Don’t let small security mistakes cause big issues for your company
In a secure space, or anywhere company security is a concern, there are some security procedures employees often don’t follow. While these mistakes may seem insignificant, they create vulnerabilities in company security, and the more vulnerabilities there are, the more an adversary has to take advantage of.
When employees don’t follow these important security procedures, they become potential negligent insider threats. It’s important for security leaders, especially Facility Security Officers (FSOs), to know what mistakes to watch for so they can address them quickly and stop any potential problems before they get out of hand.
Common Mistakes
Tailgating or Letting in Unauthorized People
Sometimes politeness can stand in the way of office security. An employee may hold open a door that requires a badge, giving an unvetted person access to the facility. If your office has multiple entrances, an employee may let in someone who claims to be there for maintenance or cleaning without that person first checking in or being escorted, if needed. Both are ways an unauthorized person could easily end up in your facility.
Make sure you have an official policy on how these situations should be handled, and regularly train your employees on the policy. Depending on whether you’re a possessing or non-possessing facility, this policy may be that all visitors need to be escorted or that they just need to check in at the front desk and have a visitor’s badge before they can be let into other parts of the facility. Having an official policy enables you to escalate disciplinary action or reporting if an employee has let in someone without knowing if they were authorized.
Leaving Their Computer Unlocked or Badge Out
Often in an office setting, employees may feel they can leave their computer on or their company badge on their desk while they head to the bathroom or have a chat with a coworker. While this may seem like innocuous behavior, it allows people to potentially steal access to information or places. This could be a coworker looking through a cleared person’s computer that was left unlocked, or an adversary posing as a repair person stealing a badge that was left in the open.
Encourage employees to have a designated place to keep their badge that’s on their person or at least not easily grabbable, such as wearing it on a lanyard or keeping it zipped away in a bag. You could also create a department- or company-wide game of it, letting everyone know that if their badge is found left out, a member of the security team will hide it. You can do the same for an unlocked computer, where security team members will replace the person’s background with a funny picture or post a message in their team chat saying they’ve been “hacked.”
By offering multiple forms of security education throughout the year, such as videos, games or posters, in addition to the annual refresher trainings, you can create a security culture. People learn in different ways, so having regular reminders that can speak to different types of learners will be your best chance to make sure your company has robust security.
Failing to Report
Under 32 CFR Part 117, NISPOM, all cleared employees are now held to the reporting requirements of SEAD 3. This includes reporting foreign travel, marriages and certain financial situations such as bankruptcy or an inheritance above $10,000.
Employees forgetting to report something is one of the most common breaches in security procedures. Most often, this is a genuine mistake, and the employee isn’t trying to hide something. For a first offense, you don’t necessarily need to formally report the employee for not self-reporting, especially for something like forgetting to report a trip abroad before leaving. In these instances, you can have a conversation and assign them some more training that covers reporting requirements. However, if this becomes a pattern of behavior, or the employee doesn’t report something more serious like an arrest, it’s time to escalate.
Knowing When to Escalate and Report
In many cases, the first security mistake is an honest one, and you don’t need to immediately resort to reporting the incident. If employees know that any slip-up will lead to them being written up, you may create a culture where people are too afraid to admit when they’ve made even a small mistake. Without self-reporting, your company security will be significantly worse off.
When they commit a minor security violation, give them the benefit of the doubt and start with a warning and a conversation. Make sure they understand the mistake they made and how it can affect company security. Assign them further training, placing the focus on education. Ideally, you will create a moment they will remember, and that will keep them from making the same mistake twice.
While the benefit of the doubt is important, you also can’t be afraid to escalate, especially if the employee’s rule-breaking is a pattern of behavior rather than a one-time thing. Airman 1st Class Jack Teixeira, the man who leaked national defense information earlier in 2023, was repeatedly warned about mishandling classified information in the months leading up to the leak. However, according to CNN, his behavior wasn’t formally reported, allowing him to continue to access information.
When the employee breaks a more serious rule or is still ignoring security procedures after talking with you and receiving further training, it’s time to report. While you don’t want to be so strict that people are afraid to come forward, consequences are necessary to keep your company secure.
Start with the Why
When it comes to getting employees to care about these rules, it starts with making them understand why they matter. In your trainings, make sure you give them real-world examples of how the creation of these vulnerabilities can affect companies and personnel. Getting people to care about maintaining company security will greatly increase the odds that they follow the procedures in their day-to-day routines.
If you’re looking for help in creating engaging and effective trainings for your cleared personnel or need someone to help shoulder some of your responsibilities so you can focus on your security culture, Adamo’s FSO support services may be the right fit for you. Our team of experts can be your partner in security, advancing your goals and taking on tasks including trainings, help with your annual inspections, and management of personnel clearances.