment. I grew up in a big city. I always lock my car. My wife grew up in Rochester – years ago she never thought about locking the car. This simple example reflects the informal “training” we each received growing up in our respective environments. Threats that may exist in one place don’t necessarily exist in another.
I think that’s where people get tripped up. It’s why computer security is so baffling to so many. And it’s why it’s so important for the IT organization to put a great deal of effort into security awareness and training. Otherwise, it is very easy for people to make simple mistakes that could result in very serious security breaches.
Consider the consequences: Under regulations like the Health Insurance and Accountability Act (HIPAA), or industry standards like the Payment Card Industry Data Security Standards, organizations are responsible for protecting the personal data of individuals. Any compromise of the data could lead to embarrassing headlines, fines, or even prosecution of the organization’s principals. Therefore, it’s essential that everyone in the organization understand the sensitivity of the information they’re dealing with, and know the proper procedures for handling it.
Awareness is key: Regular communication to the members of the organization about security policies and best practices is a must. To be effective, the communication should be repeated often, using as many different communication vehicles and methods as possible, such as posters, emails, web postings, and social media, says John Folkerts, Director of Xerox Information Security. He says, “Security training done well turns every employee into a member of the virtual security team. We try to engage each employee at Xerox with required training, periodic communications, and reinforcements from senior management.”
A good security program should also make more focused training and employee education available. For example, Sue Zak, Manager of Xerox Technical Engineering Services & Learning, says, “We provide a security learning path to ensure our development teams understand key security concepts, secure coding principles, and the value of examining security risks early on in product development.”
That’s a start on a few ways to keep your employees informed. The more they know, the better. What are your thoughts?
You can find more information about Xerox and security at our website: www.xerox.com/security
Hi Larry,
Xerox ACS Security assessments help firms by taking a look at architecture, processes, and policies to plug security holes. The assessment, in conjunction with training, periodic communications, and product security, may help companies deal with security issues, both internal and external.
Dinesh, good add. This is an excellent way for companies to measure their current state, initiate improvement actions, and generally underscore the importance of information security behaviors among the rank and file.