I know in my last post I said I would talk about the value of our data to thieves, but I wanted to weigh in on one other subject first.
When it comes to a company initiating a policy regarding sensitive information and employee responsibilities, I repeatedly run into the issue of corporate or management participation.
It is absolutely essential for management, whether a board of directors, company president, or owner, to totally commit to the implementation of the policy. The policy must be a part of the business's commitment to excellence and an integral part of daily procedure. The policy needs to be understood by everyone in the company in order for the "culture of security" to work.
I like to rant on about training, but there is a reason. When it comes to data security, the human factor is the most critical link. Staff need to understand both the what and the why of the procedures they are supposed to follow. Management will set the tone by their participation. If management is ambivalent, then the employees will take the same attitude. If management is engaged, then the employees will be too. Fortunately, more executives are seeing the benefit of a non-public information policy and training. Such a policy and training will greatly enhance the business's confidence that everything that can be done is being done to avoid data loss and theft.
With all of the national press about identity theft, the public is very wary of businesses losing important information. The savvy business owner can actually benefit in the marketplace by showing the attention they are giving to this issue in ads and press releases.