Managing Security at the Workplace - Essay Example

Managing Security at the Workplace Introduction Over the years, security has become a major concern in the global arena. Not only is it about the physical possessions of a person but also seen as a threat to one’s life. Since this issue is so widespread, therefore no sector of the society is alienated from it. From governments to schools, community centers to households, factories to recreation areas, all suffer from a threat to their security. In the given circumstances, it is the duty of everyone to ensure that the environment around them is safe and one does not pose any threat. Humans as residents of global communities, cities, and neighborhoods have grave responsibility of guaranteeing safety for own selves and those who co-habit our surroundings. This constant sense of foreboding has resulted in a form of paranoia, which has seeped well into the fabric of our society and has consequently, increased expectations towards what is perceived as unharmed. This report would majorly focus on the threats, dangers and risks to organizations because of new technology and the steps that managers can take to reduce them (Alberts & Dorofee, 2003, pp.45-90). Of all the facets of a community, security at workplace is most at risk. Reason being that when you put a group of people from diverse backgrounds together, and expect them to cooperate and work towards a common, defined goal; there are a number of internal and external hazards at hand. The key danger facing an organization’s wellbeing is mainly from technology; other perils may include negligent workers, unsatisfied employees, theft, documents being disposed improperly and such. Most of organizations today consider data loss and stealing of important information from the organization as the greatest risk; however, economic conditions, competition, and government regulations are not at top of the list. This is because today most of the companies heavily rely on new technologies for completion of many goals. Security managers today are trying to direct all the departments of the company to enhance their security measures and achieve organizational goals. Today, apart from natural calamities and criminal actions, technology dangers are very common. Organizations cannot operate staying aloof from other organizations and people, as they have great connections with global and multinational corporations for completion of their projects. Discussion Businesses do not have any other choice than this because if they do not communicate with outer world they cannot even survive for one day. Moreover, many organizations have international businesses, they export and import products and raw materials. For making these transactions, companies need to arrange meetings; sometimes these meetings are online because of time constraints. Some organizations, at times do not even schedule meetings but they do all the work through emails and phone calls. For even smaller tasks, organizations greatly depend on technology especially internet (Amit & Wernerfelt, 1990, pp.520-533). They have to have technical networks at their workplace if they want to thrive. This does not only imply for the organizations that work internationally but also for the ones that work domestically. Technology has brought along many risks and dangers, which if not catered properly would prove to be demolishing for the organizations. Companies need to have proper security management systems if they do not want to suffer. Only implementation of security management is not necessary; however, managers must make sure that the system is capable enough to reduce the dangers. Organizations should not wait for the occurrence of any unpredictable event to arrange the security system; however; they should initiate the security management as soon as they start making use of technology that could possibly be risky. Organizations should make such arrangements beforehand so that they do not suffer loss (Bettis, 1983, pp.406-415). The security management system should also be flexible so that it can adapt with the changing scenarios of time. Earlier, there used to be security systems that could protect the corporate information only inside the environment of office. However, these systems possess no significance these days because employees do not only access the company information inside the company but it can be accessed from outside as well. Increased use of mobile phones, smart phones, notebooks, and laptops has caused employees to do so. Many organizations despite being aware of the dangers of these devices do not want to stop their usage because this has increased the productivity of employees. Along with productivity, there are many risks associated with this use and IT departments have to be active to ensure the security of organization. Many viruses, spyware, and malwares are the results of application of new device and online tools (Bloom, 1998, pp.283-297). These viruses sometimes are not easy to detect and delete from the system, which wastes a lot of money, time and other resources. It also has impacts on employee’s productivity. To save the organizations from these viruses and threats, managers need to bring a security model that should be able to detect viruses immediately and they do not let it ruin the whole systems. It should also be able to direct the employee behavior regarding use of devices and online tools. Directing behavior does not imply that employees should stop using these tools however, it suggests that it gives guidance to employees that how to use them in effective and efficient manner without encountering any threats (Bodin, 2008, pp.64-68). In past, people perceived the