One of your employees rushes to the airport after your industry’s most important trade show. Halfway there, the worker realizes a company laptop computer was left behind in the hotel lobby, which is swarming with competitors. And that little machine is crammed with sensitive data: new product secrets, pricing information, strategic plans. Or, in a more ominous scenario, you arrive at work one morning to find a disgruntled worker has sabotaged your computer system, destroying files, accessing restricted information or altering passwords to prevent you from retrieving critical data.
These are just some of the ways lax security in your computer operations could spell disaster for your company. Although computer security is a complex topic, a few simple steps, from installing the newest security software to implementing clear policies, can go a long way toward protecting your business in this electronic age. Here’s an overview of some of the most important measures you should consider.
- Invest in new encryption products. Even if an employee bent on sabotage or an outsider does manage to access sensitive computer files, you can limit the damage with encryption software products that scramble your data so the wrong person can’t read it. Popular products include RSA Secure from RSA Data Security, Inc. (415-595-8782), Norton Your Eyes Only from Symantec Corp. (800-441-7234), PC/DACS from Mergent International (800-688-1199) and Pretty Good Privacy (PGP) from ViaCrypt (800-536-2664). But it’s critical to research the software before you buy because encryption programs can be awkward to use, and may not work on every type of data or with all applications.
- Create effective passwords. A flimsy password can be the weak link in your computer security system, so make sure you know how to create passwords that co-workers or intruders won’t guess. Avoid such obvious choices as an employee’s name, address or birthday, and be sure passwords are changed frequently, about once a month. Ideally, passwords should include a combination of letters, numbers or symbols. Also, make sure you always have the ability to gain access to a worker’s files with a master password. Some software programs, like RSA Secure, offer added protection by requiring several designated people to jointly use the master password.
- Avoid e-mail traps. E-mail is fast and convenient, but it’s not always secure. Unless you’ve taken steps to protect yourself, even well-intentioned employees can let sensitive data, including company trade secrets, fall into the wrong hands. Warn workers not to treat e-mail communications as private, and consider using encryption software when sending e-mail. (For more on protecting e-mail, see CEA March 1996.)
- Audit computer use. Consider upgrading to an operating system, like Windows NT, that can track specific files and data your employees are accessing. Computer auditing can alert you to suspicious activity before it gets out of hand. And if there is a security breach, auditing can help you identify who is responsible.
Send a Strong Message
Investing in a computer security system is a good start, but software alone can’t prevent employee sabotage or data falling into the wrong hands. You also need to educate employees about the importance of computer security, warn them about the consequences of computer misconduct, and train workers to protect your vital data.
- Stress your company policy. Your employee handbook should clearly state that computer files are company property. Remind workers that, under your policies, they may not tamper with, copy, remove from your premises or destroy files. Nor may they add their own software to your system. In addition, warn employees that misuse of the computer system will result in discipline and possible termination. Consider getting signed acknowledgments that workers have read and understood your computer policies.
- Provide training. Make sure employees know how to use your security software, and encourage reporting of any unusual computer incidents. Train workers to protect information with measures like encrypting files when it’s warranted. Emphasize that employees should not give their password to a co-worker and must never provide computer access to anyone outside the company.
- Warn about criminal penalties. In both your employee handbook and training sessions, spell out that computer sabotage can have serious criminal consequences. Most employees don’t realize they can be prosecuted under the California Penal Code for crimes such as altering or damaging system hardware or data, infecting a system with a virus, unauthorized data copying or unauthorized access to the system. Penalties include up to three years in prison and a $10,000 fine.
Cross-Train Computer Workers
Also take time to look at how your computer operations are structured. If only one person knows how your entire system works, you could suddenly find yourself in a bind if that person leaves. Reduce this risk by making sure all procedures are properly documented, cross-training workers and establishing back-ups for each position.
Finally, a disgruntled worker who has been fired can quickly sabotage a computer system that isn’t adequately protected. Whenever someone’s employment terminates, you should immediately block that person’s access to the system, change the worker’s password and closely review their recent computer activity.