Document Security For Your Business

Dollarphotoclub_66292214

In today’s competitive environment, securing your data is critical and not just your online data that has been shown to be easily accessible by the right individuals but you also need to think about your documents – the pieces of paper that we still rely on.

I read an interesting article on ARS Technica the other day about AT&T Fined $25m for Data Breach after employees at an outsourced call center stole and subsequently sold customer data. While outsourcing is popular, how do you know how your data is being handled? Is someone making note of the data? Are there any safeguards in place to monitor (abnormal) data usage/queries?

In recent years another trend has been BYOD or Bring Your Own Device. While this may appear to cut costs for companies trying to eek out higher and higher returns and profits BYOD brings with it many hurdles for IT departments. Just search Google for the risks and benefits of BYOD to read both sides of the discussion.

Fact is we still rely on paper, and print out documents to simply pass them around and finally they end up in the garbage or recycle bin (hopefully in the recycle bin). But that paper could be gold in the right hands – paper creates risk.

According to DataLossDB (DataLossDB – Open Security Foundation), statistics published found that incorrect document disposal accounted for 6% of data breaches, e-mail accounted for 3%and stolen computer or laptop accounted for 14%. So paper handling while seemingly insignificant accounted for 6% of data breaches.

Who was committing these breached? Insiders – when looking at incidents by vector, accidental breaches by organization insiders accounted for 18% of the breaches. While the statistics do not point out what information is breached or how your people are part of the risk equation.

Overall the trend (according to DataLossDB) seems to be going down in terms of data breaches. Since 2006 data breaches escalated to a high point in 2012 from 643 reported to over 1,660. In 2015 that number fell to 1,037 – so either we are getting better at protecting our data or fewer organizations are reporting their breaches, hopefully the former. Public companies may report on data breaches to protect their customers (such as Target, Adobe HomeDepot US) but smaller companies and private companies are probably not reporting these breaches.

Document security – not just digital security but paper – needs to be an important part of your overall risk strategy, consider the type of documentation your business may be producing:

  • Sales figures and presentations
  • Contracts
  • Employee information
  • Business strategy
  • Plans, designs and blueprints
  • Proprietary procedures, processes and methodologies
  • Legal documents
  • Training documentation

While at first glance these may not seem important, but they can be. Consider presentations that are given for internal use, information found on these might be valuable to competitors or may provide insight into how the company is run and open the door for competition where there may be little to none currently.

Contracts are also critical, since they generally provide the key working information for all parties involved, including such confidential items such as pricing, or terms. Contracts may also include information about insurance, subcontracting and may even list client information.

Securing and destroying paper is critical in any business, and like every other asset should be handled correctly.

Destroying paper securely should be an easy proposition, but consider what you are doing today:

  • Is it being put into the general recycle box?
  • Are you using secure recycling services?
  • Do you use a commercial grade cross-cut shredder?
  • Do you just throw it out?

The simplest, and most cost effective method is to use a shredder, for business use a good quality cross-cut shredder should not cost more than $1,000.00.

If you decide to use a recycling service, ensure that it is a secure service rather that putting paper into your local municipalities recycling program.

It is also a good idea to put in guidelines for what type of documentation should be printed, and how it should be handled – what may seem like common sense can sometimes be far from it.

You may want to consider putting your networked printers behind a password for the general office so that all requests to print can be monitored

If you move to a paperless office, then ensure you have the right tools for your employees to make that leap. Online document storage and management allows you to track who is looking at documentation that may be critical to your business operations. Tools like PDF creators allow employees to convert their Office documents to more secure PDF formats that can contain encryption and a higher level of password protection.

Data security isn’t only protecting your online data – but also protecting the offline data, namely the paper that is being pushed.

How To Discipline Your Employee

anger boss and woman

Lets face it, having to discipline an employee is tough especially if you are a new manager even seasoned managers may find it difficult. There can be many reasons to discipline an employee:

  • Performance issues
  • Behavioral problems
  • Excessive absenteeism
  • Tardiness
  • Failure to notify on an absence
  • Rude or abusive language in the workplace

The list of reasons to discipline an employee are endless, and probably only limited to the employees imagination. Some of the reasons for discipline can be negated somewhat if you let your new employee know what is expected of them during the on-boarding process, such as providing the organizations policy regarding sick, late and other common events. Once you have identified an issue that requires you to take action, two important steps need to be taken before meeting with the individual.

