Following on from our recent blogs on how public sector organisations are dealing with security, and on how social media use could open the door to security breaches and brand damage, we wanted to share some thoughts on how to put together a robust IT security plan. We have condensed it down into three steps.
Step 1: Evaluate who and why you are communicating with and by what means
A good first step is to understand who your teams are talking to (suppliers, partners, the public) and why, and then to work out how they are communicating with them. If you are adopting a 'Bring Your Own Device' policy, the organisation's IT security policy must allow for appropriate use of these devices and set out what is and is not permitted on them. There must also be a plan for what happens to the corporate data on a personal device when the employee leaves the organisation: can it be wiped or retrieved, and who is responsible for doing so? In our research, 50% of public sector organisations said they were concerned that social media channels could pose significant risks to their IT security.
Step 2: How far reaching is your security policy?
Has it been updated to cover all the social media platforms your organisation uses, employees' own devices and third parties? What happens if an email is sent in error or a disgruntled employee tweets from the corporate account, and what procedures are in place to deal with this? And are your credentials secure? For corporate social accounts and the website, that means a strong, unique password for each account, two-factor authentication wherever the platform supports it, a clear record of who holds access, and revoking that access promptly when someone leaves or changes role. Changing a password after a suspected compromise or a staff departure matters more than changing it on a fixed schedule; current guidance (for example NIST SP 800-63B) no longer recommends routine rotation for its own sake.
How visible is your security policy to your employees, and how often are they updated on it? We would recommend at least twice a year. Consider how quickly things change in the technology world: an untrained employee is a security risk for the whole organisation. What is acceptable to an individual may not be acceptable to the organisation, and understanding that there is a difference between the two, especially when it comes to social media, is extremely important.
Step 3: What are the consequences of getting it wrong?
From our research we know that if things go wrong on the IT security front the consequences are far reaching: a third of organisations cited reputational damage, followed by 20% worried about the financial consequences and 18% wary of policy or compliance repercussions.
There needs to be a plan: how would you deal with an inappropriate email or an ill-judged tweet? If there are policies and a plan, then hopefully you will never need to enforce them; if there is a problem, you are ready. Forewarned is forearmed.