The Best Practices for Security Policies and Procedures
Every company has Policies and Procedures, but do employees ever see them? Read them? Know them? Let’s go through a quick checklist of what a good set of security policies and procedures should include, and how best to communicate it to your employees.
Controlling authorized access to your facilities is more important than ever for several reasons. Offices may have fewer people working, so there are fewer employees to help identify unauthorized personnel should they gain access to a facility. And people returning to an office environment are, in many cases, nearly strangers having been out of the office for the past two years.
Some of these individuals have encountered the most stressful times of their lives with personal illness, the loss of family and friends, financial hardships, family conflict, etc. The risk for potential workplace violence is higher than ever, with 2022 already the highest year on record for mass shootings.
Employees are issued a badge when they join the company, but are controls around badge use maintained effectively? Does every badge have access at all hours, every day? Does the employee that the badge is assigned to really need that level of access? Can it be limited to business hours, or specific days of the week?
What happens if the employee loses their badge? Is there a way to deactivate that badge the same day? Is there a written policy that prohibits sharing a badge, or badging-in more than one person at a time? How is the badge access program managed and monitored?
Once you enter the workspace, is access to computers controlled via password protection? A single unsecured computer can provide unlimited access to your network. This coupled with social engineering, a little research, and a determined bad actor can cause significant economic harm to your company. Required passwords should be robust in design, changed frequently (quarterly) and should be tied to limited network and software access by job classification and role.
Once on the company network, can employees access any internet website? Are social media sites that could expose the network to risk, blocked? Is access to private email accounts allowed? Can employees send work related files to their personal email accounts undetected? Does the IT Department intentionally send test emails to employees to determine if they will click on suspicious emails, click on a link or image, or try to get them to take an action that would potentially compromise their equipment, or the network? These “white hat” phishing attacks are an excellent way to teach employees how to be actively looking for suspicious content or email traffic.
What about use of company issued equipment in public areas? Are employees trained to never use public, coffee house or hotel Wi-Fi networks? Any of these can be easily monitored by a hacker. Once your company equipment is on that open-source network, the hacker can monitor every keystroke, every website you visit, and possibly intercept files being sent.
Using a company issued “hot spot” device and VPN is preferable. Using a company issued laptop while traveling is normal. Using it while on a plane or train might expose your sensitive or confidential information to nearby prying eyes; a simple filter, applied to the screen, can make it nearly impossible for someone to read your screen without being directly in front of it.
Traveling out of country? In some cases, the only “safe” way to do so is with a “clean laptop” that contains only the data you need, encrypted, and provides no access back to the company network should the device be compromised.
In some cases, depending on the country, your laptop will almost certainly be compromised. These devices, used for travel, should be destroyed upon return, or returned to the IT department for appropriate handling. When traveling, never use a thumb drive provided by anyone, for any reason. This remains the simplest means to compromise your equipment.
How and when are employees trained on these policies? At their initial point of hire? Any refresher training? Are all policies easily accessible on a company intranet site for reference?
Does the IT Department send out regular training bulletins, maybe accompanied by a brief test that demonstrates each employee has completed the required refresher training? Is there follow up if they do not?
Violence and Harassment Policies
Beside badges, passwords, websites, email and access control, what other policies and procedures are deemed most critical? A Zero Tolerance Policy for workplace violence, aggressive behavior or harassment must exist, and employees must be trained on it without fail. They also must be reminded frequently of the proper method to report any concerns.
If five employees all know that one employee has been “acting out” or exhibiting concerning behaviors, and they tell five coworkers, that does nothing to support the legal duty of care that the employer has, to provide a safe work environment. It also does nothing to support the employee who is experiencing distress, which is manifesting at work.
Employees must be trained to report to a central location, typically Human Resources or an Employee Hotline, so that one person, or a designated group of people (generally HR and Legal) are aware that an employee is perhaps “in distress.”
If those same five employees all reported to one Human Resources manager, or a hotline, that “Bob” was exhibiting concerning behavior while at work, then the organization would be in a better position to get “Bob” the help he needs while also ensuring that the work environment and employees are being adequately protected.
Recognizing the Signs of Trouble
What type of “signs” would be considered concerning? Overt acts of violence against coworkers; verbal threats of physical harm; talk of hurting oneself or others; talk of damaging the company; talk of serious family or financial issues and thoughts of suicide; a fixation on firearms discussed outside of expected circumstances (for example, if it’s hunting season and “Bob” tells his coworkers he purchased a new rifle, that may be less concerning than if “Bob” mentions several times this week that he purchased two handguns and a thousand rounds of ammunition, or that he has been spending all his free time at the firing range).
These are all concerning. And if an employee is on an “escalation continuum” towards a violent outburst, there exists the potential to assist them in achieving the required tension reduction to prevent that outburst. But, as you certainly know, a responsible party must be aware of the signs and be in the position to intervene sooner rather than later.
A well-designed employee education program should have these key elements:
1. Initial training
2. A central repository for finding Policies and Procedures
3. An in-service training, and testing, to demonstrate that the training was completed and was effective
4. Intentional probing to help educate and test existing employees
5. Frequent educational reminders in the form of bi-weekly or monthly bulletins on relative topics to keep the company Policies and Procedures top of mind, at all times.
With a well-designed safety education program, and better trained employees, you will be able to reduce the risks to your people and company, and possibly even save a life.
* * *
Joseph Murphy is the Senior Vice President, Commercial Sales/GenSec at Prosegur USA.
With nearly forty years of security services management experience Joe is a recognized professional in Atlanta’s physical security marketplace. Featured in a BOMA Insight magazine article titled “The Leaders Among Us,” Joe is actively involved in Atlanta’s security landscape and has published numerous articles in industry publications.
Joe has consulted with many Fortune 500 companies operating across the US and has serviced several thousand properties during his career. He has worked for such notable firms as Borg Warner Protective Services establishing the Olympic Operations Center for the 1996 Olympic Games in Atlanta. Today he leads Prosegur’s commercial services division in the U.S., serving as a Senior Vice President.
Joe is a long-term member of ASIS International, past president of the FBI’s InfraGard Program (8+ years), and was a founding board member of the Southeast Emergency Response Network (SEERN). He graduated from Fairleigh Dickinson University with a degree in Marine Biology, and is the father of two beautiful daughters adopted from China.