  1. Investigation. Don’t falter on this step, and ensure it is concise. This is the most important part of the discipline process. As the manager you are going to gather facts and evidence to determine what has taken place. You may need to gather evidence such as witness statements from other team members, documentary evidence. Most of this evidence will be gathered by speaking to those that may have witnessed the incident and remember to include the employee that is part of the investigation – you need to hear their side as well.
  2. Once you’ve completed your investigation, and have your facts organized the decision to discipline can be made. It is important to note that discipline should never be done in a vacuum – you should consult with other people in management including Human Resources. You need to take a lot into account including things like the employee’s past record, the severity of the incident and whether the employee was provoked. Discipline can be administered verbally but should always be followed up with something in writing.

There are two methods frequently used to handle discipline:

  1. Corrective discipline
  2. Progressive discipline

Corrective discipline would typically be used in cases of absenteeism or tardiness – the employee is expected to correct the behavior immediately – not over time. Progressive discipline involves working with the employee through a series of corrective actions, and coaching and is typically used with performance or other job-related issues. Progressive discipline also follows a set of procedures, hence the term “progressive”:

  1. Coach the employee about the issue
  2. Verbal warnings
  3. Written warnings
  4. Suspension or termination – depending on the situation
    • ALWAYS done with HR in tow!

The actual discussion with the employee can also be handled in several ways, typically going from verbal discussions, to written warnings, suspension and finally termination – again, remember to keep HR involved. Terminating an employee should be a last resort you always want to try and salvage the relationship. No matter what method you use it is important to document the interaction, this is done to protect employee rights and prevent legal action. Documenting the issue, and resulting disciplinary action also makes it easier to move from one step to another – for example from a verbal discussion regarding tardiness to a written warning. Miss one step and you have to start from the beginning. Getting off the initial stage fright can be easy with a little bit of preparation. There is only one thing you need to absolutely remember when having the discipline conversation with an employee: get your facts straight. If you have your facts and can back them up then your conversation will go over much better than if you go in without all the facts and try to establish authority. Getting your facts straight is one of the most important part of the conversation, if you don’t know have your facts you will come off like an idiot and will undermine yourself – believe me, your employees will talk among themselves and none of it will be flattering. When you have decided that you need to talk about a certain behavior (also lets get this straight, you are disciplining for the BEHAVIOR not the individual – you should never be attacking the person), you need to keep several things in mind:

  1. Get your facts straight
    1. What is the incident in question?
    2. When did it happen?
    3. Who else was present?
    4. What was the result of the incident?
  2. Remember that you are going to discipline for the unwanted behavior, these conversations should never attack the individual. As a manager you need to be above reproach and lead accordingly.
  3. Involve HR early in the process. You should keep HR in the loop with what is going on, depending on your reporting structure you could find your conversation in HR. They will be able to provide tips to you and may help with structuring the meeting with the employee.
  4. Document, document and document. This goes hand-in-hand with number 1 – always document the incident. As you speak with the individual, document. Once you’re done document.
  5. Keep copies of the conversation for your records, for HR and for the employee.

As you work through the discipline process, you also need to remain consistent. Any slip-up means you may need to start the process all over. You also need to remain consistent from one employee to the next, any deviation will be seen as favoritism and make dismissal that much more challenging – either before or after — remember the employee has the right to see a lawyer regarding their dismissal and will present the facts to the lawyer. As a company your minimal severance could become something substantial (see also this website, and also this website, oh and this story also and finally here is an article on a large severance paid out by the City of Vancouver to its terminated City Manager – and finally if you want to do-it-yourself without hiring a lawyer visit the Fired Without Cause website). Disciplining an employee can be difficult, however with the right amount of preparation and getting the support of your senior managers and HR the task can become less stressful. It is always important to remember that you are trying to correct a behavior, and the goal is to salvage the employee-employer relationship – terminating the employee should always be the last resort.