
Young Employees and IT Security

Hiring young employees can bring fresh talent and innovation, giving your company an edge over your competitors. But that edge can quickly be erased, as young workers also bring additional technology risks. According to the 2011 Cisco Connected World Technology Report, a study involving almost 3,000 college students and young professionals under age 30, 70 per cent of young employees frequently ignore their company’s information technology (IT) policies.

Millennials have grown accustomed to sharing everything about their personal lives on Internet sites such as Facebook® and YouTube®. This poses a dilemma for an employer: If young employees don’t safeguard their own personal information, how can you entrust them with your company’s sensitive data? Companies with the need to be Internet-savvy must hire young talent, but are these employees worth the risk?

Eye-opening Statistics

The Cisco report says that 80 per cent of young employees either don’t know about their companies’ IT policies or they think they are outdated. Additionally, 25 per cent of those in the study had been a victim of identity theft before age 30.

Why are young employees negligent about IT security? The study found that some young employees’ attitudes and beliefs towards IT policies include the following:

  • They forget about the policies.
  • They think their bosses aren’t watching.
  • They believe the policies are inconvenient.
  • They think they don’t have time to remember the policies while they’re working.
  • They feel the need to access unauthorized programs to get their job done.
  • They believe security is the IT department’s responsibility, not their own.

Additional Risks to Consider

Young employees can compromise IT security by leaving their computers or other personal devices unattended, increasing the risk that both the equipment and company data could be lost, stolen or misused. Sending work-related emails to personal email accounts and using computers and social networking sites for both work and personal reasons can also compromise IT security. Millennials are more apt to blur the line between using IT for both personal and work-related purposes, which can increase the risk of negligence.

Consider that not only young employees, but all employees can compromise IT security in the following ways:

  • USB flash drives. While these are convenient portable devices for storing information, they make it too easy to take sensitive information out of the office and can be misplaced easily because they are so small.
  • Wi-Fi networks. Whether it’s an employee’s personal Wi-Fi network at home or free Wi-Fi at the local coffee shop, it is important that employees use a virtual private network (VPN) and take other security measures when they log in on networks outside of your company.
  • Laptop computers. Lightweight and handy for working remotely, laptops are also susceptible to viruses from improperly-secured Wi-Fi networks.
  • Smartphones. They provide information at your fingertips, but are also another portable way to take sensitive data out of the office.
  • Collaboration websites. Websites, such as a wiki or SharePoint® site, are great tools for employees working together on projects, but it’s critical that only authorized employees are logging in and accessing your company’s projects on these sites.
  • Social media tools. Sites such as Facebook and Twitter™ can benefit your business; however, negligent use, including sharing critical company information, can be a risk.
  • Other communication applications, such as peer-to-peer (P2P), Skype and instant messaging tools. These applications can be vectors for malware and a threat to information security.

Employers shouldn’t necessarily prohibit employees from using technology, as this list includes many tools they need to get the jobs done. It’s important to know the risks and educate young employees to use the technology properly.

Mitigating the Risks

Employers must find the balance between allowing young employees to use social networking websites and portable devices to do their jobs, while at the same time protecting company information. Employers should examine their exposures and consider what level of risk they are willing to accept. Other special considerations for managing young employees and mitigating the risk include:

  • Review your company’s IT policy. If it needs to be updated, ask recent graduates for advice on updating the policy to reflect current changes and trends in IT.
  • Make sure young employees (and all employees) are aware of your company’s IT policy and the consequences if the policy is not followed.
  • Create strong, trusting relationships between young employees and your IT department.
  • Create IT awareness materials so young employees are continually reminded of IT security risks and what they can do to prevent them.
  • Train new young employees on data protection and IT security risks, and provide refresher training for seasoned employees to ensure everyone is aware of the risks and the importance of safeguarding company information.

 

© Zywave, Inc. All rights reserved.


The Risks of Telecommuting for Employers

Allowing employees to work remotely has become increasingly popular over the years, as more prospective employees seek the convenience and the work-life balance that telecommuting offers. Telecommuting can generate cost savings, bolster employee morale and help companies attract diverse talent. However, before implementing a telecommuting policy, employers should be aware of the three most common risks.

Productivity and Communication

When employees work off-site and away from management, concerns about workflow and productivity may arise. To address this, communication is key. Not only will consistent check-ins build ongoing relationships, but they will also help remote employees understand what is expected of them.

Network Security

When you give remote employees access to your internal network, you open yourself up to the risk of data breaches. To prevent this, employers should provide secure, company-issued equipment and prohibit administrator privileges.

Social Activities

According to experts, socializing among peers in the workplace is important for morale and trust. Employees who work remotely miss out on these networking opportunities. Holding regular staff meetings that include remote workers will help create a team mentality between on-site and off-site employees. In addition, extending company event invitations to remote employees will make them feel more included.

Although most organizations may treat telecommuting differently, a well-defined remote work policy will set clear expectations for employers and employees. Successful policies should account for the aforementioned risks and can include formal review processes as well as uniform guidelines to determine eligibility.

 



Ontario’s New JHSC Training Standards Come into Effect March 1, 2016

On Oct. 1, 2015, the Chief Prevention Officer (CPO) of the Ministry of Labour (MOL) announced new standards for Joint Health and Safety Committee (JHSC) member certification and new requirements for organizations that provide JHSC certification training programs. The new standards replace the 1996 Certification Standards (1996 Standards) and become effective March 1, 2016.