work only to be from nine-to-five but today this concept has become obsolete. Employees can work anywhere depending on the type of work they do. They can work on laptops in their offices; they can also check their emails and do other stuff using smart phones. They can use notebooks for their work when they are out of the office. They can remain connected to the office network even with the help of a small mobile phone connection or unsecured wireless link, which can be threatening for the corporate information if a strong security management system is not installed in the network. If businesses want to create ease of anytime, anywhere workplace for their employees, they would have to bring a security system that works beyond the walls of office and swathe all types of devices, online tools, and connections that employees use. When employees use these devices inside the organizational environment to connect to the office network they have security by an enterprise-class security infrastructure that comprises of proxy servers, firewalls, IPS and the like. Nevertheless, when they use same devices outside the office, the office network’s security system is unable to protect the information. It would not have been a big problem, if the virus remained outside the office but unfortunately, this is not the case (Das, 1998, pp.21-42). When the employees who have worked outside the office bring their devices inside the offices, a polluted endpoint can allow a person with malevolent intention to get ‘authorized’ admission to a device or corporate network by gathering and re-processing an official account and password, or make wrong use of user’s access when he or she is signed in. An organization is not only in danger because of viruses however, danger is also there when a person’s laptop or USB gets lost. This is the reason why many multinational organizations have included a well-extended security system in their workplace, which could save the organization from, unauthorized access. Many corporations possess endpoint security in their workplace with the help of host-based firewalls, anti-malware software, and anti-virus solutions (Davidson, 1987, pp.162-172). Despite these inventions, it is not highly possible to prevent the company from every virus but finding the virus immediately and eliminating it before it damages the whole system is possible. Moreover, the businesses, which have to download and save many data into their devices, should use encryption technology. These days, dealers do not only bring the endpoint security solutions into the market but original equipment manufacturers install such systems in the latest versions of the devices (Ericson, 1994, pp.149-175). For example, some laptop models ship with fitted fingerprint scanners and facial recognition technology. Microsoft® Windows® 7 contains a number of enhanced security technologies, which include device control technology, which specifies that which external devices can be used on a computer and what data should and should not be saved into these devices, even when the user is not linked to the corporate network. Windows 7 also contains technology that averts applications from being laden onto a device except they are on a definite list, and a feature that can distantly disable a device so that no one can access the data is a part of the technology (Huber, 1985, pp. 277-337). Experts should design The Network Access Control in a way that it requires the endpoints to verify that they are safe connections. Moreover, the NAC should also be able to detect destinations of the endpoints and their capabilities. When the endpoints finally access the network, there should be policy, which ensures that endpoints have met all the required standards. One of the standards might be the presence of proper firewall and anti-virus protection softwares in the endpoints before they access the network. If the endpoints do not meet the standards, NAC tries to configure and solve it (Jüttner, 1990, pp.120-141). NAC solutions permit network managers to describe policies for endpoints devoid of the need to have complete control of those endpoints. They also offer a layer of defense against rudely used, contaminated, or rogue endpoints making an effort to link to internal network segments. This ability of NAC technology to implement policies at network access time without taking into consideration the endpoint type, provides an organization with major threat defense by averting spoiled endpoints from connecting with any other computer or application at the network level, therefore stopping it to spread (Kouns & Minoli, 2011, pp. 56-89). Thus, NAC is a significant part of an improved security model to tackle threats from growing employee mobility and the exercise of consumer technology in the organization. The inventors of viruses and malware are becoming excellent at changing their faces so that they can pass through controls and stay hidden while spreading through the systems. This makes it important for security managers to get better their security analytics engines that are sharp tools, which see beyond recognized threats to make out actions, and outlines on the network like malware that attempts to connect with systems or make novel connections and increase the threat. For this reason, it is also important for organizations to amplify defense for information at break in storage devices as well as information in movement on the network. For the data that is most important for the organization, it is noteworthy to implement encryption technology along with improving NAC. If organizations only implement these security systems without including the security in the organizational policies and culture