I've discussed written security policies in the past—every business needs to have a set in place. If you don't have a written security policy, your employees remain the biggest security risk for your business. If you do have a security policy in place, perhaps it's time to re-examine its wording. Case in point: Elite Web Hosting of Orlando, Florida.
Elite ran a high-income business that hosted Web sites and had a security policy in place, but apparently the policy wasn't explicit enough, and eventually it cost Elite the entire business. A story last week in BusinessWeek revealed that a disgruntled former employee broke into Elite's network back in September and sent defamatory email that said the company was venturing into the porn industry. As a result, customers jumped ship by the dozen, which eventually caused Elite to fold.
Elite took the perpetrator to court, but the company had trouble making the charges stick even though the ex-employee had clearly overstepped reasonable bounds. According to the story, the perpetrator didn't take any action disallowed by company policy. Furthermore, the policy didn't dictate exactly when an ex-employee's network access should be terminated. As a result, the defendant won the case.
Former US Department of Justice (DOJ) prosecutor Bill Cook commented in the BusinessWeek story that the first legal action a company should take against an ex-employee is to obtain a temporary restraining order barring access to company resources. That advice sounds extreme, but it comes from a federal prosecutor; I expect he knows what he's talking about.
Look closely at your company security policy to see whether you've adequately covered the important items. And consider having an attorney experienced in these types of cases look over your policy to ensure you can use it in a court of law, should that need ever arise. Until next time, have a great week.