help! my department is ignoring our own security policies

A reader writes:

My company has a written security policy requiring us to authenticate all requests we receive by phone or email before acting on the request or releasing any non-public information. This is a good policy, and necessary to protect both my company and our clients. All employees were required to sign an acknowledgement that we are aware of the policy.

Unfortunately, this policy is completely, totally, 100% ignored in my department. It’s not merely that we don’t follow it. It’s that absolutely no means exists by which we could follow it. There is no method whatsoever available to us to confirm that anyone who calls or writes really is who they claim to be — we take their word for it because we really have no alternative (unless doing absolutely no work could be considered an alternative).

Needless to say, this is a security vulnerability just waiting to blow up in our faces. I’ve mentioned it in email to both of my managers, and both of them failed to reply. Now, to my question (a 2-parter):

1. Is there some way I can approach this with management to get some action? I would like us to move toward a place where we can authenticate people and act in a way that protects both us and our clients. I see no progress (or even attempts at progress) on that front.

2. What steps do I need to take to protect myself? Sooner or later, an information leak is going to occur (assuming it has not happened already), and I don’t want to lose my job, or worse, be legally liable. With every call and email I respond to, I am in violation of a written company policy. Unfortunately, I have no alternative, as no authentication mechanism exists, and it’s impossible to perform any aspect of my job without responding to calls and emails.

It’s bad enough when companies have policies that they don’t bother to follow, and it’s even worse when the policy is an important one.

Start by talking with your manager. You say that you mentioned it in an email and got no response – but that’s not really the same as talking about it. Email is easy to inadvertently ignore or overlook, and it’s not well suited for important conversations.

So talk face-to-face. But when you do, it’s important to realize that your managers may have a different outlook on this than you do. They may have assessed the risk, assessed the resources needed to put in place a mechanism to allow you to authenticate people, and decided that – for right now, at least – the better business decision is to live with not being able to authenticate. And if that’s the case, chances are fairly good (although not certain) that they didn’t make this decision on their own, but with the involvement of people above them. In other words, it’s possible this is a deliberate trade-off that the company is making right now.

Or, that might not be the case at all. This might truly be an urgent issue that would be addressed immediately if the proper person knew about it. But because you don’t have the same context as your managers have, you shouldn’t default to assuming the latter – you want to account for both possibilities as you proceed.

That means that while you should absolutely talk with your managers about this, you should do so not with a tone of “this is an urgent crisis that you’re neglecting!” but rather a tone of “this has been concerning me and I wanted to talk to you about it.”

If you talk with them and are told that they’re aware of the situation but that they’ve decided it’s okay not to enforce the policy for now, then it’s reasonable to say something like, “I feel a bit odd violating a written company policy with all the calls and emails I respond to, and I worry about being held accountable for that if an information leak does occur at some point. Would it be possible to update the policy so that it reflects how we’re actually working, so that we’re not in the uncomfortable position of doing the opposite of what it says?”

If they’re good managers, they should agree with you on the need to do this. But if they don’t, you can document your conversation by sending them an email afterwards, saying something like, “I want to confirm that we talked today about our policy on authentication and the fact that we can’t currently authenticate customer calls and emails. I’ll be following your guidance not to worry about authenticating until/unless I hear otherwise. Thanks for talking with me about it!”

That might be the best outcome that you can hope for in this situation, but at least you’ll have raised the issue to the attention of the appropriate people and covered yourself in the event of a future problem.


  1. anon-2*

    Cover yourself. In writing. The worst thing that can happen is you’ll lose your job.

    Because, when it hits the fan, especially if you’re verbally told to do something

    1) “I was just following directions/orders” will not work as a defense. “You’re a smart guy/gal, you shoulda known.”

    2) I have been in situations like this where management gives a verbal order that has an aroma with it — and does not give the order in writing – to cover themselves.

    3) If / when things hit the fan – you’re going to learn two things —

    a) it’s every man for himself (or woman for herself)
    b) Don’t expect assistance from corporate counsel. They’re only interested in protecting the company – NOT YOU.

    Finally – you don’t want to be involved in a corporate scandal. That’s a skunk spray that follows you around. Potentially forever.

    Good luck.

    1. Jessa*

      This totally. Cover yourself. Send an email confirming stuff. Keep a copy (if you have the authority to send email outside the building – some people don’t,) BLIND copy yourself outside the office. It’s very easy for the company to delete an email from their system if it hits the fan hard on them (if they’re crosswise some legal obligation or federal regulation.)

  2. Chinook*

    I have to ask, are there state or federal laws around the privacy of information held by an organization? If so, there would be guidelines available that you could bring to your department head. I see this from a Canadian perspective where what you say is required by both Canadian (FOIP) and Alberta (PIPEDA) law.

    What this means is that the requestor must answer specific questions about their account before information is released.

  3. Jamie*

    This situation horrifies me – but fwiw I think the OP is pretty great.

    I’d love to work with anyone who is aware of the policies that govern their work, knows why they matter, and is bothered when they are dismissed without explanation.

    I have nothing to add to Alison’s advice, which I would follow if I were the OP, but just wanted to let the OP know that while this situation may suck right now your instincts on this one say a lot about your character and will hold you in good stead elsewhere in your career.

    1. The Other Dawn*

      I agree. This situation horrifies me also; I’m the information security officer at the bank I work for. Hopefully whoever wrote that policy is aware and has documentation as to why OP’s department can’t follow the policy. Auditors would have a field day if, in fact, no one has realized the policy isn’t being followed and why.

  4. Gemma*

    Interesting – I’m a consultant and I do quite a bit with infosec (not a pitch: I’m not in the USA)

    OP is there a specific reason why the requests can’t be authenticated by the usual security questions process or is this data held to a standard (like a clearance level or internal check) in which case the clearance should be something you can check. Could you have authorised email addresses requests need to come from? Is the data you’re releasing even sensitive enough to need to be covered by this part of the security policy?

    While Alison has some great advice the problem solver in me desperately wants enough detail to tackle this.

    1. Jamie*

      Hee. As an old hand at policy writing who makes damn sure my policies are able to be implemented and followed I also have the itch to solve this.

      I understand the need for lack of details – but this is a puzzle screaming for a solution and it’s making me twitchy. :)

      1. Jessa*

        I had the exact same thought. If there are accounts attached to these requests is it not possible to ask for the same verification you do from a phone call? Does the OP not have access to the master data? I’m totally itching to find a solution for this.
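The two mechanisms Gemma and Jessa ask about (requests only from authorised sender addresses, plus the account verification questions used on phone calls) can be combined into one check. The following is an added example, not code from the post or from any commenter; the account ids, sender addresses and verification answers are constructed, and the salted-hash answer store and the `required_correct` threshold are my assumptions about how such a department might implement it.

```python
"""Added example: authenticate an inbound request before releasing non-public
information. Sender allowlist + knowledge-based verification, with every
failure reason recorded so the outcome can be logged for audit.
All accounts, addresses and answers below are constructed sample data."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed allowlist: which sender addresses may make requests for an account.
AUTHORISED_SENDERS = {
    "acct-1001": {"ops@client-a.example"},
    "acct-1002": {"records@client-b.example", "backup@client-b.example"},
}


def _hash_answer(answer: str, salt: str) -> str:
    # Normalise whitespace and case so "Main Street" and " main street "
    # compare equal, then salt and hash so the store does not reveal answers.
    norm = " ".join(answer.strip().lower().split())
    return hashlib.sha256((salt + norm).encode()).hexdigest()


def enrol_answers(answers: dict[str, str]) -> dict[str, tuple[str, str]]:
    """Build a (salt, hash) entry per verification question (assumed store layout)."""
    store = {}
    for question, answer in answers.items():
        salt = secrets.token_hex(8)
        store[question] = (salt, _hash_answer(answer, salt))
    return store


# Constructed verification store: answers the requester must know about the account.
VERIFICATION_STORE = {
    "acct-1001": enrol_answers({"postcode": "T5J 0N3", "last-invoice": "INV-7731"}),
    "acct-1002": enrol_answers({"postcode": "M5V 2T6", "last-invoice": "INV-0042"}),
}


@dataclass
class Decision:
    release: bool
    reasons: list[str] = field(default_factory=list)


def authenticate_request(account: str, sender: str, answers: dict[str, str],
                         required_correct: int = 2) -> Decision:
    """Release only if the sender is authorised for the account AND at least
    `required_correct` verification answers match. Returns the decision with
    the reasons for any refusal, suitable for writing to an audit log."""
    decision = Decision(release=False)

    if sender.lower() not in AUTHORISED_SENDERS.get(account, set()):
        decision.reasons.append(f"sender {sender!r} not authorised for {account}")

    correct = 0
    for question, (salt, expected) in VERIFICATION_STORE.get(account, {}).items():
        given = answers.get(question)
        if given is None:
            decision.reasons.append(f"no answer given for {question!r}")
            continue
        # Constant-time compare so response timing does not reveal which
        # answer was wrong.
        if hmac.compare_digest(_hash_answer(given, salt), expected):
            correct += 1
        else:
            decision.reasons.append(f"answer for {question!r} did not match")

    if correct < required_correct:
        decision.reasons.append(f"only {correct} of {required_correct} answers verified")

    decision.release = not decision.reasons
    return decision


if __name__ == "__main__":
    ok = authenticate_request("acct-1001", "ops@client-a.example",
                              {"postcode": "t5j 0n3", "last-invoice": "INV-7731"})
    bad = authenticate_request("acct-1001", "someone@else.example",
                               {"postcode": "T5J 0N3", "last-invoice": "INV-7731"})
    print("release:", ok.release, ok.reasons)
    print("release:", bad.release, bad.reasons)
```

Both checks are evaluated even after the first one fails, so the audit record shows everything that was wrong with a request rather than only the first problem; an unknown account simply has no authorised senders and no stored answers, so it can never pass.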

  5. The IT Manager*

    You say that you mentioned it in an email and got no response – but that’s not really the same as talking about it. Email is easy to inadvertently ignore or overlook, and it’s not well suited for important conversations.

    +1000

    Don’t assume the worst of bosses yet. It could be that your email is such a hard problem for them to solve that it has simply been back-burner-ed to get to as soon as there’s time. I’m projecting, but until recently I was overwhelmed with putting out fires and some harder issues that required thought (or simply longer email responses) lingered in my Inbox for an embarrassingly long time because there was never time to get to deal with it.

    Specifically on topic: I agree with others that it’s great that you care enough to bring this issue up and not ignore it like everyone else around you is.

  6. ThatFormerHRGirl*

    Ugh, this kind of stuff drives me insane!! One of the things that has kept me up all night in my current department at Company I’m About to Leave in 2.5 Days is that although we have a policy that states we can NOT transmit SSNs over email (fax or verbally by phone only), people do it ALL. THE. TIME. How is this so hard to follow, and how can people not understand the risk. I guarantee if it was their information potentially getting leaked/hacked they’d be PISSED.

    Ugh – thanks for the vent :)

  7. Michael*

    I’ve found policies like this that aren’t widely followed, even by management, are interestingly ever-present should you fall out of favor with your boss and are quickly used to justify disciplinary actions. You’ve already raised the point with those you report to, though a face-to-face follow-up is in order. Personally, I would strongly consider looking elsewhere having been on the receiving end of the treatment I just mentioned. Oh, and should you point out that no one, including the guy handing down a reprimand, follows the policy that always-golden response of “that’s no excuse” stings particularly well.

    1. Lindsay*

      Yes. My last job I got fired for doing things that others do every day.

      One of them was “voicing negativity about my job in front of subordinates”. I asked my boss how he could possibly cite me for that when he did the same thing constantly – made comments about people who frustrated him, complained about not being paid enough, went on the computer and searched job sites in front of me and talked about how he was looking for a new job where he didn’t have to devote his whole life to the job – to a much greater extent than I did (I made one ill-advised comment one time, I was asked by one manager to do something, and then by another manager to do the opposite and said “You know, I just can’t win with these guys”). He then proceeded to justify why it was okay for him to be frustrated and unhappy while I got the “that’s no excuse”. I called him a “f***ing hypocrite” in that conversation, probably not the best choice but I knew I wasn’t using him as a reference anyway and had just been termed with no rehire status.

      I was fired for political reasons (I was making more in my role than they wanted to pay others who they were about to promote into new roles above my own, the guy who fired me was out the door in a couple days as it was and firing me was his hail mary to try and make it look like he was doing something to fix his departments) but since they didn’t have anything justifiable to fire me on they went for mundane stuff that everyone does that is technically against the rules or technically poor form and he just threw a bunch of things on the DAR to make sure it stuck.

  8. Not usually anonymous*

    I hope my story will give OP some ideas …

    I’ve gotten emails from students saying that teacher X (above me who makes the rules) has told them it is alright for them to be an exception and could I please tell them exactly how to break the rules in their case. Teacher X never responds when I ask for confirmation but the students also don’t take no for an answer and then try to get a yes from my teachers.

    First I asked teacher X to change the rules – unsuccessfully. Admittedly, it takes years to change the rules. Then I spoke to the department Y whose cooperation was needed to break the rules and they insisted that breaking the rules was okay …
    So, I cleared with my boss my announcement to my teachers that they should be careful with requests from students to break the rules, but direct (written) requests from teacher X and department Y should be honored. Then department Y started enforcing the rules. Did I have anything to do with their change of heart? I don’t really know.

  9. KayDay*

    I think it’s really important to talk to management about this in person. However, one potential problem is that management might either tell the OP, “yeah, you need to follow the policies, *wink, wink*” and/or give only a vague response, such as “why don’t you ask [co-worker who isn’t following policy] how they manage?”. Since the OP doesn’t actually have the tools to follow the policy even if she tries, such an answer may make the OP look more at fault if the proverbial ordure hits the fan.

  10. Not So NewReader*

    Can you find a news article that shows a company/organization that is doing a similar thing and is now in hot water?

    Conversely, can you research some common security measures that others are using successfully?

    It is amazing what you can find in an hour on the internet that makes managers pause and reconsider. Make sure you use reputable, well-known websites.

    I am a big fan of using the “we” word. “We need to figure this out…” or “We need to set something up here to protect all of us because we are all personally accountable…”

    If you address it as a team problem and the team can pull together and fix it- people might listen.

    I doubt they will fire you for speaking up. So the next major hurdle is being the lone voice in the wilderness. Just keep saying it over and over. Yeah, it is going to feel lonely, being the only person saying this- but you are right. So just hold your ground…

    I think we have people on this blog that can give you some great links to choose from. Print out the best of the best and give them to your boss.

    1. Anonymous*

      Mat Honan. The story hit last year about hackers getting some info, not even a password OR an SSN, and hacked his Amazon and Apple accounts, who then deleted everything on his Apple devices, including baby pictures of his kid. He writes for Wired, I had to look up the story, but even without a name it was easy to find the story again.

      1. Anonymous*

        Needed to add: While it wasn’t clear protocol wasn’t followed in his case, the fact they found you can still do it after he informed the companies involved of what had happened meant there was a failure somewhere.

  11. darsenfeld*

    My honest view here is to find another job.

    It seems apparent to me that:

    – The culture in your department and even wider organisation is corrupted. It seems your managers, for whatever reason, don’t seem to give a damn.

    – I don’t think you’ll be criminally liable, and if anything if you get sent home then all of your department (including your managers too) should also be fired. If anything, you cannot be solely fired if all others are violating the policy.

    It is possible that your managers are receiving a directive from top management, and for whatever reason (most likely confidentiality) they cannot disclose it with other parties. However, it is possible that the issue is more sinister than one may perceive.

  12. GettinThrough*

    Forget it. You should NEVER have brought the issue up to begin with. Not that it was wrong to do so, but because the upper culture of CIOs, execs, etc. are too full of themselves to even tolerate a single criticism about their network. They know their network is at risk, that’s why they didn’t answer you! All you have done is let them know is that you are aware of it. Guess what? You are the NEW liability. Time to polish your resume.

    1. Jamie*

      There are as many kinds of people in upper level management as there are upper level managers. Some are excellent at what they do, some suck, and the vast majority occupy space somewhere in the middle of the extremes.

      Bitterness toward an entire level of colleague can really hurt a career.
