The Agency Insider with Linda McGlasson

How Many Strikes Before a Risky Employee is Out?

How Many Strikes Before a Risky Employee is Out?

A recent headline caught my eye from our sister site, HealthcareInfoSecurity.com: "5 To Be Fired For Social Media Use." This story detailed an ongoing investigation at a California hospital into the use of social media by employees posting personal discussions about hospital patients.

The five employees were to be terminated for their actions. Strong, swift action by the hospital sends a stiff message to others working there: Follow the policies, or lose your job. This is a tough position taken by the hospital, but -- in my opinion -- the only option. There is no grey area when it comes to the right side and wrong side of security and privacy.

My question to the financial services industry is: Do we have grit to take action against bad behavior by our employees? Those folks in human resources and information security positions know what I'm talking about. Think about it; you know of at least one "bad" behavior incident at your institution. What happened when the incident was discovered? Did your institution back up its policies with action? Does your institution monitor what employees are doing online? Acceptable use policies are at the top of the list to start promoting to employees. The bottom line is: Would your organization take decisive disciplinary action to stop bad behavior?

The real hard fact is that it's not easy to monitor and police what your employees are doing, but it has to be done. A survey conducted recently by the American Management Association and the ePolicy Institute shows the percentage of companies that terminated employees when they violated stated policies, including:

  • The Internet -- 26%
  • E-mail -- 26%
  • Cell phones -- 6%
  • Instant messaging -- 4%
  • Text messaging -- 3%
  • Social networking -- 2%
  • Video sharing -- 1%
  • Personal blogs -- 1%
  • Corporate blogs -- 1%

The highest numbers on that list is only 26 percent. This means another 74 percent of employees at those companies did something bad and didn't get fired. I sure wouldn't want to be working in the information security department at those companies. Their jobs are harder because their companies aren't backing up the security policies in place to prevent bad behavior.

One example of the kind of things that make an information security department's job harder: Increasingly, hackers are putting nasty malware, spyware and keyloggers on the kind of sites on the list of "not to be looked at during work." A paper presented at Harvard's Workshop on the Economics of Information Security earlier this month revealed the hidden dangers that exist on these sites. One of the paper's authors, Dr. Gilbert Wondracek, says the research analyzed 260,000 websites hosted on 35,000 domains to see which hosted malicious software. Wondracek says the research showed about 3.23 percent were "booby-trapped" with adware, spyware and viruses.

So what amount of grit does your institution have when it comes to backing up its security policies? Would your senior management make a decision to get tough on bad behavior in order to protect customer data and systems of the institution, or would it wimp out and look the other way?

Think about your answer. It's not just jobs at stake here; it's the integrity and security of entire organizations.



About the Author

Linda McGlasson

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.