Business Requirements for Asset Protection

In business, it is essential to protect the assets that make doing business possible. Inventory and raw materials are kept in secure locations to avoid theft or damage. Information assets are no different—they must be kept secure to avoid compromise.

Importance of Policy

In our knowledge-based economy, many organizations place intellectual property among their most valuable business assets. Firms seeking to ensure their competitive advantage must control access to information to ensure their ongoing survival. Protecting confidential information involves more than just technical controls. It also requires clear policies and sound business processes that allow those policies to be implemented. Developing and implementing these policies and processes can protect an organization against security incidents.

For example, a chemical company may have a policy that states that only those employees with a legitimate purpose can enter the laboratories (labs). This policy should ensure that secret chemical formulas are not leaked to unauthorized personnel. For this policy to be effective, it must be enforced by a combination of controls. The firm may use technical measures such as a radio-frequency identification (RFID)-enabled badge reader, combined with administrative measures, such as training employees to scrutinize the identity badges of people they don’t recognize. A policy cannot prevent an information leak if employees regularly hold open the lab doors and allow each other to enter without swiping their ID badge, a threat known as piggybacking.

Senior Management Role

As with any policy-based initiative, access control policies will be effective only if they have the explicit and implicit support of senior executives. When organizations first issue access control policies, they should consider asking a very senior executive to send the message communicating the policy. This is especially important if the policy requires employees to engage in unpopular or inconvenient behaviors. Similarly, senior managers must serve as models of policy adherence. If the CEO is seen holding the door open for other people, rather than expecting them to swipe their badge, or asking that policy be implemented differently or waived for him due to his position, line staff will assume that this is acceptable and will do the same thing. Before you know it, piggybacking will move from being a security risk to a standard practice.
