The Best Practices for Security Policies and Procedures

Once you enter the workspace, is access to computers controlled via password protection? A single unsecured computer can provide unlimited access to your network. This coupled with social engineering, a little research, and a determined bad actor can cause significant economic harm to your company. Required passwords should be robust in design, changed frequently (quarterly) and should be tied to limited network and software access by job classification and role.

Once on the company network, can employees access any internet website? Are social media sites that could expose the network to risk, blocked? Is access to private email accounts allowed? Can employees send work related files to their personal email accounts undetected? Does the IT Department intentionally send test emails to employees to determine if they will click on suspicious emails, click on a link or image, or try to get them to take an action that would potentially compromise their equipment, or the network? These “white hat” phishing attacks are an excellent way to teach employees how to be actively looking for suspicious content or email traffic.

What about use of company issued equipment in public areas? Are employees trained to never use public, coffee house or hotel Wi-Fi networks? Any of these can be easily monitored by a hacker. Once your company equipment is on that open-source network, the hacker can monitor every keystroke, every website you visit, and possibly intercept files being sent.

Using a company issued “hot spot” device and VPN is preferable. Using a company issued laptop while traveling is normal. Using it while on a plane or train might expose your sensitive or confidential information to nearby prying eyes; a simple filter, applied to the screen, can make it nearly impossible for someone to read your screen without being directly in front of it.

Traveling out of country? In some cases, the only “safe” way to do so is with a “clean laptop” that contains only the data you need, encrypted, and provides no access back to the company network should the device be compromised.

In some cases, depending on the country, your laptop will almost certainly be compromised. These devices, used for travel, should be destroyed upon return, or returned to the IT department for appropriate handling. When traveling, never use a thumb drive provided by anyone, for any reason. This remains the simplest means to compromise your equipment.

How and when are employees trained on these policies? At their initial point of hire? Any refresher training? Are all policies easily accessible on a company intranet site for reference?

Does the IT Department send out regular training bulletins, maybe accompanied by a brief test that demonstrates each employee has completed the required refresher training? Is there follow up if they do not?.

What type of “signs” would be considered concerning? Overt acts of violence against coworkers; verbal threats of physical harm; talk of hurting oneself or others; talk of damaging the company; talk of serious family or financial issues and thoughts of suicide; a fixation on firearms discussed outside of expected circumstances (for example, if it’s hunting season and “Bob” tells his coworkers he purchased a new rifle, that may be less concerning than if “Bob” mentions several times this week that he purchased two handguns and a thousand rounds of ammunition, or that he has been spending all his free time at the firing range).

These are all concerning. And if an employee is on an “escalation continuum” towards a violent outburst, there exists the potential to assist them in achieving the required tension reduction to prevent that outburst. But, as you certainly know, a responsible party must be aware of the signs and be in the position to intervene sooner rather than later.

A well-designed employee education program should have these key elements:

1. Initial training

2. A central repository for finding Policies and Procedures

3. An in-service training, and testing, to demonstrate that the training was completed and was effective

4. Intentional probing to help educate and test existing employees

5. Frequent educational reminders in the form of bi-weekly or monthly bulletins on relative topics to keep the company Policies and Procedures top of mind, at all times.

With a well-designed safety education program, and better trained employees, you will be able to reduce the risks to your people and company, and possibly even save a life.

* * *

Joseph Murphy is the Senior Vice President, Commercial Sales/GenSec at Prosegur USA.

With nearly forty years of security services management experience Joe is a recognized professional in Atlanta’s physical security marketplace. Featured in a BOMA Insight magazine article titled “The Leaders Among Us,” Joe is actively involved in Atlanta’s security landscape and has published numerous articles in industry publications.

Joe has consulted with many Fortune 500 companies operating across the US and has serviced several thousand properties during his career. He has worked for such notable firms as Borg Warner Protective Services establishing the Olympic Operations Center for the 1996 Olympic Games in Atlanta. Today he leads Prosegur’s commercial services division in the U.S., serving as a Senior Vice President.

Joe is a long-term member of ASIS International, past president of the FBI’s InfraGard Program (8+ years), and was a founding board member of the Southeast Emergency Response Network (SEERN). He graduated from Fairleigh Dickinson University with a degree in Marine Biology, and is the father of two beautiful daughters adopted from China.