When your firm does job interviews, here's a topic that I'll bet never comes up: how much does the applicant know about protecting confidential company data? Yet it's high time that you started asking about this.
The past two decades have seen a surge in the dependence that businesses have on intangible assets. Information now accounts for the majority of a company's value: up to 80%, estimates information-management specialist Robert Hillard in Information Driven Business. And a Forrester Research study, "The Value of Corporate Secrets," estimated that confidential data accounts for more than 60% of this value. So security breaches aren't just a minor annoyance, but a threat to the company's most valuable asset.
Other research shows that employees account for a remarkably high share of security breaches. According to "IT Risk/Reward Barometer," a study of Canadian IT and business professionals by the Information Systems Audit and Control Association, the vast majority of respondents reported that up to 40% of security breaches occur as a result of employees using work devices for personal purposes. And 53% of respondents believe that employees' use of work equipment for personal purposes is causing security issues.
Most companies have policies in place, such as the ubiquitous Acceptable Use of Technology Policy, covering IT security and data protection. Yet the fact that employee breaches of these policies are so widespread shows that it's not enough simply to adopt a policy. Your workforce must also be aware of how important it is to protect confidential data and their critical role in doing so.
If you hire people who don't already have this awareness, you'll have to spend time and money educating them about the importance of IT security, then teach them best practices for safeguarding confidential data. Even then, as with any training program, for some of your new hires that learning will go in one ear and out the other.
Fortunately, there's a better way. You should use job interviews to identify potential hires who already know and care about protecting confidential data. Here are four ways to do so:
Ask the applicant about his understanding of privacy principles as they apply to his current or previous employer: Unless you're hiring a legal professional, don't expect the ability to regurgitate the specifics of privacy law. However, most jobs today entail some kind of privileged access to information, whether the person will be working as a call-centre agent, security guard or graphic designer. Look for a summary understanding of how businesses collect information, store data, protect access to customer and other sensitive records, differentiate among various kinds of sensitive data and dispose of data in a responsible manner. For an overview of privacy principles, there is no better reference than the Office of the Privacy Commissioner of Canada.
Ask the potential hire to offer examples of how security measures protect sensitive information: Pose questions to gauge her understanding of what's involved in working from home. Are there different measures that can be used to compensate for the fact that she's connecting over the Internet, potentially from her own computer? An encrypted virtual private network (VPN) may be something she would consider based on past experience. What information can she access from home vs. work, and what are the kinds of sensitive data she should not be able to take home?