It seems like my to-do list never gets shorter from one day to the next; it only gets longer. This was even more true when I was responsible for the information security and privacy program within a large multi-national financial and insurance organization. It seemed the squeakiest-wheel to-do items often got done, while other to-do’s that were very important, and often not that time-consuming, got put by the wayside, always put off until another week.
However, often those little things can make a huge difference for the success of your information security and privacy programs and initiatives.
I got into the habit, at the end of each week, of identifying five things to do in the next week to improve my information security and privacy program.
Over the course of time I accumulated literally hundreds of these little, but very powerful, to-do actions.
Here are 5 things that you can do next week to improve information security and privacy within your organization:
1) Define “personally identifiable information,” or PII, for your organization. You cannot expect to successfully protect PII if you do not know what PII you have within your organization. Few organizations have actually defined what types of information are considered PII. You cannot expect your personnel to protect PII if you have not told them what PII your company handles. Take time to list the PII your organization collects, processes, handles, and in any other way has access to. Use the varied definitions from the data protection and privacy laws that are applicable to your organization to create your consolidated definition of PII. I’ve identified 50 unique information items that qualify as PII as documented within close to 100 data protection and privacy laws worldwide, so there are many that you need to know about, and ensure your employees know about.
2) Call your CEO, CFO and/or other CxOs. Tell them what you’re doing to protect the business and your customers. Tell them what you are doing to protect *THEM*. Tell them to be aware of a current scam targeting business executives that have “C’s” in their title. It appears criminals are using professional networking sites, such as LinkedIn, in addition to social networking sites, such as MySpace and Facebook, to find the CxO’s they are targeting for their cybercrime. Point them to the Wall Street Journal article that was published today about this scam, “Web Scammer Targets Senior U.S. Executives.” I just posted to my blog yesterday about these types of threats; send them to “More Organizations Are Blocking Social Networking Sites To Address Information Security and Privacy Concerns” to also learn more. Send them (and the rest of your employees) my article from “Protecting Information” about this, “Protecting the Business and Yourself at Social Networking Sites.”
3) Post a reminder message about how to properly dispose of information on your information security and/or privacy intranet site. Remind personnel that documents containing PII and other sensitive information should not be tossed into the regular trash cans and bins. Remind your folks where your secured shredding bins are, and/or the cross-shredding machine locations. Remind employees that no-longer-needed printed paper with PII should not be taken and given to their churches, schools, or other organizations to be used for scrap paper! A large number of privacy breaches have occurred because employees threw away PII and malicious people dug the information out of the trash and used it for crime. I’ve blogged about this several times. You can see a few examples to pass on to your personnel here and here.
4) Start monitoring hits to your information security and/or privacy intranet site. I used to do this when I was a practitioner, and the metrics were very valuable! One of the ways that you can measure the impact of your awareness communications and training is by the increase in traffic to your intranet site. Regularly log the site traffic numbers to see what topics resonated with your personnel, and which did not, to determine if you had the intended impact. The visits to your site(s) should increase following such actions as training events, awareness communications, awareness speakers and presentations, and so on.
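As an added example (not code from the original post), here is one way to turn the intranet-traffic idea above into a repeatable metric: parse the web server's access log, count successful page views per ISO week under the security/privacy site prefix, and compare the week before an awareness event with the week of the event. The log lines, the /security/ path prefix, and the event date are all constructed for illustration.

```python
# Added example: weekly hit counts for an intranet security/privacy site,
# built from Combined Log Format access-log lines (Apache/nginx default).
# All sample data below is constructed; the /security/ prefix is an assumption.
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Static assets are not page views; ignore them so images don't inflate counts.
STATIC_EXTENSIONS = {"png", "jpg", "gif", "css", "js", "ico"}

# Constructed sample log: week 10 of 2008 (3-5 Mar) is before a hypothetical
# awareness mailing on 10 Mar; week 11 (10-12 Mar) is after it.
SAMPLE_LOG = """\
10.1.2.3 - - [03/Mar/2008:09:12:01 -0600] "GET /security/ HTTP/1.1" 200 5120
10.1.2.4 - - [04/Mar/2008:10:02:17 -0600] "GET /security/pii-definition HTTP/1.1" 200 8891
10.1.2.5 - - [05/Mar/2008:14:44:09 -0600] "GET /security/disposal HTTP/1.1" 200 3310
10.1.2.3 - - [10/Mar/2008:08:01:55 -0600] "GET /security/pii-definition HTTP/1.1" 200 8891
10.1.2.6 - - [10/Mar/2008:08:03:12 -0600] "GET /security/pii-definition HTTP/1.1" 200 8891
10.1.2.7 - - [11/Mar/2008:11:20:40 -0600] "GET /security/pii-definition HTTP/1.1" 200 8891
10.1.2.8 - - [11/Mar/2008:11:21:03 -0600] "GET /security/disposal HTTP/1.1" 200 3310
10.1.2.9 - - [12/Mar/2008:16:05:30 -0600] "GET /security/logo.png HTTP/1.1" 200 1200
10.1.2.4 - - [12/Mar/2008:16:06:11 -0600] "GET /security/missing HTTP/1.1" 404 210
"""


def page_hits_by_week(log_text, prefix="/security/"):
    """Return {(iso_year, iso_week): {path: hits}} for successful page views
    under `prefix`. Non-200 responses, static assets and unparsable lines
    are skipped."""
    weekly = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]  # drop query strings
        if not path.startswith(prefix):
            continue
        if path.rsplit(".", 1)[-1].lower() in STATIC_EXTENSIONS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        iso_year, iso_week, _ = ts.isocalendar()
        weekly[(iso_year, iso_week)][path] += 1
    return weekly


def event_impact(weekly, event_day):
    """Compare hits per page in the ISO week before `event_day` (YYYY-MM-DD)
    with the ISO week containing it. Returns {path: (before, after)}."""
    day = date.fromisoformat(event_day)
    after_key = day.isocalendar()[:2]
    before_key = (day - timedelta(days=7)).isocalendar()[:2]
    before = weekly.get(before_key, {})
    after = weekly.get(after_key, {})
    return {p: (before.get(p, 0), after.get(p, 0)) for p in set(before) | set(after)}


if __name__ == "__main__":
    hits = page_hits_by_week(SAMPLE_LOG)
    for path, (b, a) in sorted(event_impact(hits, "2008-03-10").items()):
        print(f"{path:32} before={b:3d} after={a:3d} change={a - b:+d}")
```

Run it weekly against the real log (for example, by piping the log file into page_hits_by_week) and keep the per-week numbers; the pages whose counts jump after a training event or awareness mailing are the topics that resonated, and pages that stay flat are candidates for a different approach. Filtering on status 200 and excluding static assets keeps broken links and image loads from masquerading as interest.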
5) Tell someone “Thank you!” It is human nature to complain or point out to others within organizations what they are doing wrong, or tell them how they can improve. This type of “constructive” criticism, along with downright mean criticism, is too commonplace within most organizations. Along with giving constructive criticism, it is important to let people know that you appreciate their information security and privacy efforts. Has someone gone out of their way to support your security or privacy efforts? Call them up and say, “Thank you for helping us improve the security and privacy of our business!” Don’t limit yourself to saying thank you to your own team members (although this *IS* important to do) and the IT folks (also important). Think about people out there in the business areas and the other corporate areas. Did your security guards do something that helped to secure company information? Did your call center staff prevent someone from fraudulently gaining access to a customer’s account? Did an employee challenge someone who was not wearing an identification badge? Think about all the possibilities. Give thanks! People will feel good to know that you appreciate their efforts, and they will not only continue to support security and privacy efforts, but I bet you will find that they will become your own internal security and privacy evangelists. You can use all the help you can get for personnel to support security and privacy initiatives!
If you can do these 5 things next week, you *WILL* improve your information security and privacy program. If you can only do one or two things, you will also have a positive impact.
Plan now to do it next week!
I’ll give you 5 more “to-do’s” in another week! 🙂
Tags: awareness and training, business networking, facebook, Information Security, IT compliance, LinkedIn, MySpace, personally identifiable information, PII, policies and procedures, privacy, privacy training, protecting information, risk management, security training, social networking