How to create a security policy that sticks

 Elizabeth Millard, The Daily Record Newswire

When it comes to data security, experts often advise companies to put an employee security policy in place, and to have employees sign the document to prove they’ve read it and understood their responsibilities.

But let’s face it — most likely, the associates and partners in your firm are too busy reading client contracts to pore over the details of a boilerplate agreement that’s grouped together with other HR paperwork.

Yet security policies can be a vital part of keeping a firm’s data secure, and providing a weak policy is an opportunity missed. Here are some tips for what to include in your firm’s policy, and how to include enforcement in the mix:

Don’t use a template: There are many security policy templates available, but resist the temptation. The most effective policies are those that cover specific technology used by the firm. Also, be sure to revisit your security policy every couple years to make sure it still covers all of the company’s technology assets and procedures.

Write in real language, not IT or legal speak: Even if your firm frequently deals with complex contracts, that doesn’t mean everyone at the office has a legal degree. Don’t skimp on legal protection, but definitely create a simplified version that can be understood by everyone from the intern to the senior partners. Sometimes, this requires two separate versions; be sure to have employees sign both.

Be particularly clear on password management: Bad password management can bring a company down quickly, believes Martin Thomas, co-owner of St. Paul-based Lotus + Lama, a computer consultancy and Web design firm. Make sure articulate password policies to employees in a way that’s clear and understandable.

Include information on training: A security policy is important, but it’s only one small part of a larger strategy. A firm should also include security training on a regular basis, and let employees know that they’re expected to keep that training fresh. Gary Brown, vice president at Synnefo Technology Solutions, says, “Once someone has been here for three or four years, we expect them to go back through that security training so they’re up on the latest information.”

Detail disaster specifics: As part of a security policy and subsequent training, be sure to articulate what might happen if disaster strikes. What if there’s a breach that takes down the whole system? What if an associate’s laptop is lost or stolen? Go through real-life scenarios that help employees understand the process involved in getting the company back to health.

Create enforcement consequences, and follow through on them: Security policies are useless if no one follows them. Spend time thinking about policy compliance and what penalties for non-compliance might be. This will likely involve working with HR to set sanctions for carelessness and malice.

Few people enjoy reading security policies, much less writing them, but making the effort to create a comprehensive, meaningful policy for your firm could provide a major boost in data protection.