When your firm does job interviews, here’s a topic that I’ll bet never comes up: how much does the applicant know about protecting confidential company data? Yet it’s high time that you started asking about this.
The past two decades have seen a surge in the dependence that businesses have on intangible assets. Information now accounts for the majority of a company’s value: up to 80%, estimates information-management specialist Robert Hillard in Information Driven Business. And a Forrester Research study, “The Value of Corporate Secrets,” estimated that confidential data accounts for more than 60% of this value. So security breaches aren’t just a minor annoyance, but a threat to the company’s most valuable asset.
Other research shows that employees account for a remarkably high share of security breaches. According to “IT Risk/Reward Barometer,” a study of Canadian IT and business professionals by the Information Systems Audit and Control Association, the vast majority of respondents reported that up to 40% of security breaches occur as a result of employees using work devices for personal purposes. And 53% of respondents believe that employees’ use of work equipment for personal purposes is causing security issues.
Most companies have policies in place, such as the ubiquitous Acceptable Use of Technology Policy, covering IT security and data protection. Yet the fact that employee breaches of these policies are so widespread shows that it’s not enough simply to adopt a policy. Your workforce must also be aware of how important it is to protect confidential data and their critical role in doing so.
If you hire people who don’t already have this awareness, you’ll have to spend time and money educating them about the importance of IT security, then teach them best practices for safeguarding confidential data. Even then, as with any training program, for some of your new hires that learning will go in one ear and out the other.
Fortunately, there’s a better way. You should use job interviews to identify potential hires who already know and care about protecting confidential data. Here are four ways to do so:
Ask the applicant about his understanding of privacy principles as they apply to their current or previous employer: Unless you’re hiring a legal professional, don’t expect the ability to regurgitate the specifics of privacy law. However, most jobs today entail some kind of privileged access to information, whether the person will be working as a call-centre agent, security guard or graphic designer. Look for a summary understanding of how businesses collect information, store data, protect access to customer and other sensitive records, differentiate among various kinds of sensitive data and dispose of data in a responsible manner. For an overview of privacy principles, there is no better reference than the Office of the Privacy Commissioner of Canada.
Ask the potential hire to offer examples of how security measures protect sensitive information: Pose questions to gauge her understanding of what’s involved in working from home. Are there different measures that can be used to compensate for the fact that she’s connecting over the Internet, potentially from her own computer? An encrypted virtual private network (VPN) may be something she would consider based on past experience. What information can she access from home vs. work, and what are the kinds of sensitive data she should not be able to take home?
Job candidates don’t need to be able to explain the technological aspects of secure internetworking, unless the job description requires it. But they should be aware of the existence of security controls for the purpose of protecting sensitive information of different kinds, such as financial, client, health data, press releases, trade secrets and meeting minutes.
Find out how the candidate would deal with a suspected data breach: The answer can be simple, ranging from verbally reporting the suspected breach to a superior to filling out an incident report. Look for a candidate who shows care and understanding about protecting his employer’s business assets, because this will go a long way toward limiting the damage if and when breaches do occur. Employees who are passive, uninterested or otherwise unmotivated to do anything about suspected incidents are not an asset to a company, even if you do give them proper training in this area.
Probe to determine whether the candidate understands security basics: Use the interview to cover password sharing, off-site data, use of mobile storage and any other areas your company feels particularly strongly about. It’s not an onerous requirement to expect your employees to be aware of the risk of sharing their personal password with co-workers, leaving sensitive documents on their desk at the end of the workday or taking work home without encrypting confidential data. But many employees can’t be bothered to do these things.
When you ask about good security habits, look for answers that show that the candidate appreciates the responsibilities that accompany the privileged access to data they’d be given in the job. Would she click on a link if asked to do so by someone who appears to be legitimate? How does she handle the pesky task of remembering all her passwords? (Hint: writing them on a Post-it Note and sticking it on her monitor is a bad answer.) If she found a USB key in the parking lot, would she plug it into her computer to see what’s on it or first show it to the IT department? Aside from the specifics of her answers to these questions, look for a sense of how receptive she would be to the enforcement of policies intended to protect company assets.
Claudiu Popa is a corporate security and privacy-risk advisor, and president and CEO of Informatica Corp. He is also co-author of The Canadian Privacy and Data Security Toolkit (Canadian Institute of Chartered Accountants, 2009) and Managing Personal Information (Reuters, 2012).