A security consultant was conducting an audit at a local company when it was discovered that employees had been exchanging large numbers of pornographic images by e-mail, and the attachments were clogging up the mail server's hard disk. The company's ICT policy forbade the exchange of unofficial e-mails containing attachments and stated that the offence was dismissible. The Chief Information Officer (CIO) was informed, and he and the consultant agreed to circulate an e-mail warning everyone that personal mailboxes would be checked for unofficial e-mails and attachments. The advance warning was intended to prompt immediate deletion of the material, and the response was typical: employees deleted the offending attachments at once, and available disk space increased by 50%.
The audit nevertheless continued, and only one employee was found with pornographic attachments still in his inbox: the CIO. At his dismissal hearing he was asked why he had not deleted the images like all his colleagues. His response was that he had not imagined his own e-mail would be checked. This was a strange, but not unusual, response.
A similar response came from the busy CEO of a medium-sized company. His job entailed constant travel to branches around the country, so he found it convenient to share his access credentials to the company's systems with his secretary, even though doing so was a dismissible offence. This was discovered during a security audit and he was promptly fired. His defence was the same as the CIO's: he had never thought the ICT policy applied to him.
These two cases illustrate that computer security is also a function of the Human Resources (HR) department of any organization. Technical controls can be enforced absolutely; employees cannot be. People are managed by putting procedures, standards and policies in place, and ensuring that employees actually adhere to those structures is extremely difficult. That is where HR comes in.
People management has to be done in tandem with computer security, and its importance cannot be overstated. HR must be fully involved in implementing a firm's ICT security policy, because information security has become so critical that it is now a corporate responsibility rather than an ICT departmental one. HR's role is indispensable to ICT security: it is HR that conducts the initial background checks, owns the umbrella employment policies and staff review processes, and drives the termination process, including the revocation of access that must accompany it.
In a nutshell, information security is usually a people problem rather than a technological one, especially once the impact of insider threats is taken into account. People are the soft underbelly of any ICT infrastructure, and the role of the HR department is to ensure that processes are in place to manage them effectively.