Security survival tips for the Web 2.0 world

12.03.2007
Corporate response to the influx of Web 2.0 technologies is as varied as companies themselves. Here are some tips for developing security policies and practices that best fit your company, from restrictions on social sites to rules on mini devices and instant messaging. Plus, we offer expert tips for communicating these new Web 2.0 policies to workers.

How to: Guard corporate secrets in a Web 2.0 world

There's no surefire way to completely eliminate the risk of information leakage in a blogging environment. Due diligence requires an approach that involves defense, detection and deterrence:

-- Re-evaluate whether you need to update your antivirus and malicious-code protection for Web traffic. Consider a combination approach recommended by Gartner Inc. that involves antivirus software, URL filtering, application controls, Web site reputation services and safe search technologies.

-- Establish a blog oversight committee -- a group of fellow-employee bloggers who are committed to promoting blogging within the company and making sure the company's interests are served.

-- Update acceptable-use, ethics, trade-secret and other employee policies to deal with blogs and community sites like MySpace and YouTube.

-- Consider whether to deploy content monitoring and filtering technology, and update your URL filtering tools.

How to: Protect your network and your data from mini devices

One of the biggest threats to network and data security today comes from mini devices. Ironic? Yes. Insurmountable? No. Start with these action items to deal with this threat:

-- Establish a corporate policy that specifies who can use which devices and under what circumstances.

-- Take a look at what you have. Account for corporate-owned devices, and determine whether workers are using personal devices at work. Evaluate whether your antivirus software can adequately protect your network from malware coming from those devices.

-- Back up policy with technology. Allow only corporate-owned devices onto your network. Consider using applications that block nonauthorized access to USB ports. Implement sound data-protection policies that include the encryption of sensitive data, so if a mini device is lost, the data isn't compromised. If needed, upgrade your software to block malware from mini devices.

How to: Manage your security risk from instant messaging

Most organizations aren't totally shutting out IM communication in the workplace. Experts offer this advice for weighing the risks and implementing security policies:

-- Before imposing an IM ban, examine business uses for the technology and weigh the trade-offs.

-- In the early stages of IM adoption, consider incorporating IM into the established rules for e-mail usage, and follow e-mail best practices.

-- Determine immediately whether industry regulation or internal policies mandate IM archiving, and plan accordingly.

-- Immediately suspend IM messages that run afoul of industry regulations, and notify compliance officers or attorneys.

How to: Get the word out to your staff about information security

All the technology in the world can't keep your information safe if your workers aren't clued in to company policies. Here are the top tips for effectively communicating information security to workers:

-- Know your audience and consider the most effective media for getting a particular message across to different crowds. Baby boomers prefer straightforward communication, such as well-written memos, while Gen Y workers prefer messages that are quick and to the point.

-- Interactive communication techniques, such as video games and comical multiple-choice quizzes, can be engaging while providing managers with a means of assessing their effectiveness.

-- Top-down edicts on corporate security policies don't resonate well with younger workers. Annual broadcasts aren't frequent enough and are quickly forgotten.

-- Try to make newsletters or e-mails colorful. For instance, a set of "Did You Know?" bullet points can be both entertaining and educational.

-- In face-to-face meetings with workers, explain not only what is being done (for example, desktop encryption) but why it's being done. Be sure to allow employees to ask questions and offer feedback. This not only helps them feel that their opinions matter; managers can also draw on their ideas to improve policies and operations.

-- If you offer workers information security recommendations or warnings that can be applied outside the workplace -- on the technical risks of sharing iPod songs on a peer-to-peer level, for example -- employees are more likely to pay attention to policies that apply at work.

-- Having a communications specialist or business executive discuss the importance of information security can convince employees that the topic is a business issue -- and not something they normally equate solely with IT.