How Many Strikes Before a Risky Employee is Out?
The five employees were to be terminated for their actions. Strong, swift action by the hospital sends a stiff message to others working there: Follow the policies, or lose your job. This is a tough position taken by the hospital, but -- in my opinion -- the only option. There is no grey area when it comes to the right side and wrong side of security and privacy.
My question to the financial services industry is: Do we have grit to take action against bad behavior by our employees? Those folks in human resources and information security positions know what I'm talking about. Think about it; you know of at least one "bad" behavior incident at your institution. What happened when the incident was discovered? Did your institution back up its policies with action? Does your institution monitor what employees are doing online? Acceptable use policies are at the top of the list to start promoting to employees. The bottom line is: Would your organization take decisive disciplinary action to stop bad behavior?
The real hard fact is that it's not easy to monitor and police what your employees are doing, but it has to be done. A survey conducted recently by the American Management Association and the ePolicy Institute shows the percentage of companies that terminated employees for violating stated policies on the following:
- The Internet -- 26%
- E-mail -- 26%
- Cell phones -- 6%
- Instant messaging -- 4%
- Text messaging -- 3%
- Social networking -- 2%
- Video sharing -- 1%
- Personal blogs -- 1%
- Corporate blogs -- 1%
The highest number on that list is only 26 percent. This means another 74 percent of employees at those companies did something bad and didn't get fired. I sure wouldn't want to be working in the information security department at those companies. Their jobs are harder because their companies aren't backing up the security policies in place to prevent bad behavior.
One example of the kinds of things that make an information security department's job harder: Increasingly, hackers are putting nasty malware, spyware and keyloggers on the kind of sites on the list of "not to be looked at during work." A paper presented at Harvard's Workshop on the Economics of Information Security earlier this month revealed the hidden dangers that exist on these sites. One of the paper's authors, Dr. Gilbert Wondracek, says the research analyzed 260,000 websites hosted on 35,000 domains to see which hosted malicious software. Wondracek says the research showed about 3.23 percent were "booby-trapped" with adware, spyware and viruses.
So what amount of grit does your institution have when it comes to backing up its security policies? Would your senior management make a decision to get tough on bad behavior in order to protect customer data and systems of the institution, or would it wimp out and look the other way?
Think about your answer. It's not just jobs at stake here; it's the integrity and security of entire organizations.