When Your Department is Ignoring a Workplace Security Policy

Apr 23, 2013

A reader asks:

My company has a written security policy requiring us to authenticate all requests we receive by phone or email before acting on the request or releasing any non-public information. This is a good policy, and necessary to protect both my company and our clients. All employees were required to sign an acknowledgement that we are aware of the policy.

Unfortunately, this policy is completely, totally, 100% ignored in my department. It's not merely that we don't follow it. It's that absolutely no means exists by which we could follow it. There is no method whatsoever available to us to confirm that anyone who calls or writes really is who they claim to be -- we take their word for it because we really have no alternative (unless doing absolutely no work could be considered an alternative).

Needless to say, this is a security vulnerability just waiting to blow up in our faces. I've mentioned it in email to both of my managers, and both of them failed to reply. Now, to my question (a 2-parter):

1. Is there some way I can approach this with management to get some action? I would like us to move toward a place where we can authenticate people and act in a way that protects both us and our clients. I see no progress (or even attempts at progress) on that front.

2. What steps do I need to take to protect myself? Sooner or later, an information leak is going to occur (assuming it has not happened already), and I don't want to lose my job, or worse, be legally liable. With every call and email I respond to, I am in violation of a written company policy. Unfortunately, I have no alternative, as no authentication mechanism exists, and it's impossible to perform any aspect of my job without responding to calls and emails.

It’s bad enough when companies have policies that they don’t bother to follow, and it’s even worse when the policy is an important one.

Start by talking with your manager. You say that you mentioned it in an email and got no response – but that’s not really the same as talking about it. Email is easy to inadvertently ignore or overlook, and it’s not well suited for important conversations.

So talk face-to-face. But when you do, it’s important to realize that your managers may have a different outlook on this than you do. They may have assessed the risk, assessed the resources needed to put in place a mechanism to allow you to authenticate people, and decided that – for right now, at least – the better business decision is to live with not being able to authenticate. And if that’s the case, chances are fairly good (although not certain) that they didn’t make this decision on their own, but with the involvement of people above them. In other words, it’s possible this is a deliberate trade-off that the company is making right now.

Or, that might not be the case at all. This might truly be an urgent issue that would be addressed immediately if the proper person knew about it. But because you don’t have the same context as your managers have, you shouldn’t default to assuming the latter – you want to account for both possibilities as you proceed.

That means that while you should absolutely talk with your managers about this, you should do so not with a tone of “this is an urgent crisis that you’re neglecting!” but rather a tone of “this has been concerning me and I wanted to talk to you about it.”

If you talk with them and are told that they’re aware of the situation but that they’ve decided it’s okay not to enforce the policy for now, then it’s reasonable to say something like, “I feel a bit odd violating a written company policy with all the calls and emails I respond to, and I worry about being held accountable for that if an information leak does occur at some point. Would it be possible to update the policy so that it reflects how we’re actually working, so that we’re not in the uncomfortable position of doing the opposite of what it says?”

If they’re good managers, they should agree with you on the need to do this. But if they don’t, you can document your conversation by sending them an email afterwards, saying something like, “I want to confirm that we talked today about our policy on authentication and the fact that we can’t currently authenticate customer calls and emails. I’ll be following your guidance not to worry about authenticating until/unless I hear otherwise. Thanks for talking with me about it!”

That might be the best outcome that you can hope for in this situation, but at least you’ll have raised the issue to the attention of the appropriate people and covered yourself in the event of a future problem.
