
Get Your Employees to Take Security Seriously

Four ways to keep IT security more visible in your workplace

To protect vital information stored on your computers, you may want to focus on your employees first — especially those who write down their passwords where others can see them, or open e-mail attachments without thinking about it, or download or install software from unauthorised sources.

The Computing Technology Industry Association (CompTIA), a global IT industry group, recently published a report on IT security in the workforce. It found that some degree of human error was the cause of almost half of all security breaches. The analysis attributed the errors to a lack of IT security knowledge, a lack of training or a failure to follow security procedures.

How do you get your workers to take information security more seriously? It takes an ongoing effort. If you send out a notice to change passwords only once a year, you will never develop a workplace consciousness that can effectively reduce the threat of a security breach.

To help you enlist greater cooperation from your workforce, here are four ways to help make security a company-wide priority.

1. Make security part of your conversations
Issuing security-related memos or posting your security policy are good steps. But it's also good to talk about security openly with your employees. For instance, at the end of a meeting, check with everyone to confirm they're using Microsoft Update to install the Windows and Office updates that close the vulnerabilities attackers exploit. It demonstrates that computer security is important to you.
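Asking the room is a start, but the answer is easy to check. The script below is an added example, not part of the original bCentral article or any Microsoft product: it reads a workstation's Automatic Updates configuration through the Windows Update Agent COM objects (Microsoft.Update.AutoUpdate and Microsoft.Update.ServiceManager), reports whether the machine has opted in to Microsoft Update (the service that delivers Office updates as well as Windows updates) and when it last installed anything. It assumes Windows PowerShell 2.0 or later on a workstation where the Windows Update Agent is present; the function and variable names are this example's own.

```powershell
# Added example, not from the bCentral article. Reads the workstation's
# Automatic Updates settings through the Windows Update Agent COM API so the
# "are you using Microsoft Update?" question can be answered by looking
# rather than by asking. Assumes Windows PowerShell 2.0 or later.

function Get-UpdateStatus {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate

    # NotificationLevel values defined by the Windows Update Agent.
    $levelNames = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Notify before install'
        4 = 'Scheduled install'
    }
    $level = [int]$au.Settings.NotificationLevel

    # Microsoft Update (Windows plus Office and other Microsoft products) is a
    # separate opt-in from plain Windows Update; its service ID is fixed.
    $muServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'
    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $muServiceId }

    New-Object PSObject -Property @{
        Computer             = $env:COMPUTERNAME
        AutoUpdateLevel      = $levelNames[$level]
        MicrosoftUpdateOptIn = [bool]($mu -and $mu.IsDefaultAUService)
        LastSearchSuccess    = $au.Results.LastSearchSuccessDate
        LastInstallSuccess   = $au.Results.LastInstallationSuccessDate
    }
}

$status = Get-UpdateStatus
$status | Format-List

# Flag the two configurations the meeting question is really about.
if ($status.AutoUpdateLevel -ne 'Scheduled install') {
    Write-Warning "Automatic Updates is '$($status.AutoUpdateLevel)'; set it to install updates automatically."
}
if (-not $status.MicrosoftUpdateOptIn) {
    Write-Warning "Microsoft Update is not enabled, so Office updates are not being delivered to this PC."
}
```

Run it at the workstation (or have your security expert run it during the reviews described in point 4). One caveat: on a domain-joined PC that gets updates from a WSUS server via Group Policy, the Microsoft Update opt-in is not needed, so read that warning in light of how your network is set up.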

Also talk to new employees about computer security before they even sit down at a PC. Have this discussion before you issue the new worker a password to log on to their computer.

2. Create an acceptable use policy
An "acceptable use policy" is a document that lets your employees know what they can and cannot do on company computer equipment. Put down in writing what you expect. This can cover your policy on creating passwords, frequency of password changes and opening e-mail attachments from unknown senders. It might also include prohibitions against installing unauthorised software on their computers. This document should state the penalty for violating the policy — which could be termination — and it should be signed by each employee. As the business owner or manager, you should sign a copy of the policy, too.

If your policy is long and detailed, help your employees remember the main points by creating a one-page summary you can distribute and that they can post near their workstations. You can customise this sample handout for your business.

3. Discuss how to handle sensitive information
In addition to having an acceptable use policy, consider creating a handout on how sensitive information is handled. This policy should cover what type of e-mail or documents employees are allowed to forward to others outside the company, how to handle copyrighted material, and how and what type of customer information can be shared. This policy might also contain warnings to employees against trying to access files they don't have permission to view or edit and what types of e-mails employees should save or delete. Again, circulate the policy among your employees and have them read and sign a copy.

4. Identify the security expert for your business
Appoint someone in your business as your "security expert" and make it known to everyone that the person is available to respond to — or find answers to — security questions. If your business has IT personnel, your security expert will likely come from the ranks of this group. However, if you or a tech-savvy employee manages your computer systems, then either of you might be the expert. If possible, have your security expert periodically conduct security reviews with other employees at their workstations.

Creating a security-minded workplace requires a team effort that starts with continual attention on the part of the folks who run the business. Information security won't happen unless owners and managers make it happen.


Quick Tips

To ensure compliance on security basics, don't overwhelm employees with unnecessary technical information that might create confusion. For instance, your workers probably don't need a detailed explanation of how a firewall works. Or, if you need to encrypt sensitive company data when e-mailing it, limit your training about when and how to use encryption to those who will do it as part of their job.