Management's Pitfalls in Cyberspace: A Primer
Williams, Michael A., Bequai, Christine A., SAM Advanced Management Journal
Security of information technology (IT) is a multi-billion dollar annual industry. While there are now many technologies in the IT security arsenal, frequently lacking is management's will to implement these technologies. In some instances, the problem is a lack of understanding and appreciation for their role. In fact, until the last several years, IT security was rarely discussed in the classrooms of our business schools. Failure to cover the issue in the business school curriculum is a luxury we can no longer afford.
The Need for Cyber-Security
The Ancient Greeks spent 10 years at the gates of Troy, to no avail. Even mighty Achilles failed to breach its defenses. Yet, the wise Ulysses, armed only with his intellect, and knowing the arrogance and security failings of Troy's rulers, brought that city to its knees. Today, no less than in antiquity, no organization, large or small, is safe from the threat of the insider. The dishonest or disgruntled employee or contractor may use the organization's IT security failings to undermine its viability, even its survival.
Management, however, is not without recourse. Here is a sampling of some IT security basics that can be implemented.
A. Written workplace policies and procedures. Because the current IT workplace is the habitat of diverse classes of employees--at-will employees, contractors, temporaries, licensees, part-time workers, and much more--written IT security policies and procedures are a necessity to ensure that the workforce conducts itself in a lawful and productive manner. History has taught us that simple security policies and procedures, when enforced, can go a long way toward safeguarding an organization from woe.
These workplace policies and procedures need not equate to the works of Aristotle. They need to be clear, concise, and disseminated to the workforce, with instructions requiring employees and contractors to sign an acknowledgement that they have received a copy and will read it. The employer has several options for notifying employees about the written IT security policies and procedures, including but not limited to the following: the employee handbook; a document dealing only with security issues and rules (this will be especially necessary when dealing with independent contractors); and language in contracts with other organizations accessing its IT system.
Regular oral and written reminders should be given to reinforce the importance of IT security and the need for the workforce to abide by the workplace policies and procedures. They should be enforced with sanctions whenever the need arises. They should make it clear that abuses on company time, equipment, or a client's worksite could constitute grounds for termination and related legal action. While criminologists debate the efficacy of incarceration, students of the workplace have long concluded that workplace rules and regulations, enforced when necessary by sanctions, are effective. Cyberspace is no exception.
B. Ensuring compliance. Unfortunately, a substantial number of private and public organizations have a limited grasp of the growing legal maze that has come to govern every facet of their daily operations. The courts have made it clear that ignorance of the law is no defense.
A company's workforce can increasingly expose it to both civil and criminal sanctions, not to mention the ridicule of the mass media. Employee-related abuses, whether by design or ignorance, can run afoul of the law, thereby exposing the company and its management to potential legal liabilities. Financial institutions, within and outside the U.S., have painfully learned that their workforce can involve them in serious and costly legal entanglements. The Arthur Andersen story is but one of many sad cases.
Here are a few of the legal concerns management needs to beware of in the cyberspace environment: