Enforcing security policies with employees can be a massive challenge. Employees don’t always know your organization’s security policies or the reasons for them. When employees are ignorant of security rules, they may commit accidental violations without ill intent. Employees may also try to circumvent security policies to save time or for their own personal benefit.
Whatever the reason, employees may try to violate your organization’s security guidelines—exposing your organization to regulatory compliance violations, data breaches, and negative publicity. So, it’s important to have strong security policy enforcement to keep employees from circumventing the protections your business uses.
The question is: “How can you solve the challenge of enforcing security policies with employees so they won’t (or can’t) break the rules?”
Here are a few tips for enforcing security policies in an enterprise organization:
1) Work to Raise Awareness of Security Policies
An employee can hardly be expected to follow the enterprise’s security policies and procedures if the employee doesn’t know about them in the first place. So, enacting an employee awareness campaign and working the company’s security policies into the employee training process is imperative for enforcing security policies.
An internal awareness campaign using face-to-face meetings, mass employee emails, and general announcements at major meetings helps to ensure that current employees understand the company’s security policies. Meanwhile, adding security policy education to the employee onboarding process helps to ensure that every new hire starts with at least a basic understanding of the company’s security policies and procedures.
Launching an awareness campaign helps with security policy enforcement by ensuring that employees are at least aware of the most important security policies the enterprise follows. It may also help to highlight the reasons for following specific security policies—such as how violations can lead to cybersecurity breaches and financial losses for the company.
2) Publicly Enforce Penalties for Security Policy Violations
Even when employees are aware of the rules surrounding acceptable use of IT assets and resources, they may still try to circumvent the company’s security policies for one reason or another. Unfortunately, when employees intentionally violate the enterprise’s security policies, it may be necessary to make an example of the offenders. Enforcing consequences for rules violations is a crucial part of effectively managing employees in any work environment.
In fact, in an article for TechTarget, Dr. John Halamka, CIO of Boston’s Beth Israel Deaconess Medical Center and Harvard Medical School, says that: “Public executions are necessary for enforcing company information security policies… You run into two kinds of folks: those who will accept the consequences and those who deny everything and must be presented with the preponderance of the evidence.” The “public executions” in this quote refer to the termination of staff in front of the whole organization—this way, everyone can see who was punished and know the exact cause of termination.
Using so-called “public executions” establishes an example of what happens when employees violate the “acceptable use” and security policies for the organization’s IT resources, which can help to curb future violations. At the very least, it removes someone who was actively flouting the organization’s rules. This may be regrettable, but it is a necessary part of managing employees in an enterprise.
3) Enforcing Rules with a Security Configuration Tool
Halamka strongly recommends publicly terminating employees who violate the rules, yet in the same TechTarget article he notes that “three or four doctors – ranging from green residents and interns to well-weathered practitioners – are fired for violating security and acceptable use policies” each year. Even with a well-known set of security policies and procedures, and with clearly defined consequences that are demonstrated time and time again, there are still those who will violate the rules for the sake of convenience.
So, how can enterprises take their security policy enforcement to the next level to not just minimize violations, but to virtually eliminate them? This is where a security configuration tool such as Kandji for macOS devices can help.
Kandji makes enforcing security policies easy and consistent across every macOS device in an organization by:
- Creating Codeless Security Configurations. Kandji makes enabling or disabling security settings for macOS devices as easy as a simple mouse click. With more than 130 unique security settings to choose from, your enterprise’s security configurations can be as simple or as granular as you like.
- Remotely Monitoring the Security Status of Each Device. Kandji’s configuration tool features a single, centralized dashboard you can use to check the number of registered devices, current status for each device (with color-coded indicators), and total remediations over the past 30 days. This provides more visibility into your fleet of Apple devices so you can better manage your security policy enforcement.
- Enabling Role-Based Security Blueprints. In a large enterprise, not every employee has the same roles and responsibilities. Different departments may have separate security and compliance requirements. So, instead of making a “one-size-fits-all” security blueprint for the whole organization, Kandji makes it easy to create separate blueprints that take into account the unique needs of each department. As users and devices are added, they can be immediately assigned to the blueprint for their department.
- Offline Security Configuration Checks. Employees who are determined to undermine the security settings on their devices often find a simple way around a tool that only enforces settings while the device is connected: they take the device offline and change the settings while it is disconnected. Kandji thwarts offline alteration attempts by using a local client that holds a copy of the security configuration database. Once every three minutes, the client on the computer checks the Mac’s security settings against the local database to verify that the right settings are enabled, and remediates any that have drifted. Because the check and the remediation both run locally, taking a device offline does not let an employee sidestep your security policy enforcement measures.
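To make the offline-check mechanism described above concrete, here is an added example of a minimal local compliance agent written for this page. It is not Kandji’s code and does not represent how Kandji implements its client. The baseline is a local text file (so no network is needed), each line naming a setting, the exact output expected from a read command, the read command, and an optional fix command. The macOS commands and their expected output strings (`socketfilterfw --getglobalstate`, `spctl --status`, `fdesetup status`) are assumptions about those tools’ output and should be verified on the macOS version in use; the `demo_baseline` function uses plain files as constructed stand-ins for real settings so the agent can be exercised anywhere.

```shell
#!/bin/bash
# Added example: a local, offline-capable compliance check with remediation.
# Not Kandji's code. Baseline line format:
#   name|expected output|read command|fix command (empty = report only)

# check_one NAME EXPECTED READ_CMD FIX_CMD
# Returns 0 if the setting matches the baseline (before or after remediation),
# 1 if it still drifts (or drifts with no fix command configured).
check_one() {
  name="$1"; expected="$2"; read_cmd="$3"; fix_cmd="$4"
  actual="$(sh -c "$read_cmd" 2>/dev/null)"
  if [ "$actual" = "$expected" ]; then
    echo "OK     $name"
    return 0
  fi
  if [ -z "$fix_cmd" ]; then
    echo "REPORT $name expected='$expected' actual='$actual' (no fix configured)"
    return 1
  fi
  echo "DRIFT  $name expected='$expected' actual='$actual' -> remediating"
  sh -c "$fix_cmd" >/dev/null 2>&1
  actual="$(sh -c "$read_cmd" 2>/dev/null)"
  if [ "$actual" = "$expected" ]; then
    echo "FIXED  $name"
    return 0
  fi
  echo "FAIL   $name still '$actual' after remediation"
  return 1
}

# enforce_baseline BASELINE_FILE
# Runs every check in the file; returns 0 only if nothing is left unresolved.
enforce_baseline() {
  baseline="$1"; failed=0
  while IFS='|' read -r name expected read_cmd fix_cmd; do
    case "$name" in ''|'#'*) continue ;; esac
    check_one "$name" "$expected" "$read_cmd" "$fix_cmd" || failed=$((failed + 1))
  done < "$baseline"
  echo "unresolved=$failed"
  [ "$failed" -eq 0 ]
}

# Assumed macOS baseline: commands and expected strings are assumptions to verify.
# FileVault is report-only because enabling it needs user credentials.
macos_baseline() {
  cat <<'EOF'
# name|expected|read command|fix command
firewall|Firewall is enabled. (State = 1)|/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate|/usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on
gatekeeper|assessments enabled|spctl --status|spctl --master-enable
filevault|FileVault is On.|fdesetup status|
EOF
}

# Constructed demo: plain files stand in for settings so the loop runs on any host.
# Prints the path of the generated baseline file.
demo_baseline() {
  dir="$1"
  echo "disabled" > "$dir/firewall"     # drifted, fixable
  echo "enabled"  > "$dir/gatekeeper"   # already compliant
  cat > "$dir/baseline" <<EOF
firewall|enabled|cat $dir/firewall|echo enabled > $dir/firewall
gatekeeper|enabled|cat $dir/gatekeeper|echo enabled > $dir/gatekeeper
EOF
  echo "$dir/baseline"
}

# On a Mac, run with --enforce (as root) to apply the assumed macOS baseline.
if [ "${1:-}" = "--enforce" ]; then
  f="$(mktemp)"; macos_baseline > "$f"
  enforce_baseline "$f"; rc=$?
  rm -f "$f"; exit $rc
fi
```

To approximate the three-minute cadence, schedule the script with a launchd daemon whose `StartInterval` is 180 seconds, so it keeps running whether or not the device has a network connection. Two caveats a practitioner should keep in mind: exact-string comparison is brittle across OS versions, so pin the expected output per version; and a user with local administrator rights can unload the agent or edit the baseline file, so a periodic local check reduces drift but is not tamper-proof on its own.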