How to enforce a USB security policy with support from management

How to enforce a USB security policy with support from management

We recently had an incident where an employee was caught downloading sensitive data onto a personal USB stick, which he knew was a violation of policy. I suggested we fire him, but management decided to give him another chance. How can I explain to them that this could have dire future security consequences?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Unfortunately, this is one of the many challenges faced by security professionals and leaders in many organizations. This particular problem tends to surface quite often: The employee violating the USB security policy is also a highly valued member of the organization, due to his or her expertise or experience, and would be difficult to readily replace.

One approach you may want to try –- something I've done in the past when trying to get support from management –- is to speak to your immediate manager (CIO, CFO or security director) and let him or her know of your concern about the short- and long-term implications. In this discussion, try to avoid being too emotional; using of the word "dire" may be too extreme, but you need to make a point that the decision may not be in the best interest of the company, as other employees could see this as an implication that certain rules won't be enforced.

Secondly, I would suggest that management consider putting a letter in the employee's human resources file stating that he/she was caught violating corporate policy (date, time, witnesses, etc.), and he/she received a warning of some sort, preferably documented.

Thirdly, such an incident may serve as an opportunity to launch an internal awareness campaign (e.g., broadcast email, posters, etc.) reminding all employees that data protection is important to everyone -- employees, customers, vendors and the corporation overall -- with the intent of preventing this from happening again.

In your campaign, however, I'd suggest not citing any rules about "punishment up to and including termination," or, due to the recent event, the message could be seen as not credible by many of the more skeptical employees.

Lastly, I have maintained a "Cover Your Alternatives" (CYA) file, in which I would put a summary document of the event, my conversation with my supervisor, actions taken to prevent the recurrence, etc. Then, should there be future analysis or reviews, the CYA file has a history of actions and data that may be useful to demonstrate effective management of the event.

This was first published in April 2010

Back to top