then the employees would not be able to understand its importance and they would not behave accordingly. Security managers should educate their employees about the behaviors that can make organization vulnerable to threats and losses (Lo, 1999, pp.13-26). The managers should make a comprehensive training program for the employees in which employees learn that what is the appropriate time and place of the using the devices. In such trainings, employees should also learn that how to protect the devices that are used to access the network. When IT department of the company provides the devices used by employees, it is less risky. However, today it is common that employees use their personal device to connect to corporate network, which infects the network because personal devices are not as vigorous as the corporate ones. Situation gets worse when the employees use their home connections or unsecured public connection to connect to the corporate network. When this situation takes place, organizations had better make standards without which none of the employees can use their personally owned devices to connect to corporate network. One of these standards could be the presence of anti-virus softwares in the devices. Organizations should keep the same policies regarding use of social media and web applications and they must educate employees about all these tools with strong reason and logic so that employees use them with great care and responsibility, which makes it productive for the company. Moreover, the installation and updating of anti-virus softwares should also be a part of training. Employees should also get opportunity to learn the rules about the devices that are used for copying of important data; these include USB devices, CDs and DVDs. Often, these devices play great role in induction of viruses in the PCs if the user uses them in wrong ways. Moreover, teachings should be provided regarding use of passwords, this include the time period after which employees should change their password and the use of same or different passwords for accessing private files. They should keep their personal and organizational data at different places or folders (McAdams, 2004, 1-8). Employees should also learn that they do not have to involve in confidentiality breaches or workplace bullying because often, rival companies try to acquire the information of other companies by enticing their employees. Employees should also get guidance regarding the use of social networking sites that they do not have to disclose any information of the company on those sites unless the company asks them to do so. Companies should also communicate to employees about the consequences of breaching the training guidelines. There are different kinds of employees in the company, all have to perform different tasks and their level in the organization differs, therefore, businesses should also give them guidelines keeping in mind their access to the network. For example, a marketing employee whose responsibility is to publicize the products using YouTube, Facebook and other social networking sites should have different guidelines from the one who looks after the finances of the company (Rainer, Jr., & Carr, 1991, pp.129-147). When employees connect to social networking sites from the corporate network they should keep in mind that their actions could greatly affect the security and reputation of the company. Moreover, this also has great impact on their personal security. These days most of the viruses are spread through Facebook logins. People with malicious intentions utilize these to dispense entrenched viruses through ‘friends’ lists as numerous people will routinely click any link from a friend with no any thought to the safety behind it. Implicit trust from social networking is a gullible fault. By advising employees regarding phishing scams and other malevolent activity on websites and directing them of steps to stay away from falling victim, and teaching them about the dangers of downloading files that might have a virus or malware entrenched, an organization diminishes the hazards to its employees and itself. The social media rules should also evidently express that what business information employees should post and what not. The meaning of productivity is different for different organizations according to the type of product and service they provide to their customers. However, one thing that is similar in every organization is the efficient and effective use of time and resources by the employees (Roper, 1999, pp.67-109). If employees use their time and resources effectively, they are productive for the organization. Nevertheless, employees require few things from the organization, which can help them achieve the organizational goals. Primarily, it is the freedom to do their work in their own ways, which indicates the use of devices and applications to accomplish their tasks. The question arises that with so strict security models how would the organizations enable its employees to be productive. Answer to this question is that corporations can do it if they carefully analyze their information technology level and its environment. Moreover, user’s role in the organization can help administrators to provide him with the facilities that he requires (Shiller, 2003, pp.343-347). End users computing monitoring technologies are very helpful in determining the productivity of employees, the usefulness of devices, applications, and network for the employees and the protectiveness of security model for the environment. Many organizations have adopted these tools and they are working well for them. However, these tools are able to track that how a specific component