Enterprise Ireland
6th July 2004

eSecurity workshop - the Importance of an IT Security Policy
"It's critical that you have some form of IT usage policy in place," explains Andrew O'Kelly, technical director for LAN Communications. "It's very important that you try to inform your staff about their responsibilities, outlining the 'dos' and 'don'ts'. They may be blissfully unaware about how what they do can impact the company's IT security. It's no good coming back and blaming them later if you haven't educated them in the first place."

There are a number of ways of tackling the problem, but if you need a solid template covering many of the basics, then download the 'Internal IT Security Policy and Procedures' guide on the Enterprise Ireland website.

In the meantime, the experts' advice below offers an overview of the best ways to tackle some of the leading IT security policy issues.

  1. Explain to your employees what you are planning to do. The more 'buy-in' you have, the easier implementing certain security measures will be. "You have to educate the users on these issues and include them in the decisions you are about to make," says Ken O'Driscoll, technical manager at IE Internet. "To implement a coherent IT security policy requires the cooperation of the users. If you are a small business trying to impose a draconian policy on users they will find ways to circumvent it."
  2. Tie any IT policy in with existing employee conduct policies. "Try and match it in with the existing HR function," comments O'Kelly. "What is key is that you don't end up with a policy that is unenforceable. If it has no teeth it will not work." O'Driscoll adds: "An IT security policy is not an island. It has to sit alongside other procedures."
  3. Keep it simple. Complex security measures reduce productivity and are often ignored by employees. O'Kelly says that over-the-top security measures will put everyone off. "In the end you have two things pulling in opposite directions: usability versus security. If you introduce a system with lots of layers of password security and Internet restrictions you will find it very difficult to enforce and productivity will drop." O'Driscoll agrees: "Convoluted things confuse people. If they are confused, or do not see the value of something, they will not adhere to it. I remember working in a bank where they had decided, for security reasons, to disconnect everyone's email arbitrarily. They did it without telling people though. Pretty soon, employees brought in their own modems and hooked them up to their PCs, which created a huge security hole. By keeping [employees] in the dark, they reacted badly."
  4. Security has to be a high profile topic. A combination of highly visible posters, regular briefings, email updates and reminders all help to keep employees focused on the security basics. "It's no good just putting the IT security policy in the new employee information pack," says O'Driscoll. "The people in IT need to actively make employees aware of security and its importance." O'Kelly adds: "Just make sure you don't use scare-mongering tactics, since it rarely works. Feel free to educate your employees about the IT environment and security but remember, you also shouldn't have to apologise for introducing security measures."
  5. Usernames and passwords. You must strike a balance between what works and what becomes too cumbersome. "For a small company the first thing is to avoid using generic passwords," O'Driscoll explains. "The number of times that I have found the main system password set to 'password' is shocking. Don't use plain English words, personal names -- from pets to loved ones -- or phone numbers. Try using a mix of letters and numbers or other symbols. Just make it easy for employees to remember and they won't write it down." According to O'Kelly: "A simple first step is making sure everyone has their own password. Some small companies have an open policy where the system password was set up years ago and has never changed. Try giving people a PIN number for instance, something simple. People will forget anything too complicated and will end up writing it down and sticking it to their PCs."
  6. You do need an acceptable usage policy for email. Like the phone, email is a necessary tool for most employees, and rules regarding its use need to be put in place. Email is now the main form of communication between businesses, and while it may not look like it, it is the equivalent of sending correspondence on your official company stationery. This is all the more reason to ensure that what is being sent around the company, and externally, is acceptable. The number of cases of businesses being successfully sued by employees over inappropriate 'jokes' or images circulated via the company email system is on the rise.
  7. Restrict Internet access. The only way to ensure that employees are not abusing the Net is to restrict access to certain kinds of sites. O'Kelly explains: "If an employee downloads material to their PC -- music, porn or videos -- it is the company's IP address that is recorded. That means it's the company that will get sued or taken to task for pirating copyrighted material or downloading illegal material. It's easy enough to restrict access to certain kinds of sites using site categorisation tools."
  8. Don't forget laptops. Many small companies secure their internal PCs and servers but fail to extend that security to laptop computers, which are increasingly being used by some employees as their main system. O'Driscoll says: "You really have to be careful about how employees use laptops. Most laptops come in 'Steal Me' bags, so to speak. Since everyone knows what's in them, they are just begging to be nicked. The truth is, though, that a lot of laptop information is not secured on the laptops the same as PCs."
  9. Don't be afraid to use tools to monitor what is happening on your systems, but there can be a backlash. "If someone is doing their job, monitoring is not the best solution," O'Driscoll believes. "People get very worried about being watched all of the time. If you are concerned about the Internet then limit its use or turn it off." If you do not want to monitor your employees, you can still inform them that, as the owner of the IT they use, you reserve the right to monitor the usage of it and the content. Doing this is often enough to deter abuse of email and Internet facilities.
  10. Enforce your IT security policy. The rules have to be backed up and action taken if they are broken. This should be tied in with the HR function and existing disciplinary measures -- enforcement is not an IT manager's task. "It's very important to enforce your policy," O'Driscoll concludes. "Make sure it is tied in with the standard disciplinary procedures in your company. Look at it like this: an employee walking by a desk where they see an inappropriate image on a PC screen is no different from them finding something inappropriate on the photocopier. It's the same problem, just a different source. The reaction, therefore, should be the same."
  11. For more information, see the Enterprise Ireland how-to guide on 'Internal IT Security Policy and Procedures'.
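A small check that applies the password rules quoted in point 5 above, as an added example (not from Enterprise Ireland or the article): it rejects the default 'password' and other plain English words, personal names, phone numbers, and anything without a mix of letters and numbers or symbols. It assumes constructed word and name lists in place of a real dictionary, and an eight-character minimum the article does not state.

```python
import re

# Constructed stand-ins for a real dictionary and a list of staff/pet names (assumption:
# a production check would load a full word list and the employee's own details).
COMMON_WORDS = {"password", "welcome", "summer", "secret", "admin"}
PERSONAL_NAMES = {"rex", "fido", "mary", "john", "sarah"}
MIN_LENGTH = 8  # not stated in the article; assumed as a sensible floor

# Digits with optional separators only, e.g. "086 123 4567" or "+353-1-234567".
PHONE_LIKE = re.compile(r"[\d\s()+-]{7,}")


def check_password(candidate: str, personal=()) -> list[str]:
    """Return the policy rules the candidate breaks (an empty list means it passes).

    Rules follow the article: no generic/default or plain English words, no
    personal names, no phone numbers, and a mix of letters with numbers or symbols.
    'personal' lets the caller add names specific to one employee (pets, family).
    """
    lowered = candidate.lower()
    names = sorted(PERSONAL_NAMES | {n.lower() for n in personal})
    problems = []

    word = next((w for w in sorted(COMMON_WORDS) if w in lowered), None)
    if word:
        problems.append(f"plain English word ('{word}')")

    name = next((n for n in names if n in lowered), None)
    if name:
        problems.append(f"personal name ('{name}')")

    # Whole string is digits/separators and carries at least seven digits.
    if PHONE_LIKE.fullmatch(candidate) and len(re.sub(r"\D", "", candidate)) >= 7:
        problems.append("looks like a phone number")

    has_letter = any(c.isalpha() for c in candidate)
    has_other = any(not c.isalpha() for c in candidate)
    if not (has_letter and has_other):
        problems.append("no mix of letters with numbers or symbols")

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Fido2004", "086 123 4567", "Tr4in-Mug!"):
        print(repr(pw), "->", check_password(pw) or "ok")
```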