Friday, 31 August 2012 20:01

How to balance convenience and compliance

In the past, a company’s employees were generally employees for life; there was little danger of them leaving, and if they did, the technology didn’t exist for them to take information with them.

Today, however, the average employee will hold eight to 10 jobs over his or her professional career, and if you don’t take the proper precautions, employees could take your data with them when they leave.

“Today’s ‘migrant worker’ is smarter and comes with strong skills sets, which necessitate more sophisticated data requirements regarding employee identity security,” says Steve Carter, president and CEO of ii2P.

Smart Business spoke with Carter about the importance of employee identity security and how to balance convenience and compliance.

Why should employers be concerned about employee identity security?

Businesses have three types of security needs: physical, data and employee identity. Physical security involves a company’s structure and its hard goods, data security relates to proprietary business or financial information and employee identity includes access to e-mails and network drives, and authorization to post information on the Internet. Employee identity security is just one leg of a three-legged stool that makes up corporate security.

Employee identity security is critical in today’s economy because of the changing face of the work force. This is the age of the ‘migrant worker.’ The employees who are working for you today will most likely be leaving your employment at some point for another opportunity. As a result, managing employee identity while those workers are with you is a fundamental protection that every company must have in place to reduce corporate vulnerability. Equally important is taking precautions to freeze employee identity when someone leaves your company so that he or she doesn’t take that to another job.

What specific challenges do small and medium-sized businesses face regarding employee identity security?

There is a fundamental balance to consider in terms of employee identity security relating to convenience versus compliance — convenience for the user versus compliance for the organization. Larger organizations are very good at forcing employees to comply with strict IT policies regarding identity security. However, this approach can backfire as users try to circumvent policies because adhering to them is inconvenient.

Conversely, with smaller to mid-sized organizations, there may be no one who is creating and monitoring policies. Without controls around necessary security policies in place, identity protection is left in the hands of individual employees, which can cause a litany of problems. Without protections in place, employees may decide that convenience is more important to them than compliance, resulting in the use of the same password for a company’s restricted database that contains sensitive financial information as for their individual social media accounts.

To deal with these concerns, small and medium-sized organizations often shift the responsibility of identity security to an outsourced IT vendor. In theory, this is a practical plan, as it puts someone in charge of security. However, this may not always turn out as planned. For example, if employees are working on a project after hours and are locked out of some critical system, they need their password reset quickly. And if the outsourced security provider is unavailable, employees may revert to using their personal passwords, putting weaker identity security back in the hands of the employees.

What is the cost for a small or medium-sized organization to invest in solid employee identity security?

Because of differences in size, complexity and requirements, there is no one right answer. Research has shown that enterprise investment in employee security costs the average company between $500 to $600 per user per year.

Many small or medium-sized organizations can’t afford this cost and, as a result, make no investment and expect employees to keep their own identity secure. However, this is a dangerous practice and is not a recommended approach, as it leaves companies vulnerable to security breaches.

What can small and medium-sized companies do to provide better employee identity security?

Start by standardizing security policies across the business infrastructure. Don’t have 10 different password management systems and 10 different login systems. This may sound like common sense, but it is a step that is often lacking in organizations.

The second step is to enable employees to manage their identities on their own but within the constraints of the standardized policies of the company. If employee identity is a rail system, then standardized policies represent the rails. Employees are allowed to throttle how fast they want to go and they can paint their train blue or red or green, but they must stay between the rails while maintaining their own identity. This provides employees with convenience but also ensures that they adhere to the company’s security policies.

How should employee identity security align with data security?

There is going to be turnover in your organization, so it is crucial to make certain that proper user authentication is aligned tightly with employee identity. Simply put, this means that while employees have the ability manage their personal identity, they only have access to pertinent information that is relevant to their job.

When an employee leaves, that person’s identity needs to be frozen and any access he or she had to corporate data must be shut off.

Steve Carter is president and CEO of ii2P. Reach him at (817) 442-9292 or

Insights Technology is brought to you by ii2P

Published in Dallas