is working but they are not able to track the end-to-end user experience perfectly. When deciding if information technology is helpful for the employees or not, organizations should try to monitor with employee perspective. They should check the usefulness of application with employee perspective. If the employees are mobile then how can managers evaluate end-to-end performance? How can managers see the cause and effect relationship between employee performance and a particular security application? Managers need to evaluate the level of employee output, the bottom-line value, and the profit versus expenditure relationship. The simplest technique is to make a survey from the employees regarding the effectiveness of tools that they utilize. Employees will indicate the problems that exist in the applications, tools, and devices and they will indicate the needs and requirements that will be prolific for the organization. Managers should also decide about the changes and things that should continue working in the same way. These answers would really help managers to know if they have taken right steps or not. ‘Six Sigma Lean’ is a great tool to check how employee performance is influencing organization’s productivity, business purposes, and other important processes of the organization. By measuring all these elements, an organization would be able to find out the outcome of its expenditure on the security models. This would enable organization to spend money carefully on the security models. As established technology poses a detrimental risk, but there are many other dangers that can threaten the security of a company. An organization is a synergy of its employees as they are the ones who form the fabric of the company and give it its identity. If the employees are unreliable, that puts the whole organization at risk therefore, it is important that employees report utmost commitment and dedication. Unreliability can be in the form of misdemeanor on their part by not complying with the rules and regulations set by company’s code of conduct. Some workers may foster bad sentiments about their boss and the corporation as a whole, usually disgruntled employees who feel that their hard work is not properly recognized and rewarded. They tend to go to extreme measures and may steal company documents to supply to competitors or just to create commotion at the office. If any internal component threatens the viability of the organization that is much more damaging than any other external factor (Miller, 2008, pp. 48) Theft is also a recurrent security threat; it may be in the form of physical misallocation of data, files, document, or electronic theft in the form of lost passwords resulting in interruptions and uncalled for delays. Let the paper state an unhappy member of a work team hides a document, which has important details pertaining to the project at hand, on the employee’s part it would not seem to be of much consequence, but this may result in a delay in trying to recover the lost data. These tiny occurrences may put the whole organization at a standstill and endanger its productivity. Corporations frequently use heavy machinery for production; on the one hand, these machines are responsible for churning out products at a massive level. However, if not properly maintained, may result in accidents. Therefore, the organization should initiate a proper management system through which machinery and production units are maintained frequently with periodic operational checks with the expertise of professionals. Transportation of raw materials or products from one place to another is another operation a company undertakes, for this purpose trucks and Lorries are employed and driven by drivers who are responsible for transporting the materials and ensuring that the articles reach on time and in perfect condition. The overall policy of the company should include instructions on safe driving and adherence to the traffic laws. Drivers should be provided adequate training to ensure that when at road they do not put themselves or others at risk. Laws exist, which state the training guidelines that need to be followed, also the number of hours a driver and truck can serve. Violation of these standards will not only result in legal action but also prove harmful for the safety and health of the driver. Use of mobile phones is discouraged while driving, the security managers should highlight this feature, and they may provide drivers with radio devices or hands-free devices that do not deter the driver from losing concentration on the road ahead. Apart from risks associated with information technology and social media, managers have to take care of other factors, which become very risky for the organization. Firstly, it is physical environment and working conditions of the organization. It can be very humiliating and stressful for the employees if they feel that they are working in an environment, which is unhealthy for them (Slay & Koronios, 2006, pp.56-90). For example, it might contain factors such as noise, heat, pollution, or poor lighting. Most importantly, if employees work continuously in front of computer screens that are not good for their eyes, they might get a negative perception about the organization and it might be in danger of government prosecution. The biggest risk that can arise from such situations is negative impact on productivity and growth of employees (Straub & Welke, 1998, pp.441-469). When these circumstances occur in an organization, security managers should immediately change the working conditions because nothing is more important than the lives of people. Working schedules are also very demolishing for the productivity of