New Training Program Standard Requirements

Under the new standards, JHSC members seeking to become certified after March 1, 2016, must complete new, more comprehensive training courses. These training courses are separated into three segments: Part 1, Part 2 and refresher training. All three segments of this training must be part of a CPO-approved JHSC program and must be delivered by a CPO-approved JHSC certification training provider.

JHSC members certified under the 1996 Standards before March 1, 2016, are not required to complete additional training under the new standards, nor are they required to complete refresher training to maintain their certification.

Starting March 1, 2016, JHSC members who have completed only Part 1 of the certification training under the 1996 Standards will be required to complete Part 2 under the new standards. Additionally, these individuals will need to take refresher training periodically to maintain their certification.

Format of JHSC Training Under New Training Program Standard

Part 1 training involves generic health and safety training that is applicable to all workplaces where a JHSC is required. Part 1 training must consist of at least three days (19.5 hours) of face-to-face instruction, of which 6.5 hours can be delivered via eLearning. It includes information on the following:

  • Occupational health and safety laws and regulations;
  • Rights, duties and responsibilities of workplace parties;
  • Hazard recognition, assessment, and control and evaluation of hazard controls;
  • The role and responsibilities of JHSCs;
  • Duties and responsibilities of JHSC members and certified members; and
  • Health and safety resources.

Part 2 training focuses on the concepts of hazard recognition, assessment and control of hazards, and evaluation of hazard controls, often referred to as the RACE methodology. This training must also focus on a minimum of six hazards that are relevant to the JHSC member’s workplace. The minimum duration of Part 2 training is two days (13 hours) of face-to-face instruction.

Part 2 training must be completed within six months of completing Part 1 training, subject to a one-time extension granted at the CPO’s discretion.

Refresher training must be completed once every three years by anyone who is JHSC certified under the new standards. This training must entail a minimum of one day (6.5 hours) of face-to-face instruction and include the following:

  • A review of key concepts from Part 1 and Part 2 training;
  • Information on relevant updates to legislation, standards, codes of practice, and occupational health and safety best practices; and
  • The opportunity for certified members to share and discuss best practices and challenges related to workplace health and safety.

Certified JHSC members may request a one-time exemption from refresher training. Exemptions, if approved, would extend the required period for refresher training an additional three years.

New Training Provider Standard

The new standards also set out criteria that training providers must meet in order to deliver a CPO-approved JHSC certification training program. To deliver JHSC Certification Training as of March 1, 2016, all training providers, including existing training providers and potential providers, must apply to the MOL for CPO approval.

Training providers previously approved by the CPO may continue to provide JHSC training under the 1996 Standards until Feb. 29, 2016, but they are required to re-apply for CPO approval in order to provide certification training after that date.

It should be noted that employers can apply to become approved JHSC certification training providers. Once approved by the CPO, employers can then provide JHSC certification training to their employees.

Additional Information

A list of all CPO-approved JHSC certification training providers will be posted on the MOL website as they are approved.

For additional information on JHSCs or the recent changes made to the certification standards, organizations may visit the MOL’s JHSC website.

 



New Noise Protection Requirements Extended to Ontario Workplaces

The Ontario Ministry of Labour recently extended noise protection requirements to all workplaces covered under the Occupational Health and Safety Act. Workplaces covered under the new Noise Regulations include construction sites, health care facilities, schools, farming operations, fire services, police services and amusement parks.

The new regulation, which will come into effect on July 1, 2016, aims to protect workers from noise-induced hearing loss.

Specifically, the new regulation does the following:

  1. Places limits on the length of time workers are exposed to noise, with a maximum exposure limit of 85 decibels over an eight-hour work shift
  2. Requires employers to implement preventive workplace controls (introducing safe work practices, engineering controls, etc.) in order to reduce employee exposure to noise
  3. Requires employers to provide personal protective equipment (like hearing protection devices) and adequate training on its proper usage

In addition, noise protection sections in the Industrial Establishments, Mines and Mining Plants, and Oil and Gas-Offshore regulations have been revoked and are now incorporated into the new Noise Regulations.

The Regulations for Farming Operations was also amended in order to apply the noise regulation to farming operations.


 



Cyber Crime’s Forgotten Victim—Your Company’s Reputation

Even though companies are finally starting to dedicate resources to prepare for cyber attacks, it’s possible that they may be overlooking a key exposure. While internal audits, hardware and software upgrades, and payouts to impacted customers can be costly, those costs can quickly be dwarfed by the damage a cyber attack can do to a company’s reputation.

The Dark Side of Social Media

Social media poses a huge threat to your company’s reputation. In the event of a data breach, traditional media coverage, blog posts and consumer reaction to the breach will dominate discussion of your company’s brand across social media platforms. Social media newsfeeds offer little to no distinction between legitimate news, biased reports, rumors and outright falsehoods, making the problem worse.

Additionally, social media is the perfect battleground for a competing interest to launch an attack on your brand. In fact, a white paper released by Hays suggests that the deliberate spread of false information about companies could be part of the next wave of cyber attacks launched by foreign governments.

Managing Your Reputation

In the wake of a cyber attack, it’s important to have a social media strategy in place and ready to roll out, as well as a team dedicated to monitoring social media in order to dispel any rumors and clarify any falsehoods. It’s also important to consider all avenues for mitigating your risk.

 
