On a recent Sunday, the Philadelphia Inquirer shocked our local community by stating the obvious: “Even after the carnage at an Amish school in Lancaster County last week, a spot check by Inquirer reporters found a surprising number of security lapses at schools across the region. In spite of rules aimed at limiting public access, reporters who fanned out on a single day walked into more than a dozen schools unannounced and without being challenged.” (“Schools Caught Short on Security,” The Philadelphia Inquirer, October 8, 2006)
Many people think that security is the security manager’s issue. However, in a recent blog post, I stated: “You can’t rely on your employees and consultants to use common sense when it comes to your company’s security. Remember to continually communicate the boundaries of permission to remind everyone that safety and security are team issues.”
In the case of the school security breaches, well-meaning teachers and students, as well as hapless employees and contractors, provided unauthorized and unsupervised access. Luckily, the intruders were reporters; there were no casualties other than reputations and peace of mind.
To understand why this security lapse is particularly astonishing at this time, here is the background for those who don’t live in Pennsylvania and may not know: A gunman had recently invaded a one-room Amish schoolhouse, killing 5, severely injuring 5, and traumatizing the whole community. Subsequently, the often-repeated message has been: if this can happen at that one-room schoolhouse in the middle of the countryside in a peace-loving community, it can happen anywhere. We should step up efforts to keep our kids safe because of the high likelihood of copycat crimes.
These security lapses occurred at a time of heightened security. If a murderer had come sneaking in the side door, the consequences would have been deadly. While most of us don’t have to worry quite this much about our policies and procedures, it made me stop and think.
There were policies in place at all of the schools. Some of the policies were better than others, but each had security policies. When questioned, school authorities stated that there were policies that were not followed. For some reason, it seemed as though some felt that this settled everything, though I was left with many questions:
* Are the procedures written in light of actual practices? Are they practical?
* Who is responsible for verifying that policies and procedures are followed?
* How is accountability ensured?
* What is the personal consequence of causing a security breach?
* How are the policies and procedures communicated, and how can we be sure that the involved parties understand them?
* What are you doing to make sure that these kids are safe, both now and in the future?
* How are updates communicated?
You can use these questions to consider the effectiveness of the security policies and procedures for your business as well. (There are many kinds of policies and procedures; this discussion focuses on security.) Many people view policies and procedures as an unpleasant set of paperwork that is at times needed for regulatory or legal reasons. However, policies and procedures should be meaningful roadmaps to better business practices.
In the case of security, the documents are “organic”. The procedures will change with advances in technology, or changes in criminal behavior. Policies and procedures are purposeful; when it comes to security, following policies and procedures should prevent or limit loss. However, misunderstandings can instead cause confusion and create risk.
The good news: There are many things that you can do to create a framework for success and thwart would-be crimes; put your documentation to work! You can use the following suggestions to ensure that your policies and procedures aren’t just sitting in a drawer collecting dust.
If you don’t have policies and procedures in place, begin with your most pressing concerns. You can update documents later as needed, but it’s important to gain and keep momentum or the project will stall. Once the writing begins, you will immediately find gaps and broken processes that need to be addressed. If a manager is doing the writing, he or she is likely to have starts and stops as attention is given to management issues. This can be frustrating.
Many managers enjoy outsourcing the work to a writer so that they can fix processes quickly without affecting the project schedule. Most technical writers offer free estimates and are happy to discuss your project with you. You may also request quotes from more than one company to comparison shop.
Create a communication plan. For instance, send out a section per week for review instead of one overwhelmingly large document, and meet later in the week to discuss that section.
Make information relevant. The best way to do this is for the manager to write a follow-up note or lead a discussion regarding the manager’s specific concerns with the team. For example, “Procedure 3.1 states that company laptops must be secure, but it doesn’t elaborate. As part of the sales force, your laptop travels with you and security is really essential here. These are the types of things that I feel are necessary to improve physical security, as well as data security…” In this way, the employees are relating the procedures to their own personal experiences and situations.
Cover all your bases. Make sure that there is a system in place to thoroughly disseminate the information. In this case, schools needed to communicate with teachers, other employees, students, parents, and contractors. When you need to educate a broad audience, you must have a plan. Don’t assume that people will pick up the information by osmosis.
Reinforce the information. Using training classes, online quizzes, and class discussions reinforces the concepts and gives people a chance to apply their new knowledge. Providing employees with job aids, such as quick reference cards, will also help them to gain proficiency.
Allow for input. Hold employee roundtable discussions or encourage employees to provide input to the managers. In many respects, employees are your first line of defense against disaster.
Establish accountability. If a person knows that there will be random security checks, he/she will be much more likely to self-check. It’s human nature. Along the same lines, managers who create a compliance audit plan are more likely to follow up than those who do not.
Apply the rules to everyone. I have heard it said that managers who feel that the rules don’t apply to them create the biggest risk to corporate IT security. In fact, the clearance held by top executives means that they are the greatest risk, and they should probably be even more careful (not less).
Be ready to take action. Treat security breaches with speed and commitment. You don’t want to be overly punitive, but you also don’t want to be a haven for scofflaws who aren’t working with the rest of the company to keep everyone safe. More than likely, if you are prepared to follow through with those who are breaking policies, you won’t have to.
Review your business practices at the slowest time in your annual sales cycle. The mere existence of this set of documents does not automatically improve practices. Policies and procedures only work if they are accurate, relevant, and known.
When teams work together, crimes are prevented. Well-written policies and procedures bring unity and understanding, keeping people and possessions safe. When security is breached in spite of these efforts, a well-thought-out backup plan will ensure that the problem is resolved as quickly and as painlessly as possible. Far from being a distraction, when written with respect and participation, the development and implementation of policies and procedures have a positive effect on job performance, safety, and productivity.