employees if they are not happy with it. For instance, uneven work schedules might disturb the physiological patterns of the employees resulting in sleep disorders, gastrointestinal problems and other health problems, which include uncontrollable smoking or drinking. Due to these behaviors, employees start remaining absent in the organization and their productivity decreases. Most of the researches indicate that the perception of managers that with long working hours, productivity increases is wrong, in fact, it is vice versa in many cases. If employees get opportunities to work on the time, which suits their mental activity, it increases their productivity. Moreover, it is also a cause of tension and stress in the employees because they spend most of their time and energy only on work rather than other activities that are necessary to keep people fresh and healthy (Sprecher, 1983, pp.107-117). If employees have to devote a larger portion of time to the work, they would not be even able to take some time out for their families because of which there might be some disturbance and difficulties in employees’ personal life. If a person is not happy and satisfied in personal life, he would not able to contribute positively to the work. Therefore, security managers should keep in mind that they are not only responsible to security of organization however the individuals that make up an organization are employees, so they come first when it comes to safety and security. Accidents at work is a troubling eventuality for the organization for it reflects badly on its reputation, also puts the workers at risk. Employees tend to lose confidence in their employers if they feel that the company is not taking enough measures to safeguard their safety. For this reason, it is important that no matter how small the occurrence is, it should be notified and dealt with to avoid such incidents in the future. It may seem like a small gesture on part of the organization to investigate why a worker slipped, but the employees will feel that the company cares for them and thus increase their confidence and trust (Bonehill, 2010). Conclusion Conclusively, where misuse of technology is seen as a chief determinant to the health of an organization’s security system, there are small factors that can also have dire consequences if taken lightly. In order to avoid any problems, a company should be proactive rather than being reactive, this can be possible when the managers will take precautionary steps and not wait long enough for an accident to take place. A thorough risk assessment should be conducted which will highlight the hazardous aspects of the organization and its operations. To conduct an assessment, it is advisable that experts be hired who are familiar with such a procedure and know how to carry such an investigation. Once the problem areas are highlighted, a set of possible solutions should also be furnished which list the probable actions a business can take to overcome its shortcomings. However, a security manager should not become confident after conducting such an assessment, one should know that proper follow up needs to be undertaken with periodic checks to confirm that the company is running smoothly. References Alberts, C. J., & Dorofee, A. J. 2003. Managing Information Security Risks: The Octave Approach. Addison-Wesley Professional. Amit, R., & Wernerfelt, B. 1990. “Why Do Firms Reduce Business Risk?” The Academy of Management Journal, 520-533. Bettis, R. A. 1983. “Modern Financial Theory, Corporate Strategy and Public Policy: Three Conundrums.” The Academy of Management Review, 406-415. Bloom, M. 1998. “Relationships among Risk, Incentive Pay, and Organizational Performance.” The Academy of Management Journal, 283-297. Bodin, L. D. 2008. “The psychology of security: why do good users make bad decisions?” Magazine, 64-68. Das, T. K. 1998. “Resource and Risk Management in the Strategic Alliance Making Process.” Journal of Management, 21-42. Davidson, W. N. 1987. “Large Losses, Risk Management and Stock Returns in the Airline Industry.” The Journal of Risk and Insurance, 162-172. Ericson, R. V. 1994. “The Division of Expert Knowledge in Policing and Security.” The British Journal of Sociology, 149-175. Huber, P. 1985. “Safety and the Second Best: The Hazards of Public Risk Management in the Courts.” Columbia Law Review Association, Inc., 277-337. Jüttner, U. 1990. “Supply chain risk management: Understanding the business requirements from a practitioner perspective.” International Journal of Logistics Management, 120-141. Kouns, J., & Minoli, D. 2011. Information Technology Risk Management in Enterprise Environments. John Wiley & Sons. Lo, A. W. 1999. “The Three P's of Total Risk Management.” Financial Analysts Journal, 13-26. McAdams, A. C. 2004. “Risk management Methods Business performance management Methods Business enterprises Management.” Information Management Journal, 1-8. Rainer, R. K., Jr., C. A., & Carr, H. H. 1991. “Risk Analysis for Information Technology.” Journal of Management Information Systems, 129-147. Roper, C. A. 1999. Risk Management for Security Professionals. Butterworth-Heinemann. Shiller, R. J. 2003. “Social Security and Individual Accounts as Elements of Overall Risk-Sharing.” The American Economic Review, 343-347. Slay, J., & Koronios, A. 2006. Information technology security & risk management. Wiley. Sprecher, C. R. 1983. “Large Losses, Risk Management and Stock Prices.” The Journal of Risk and Insurance, 107-117. Straub, D. W., & Welke, R. J. 1998. “Coping with Systems Risk: Security Planning Models for Management Decision Making.” Management Information Systems Research Center, University of Minnesota, 441-469. Read More