IT security is hard. As Futurice has grown, we have had our (very small) share of security related incidents. Shifting financial responsibility with contracts is easy, but that is not helping with lost trust and reputation. For our own employees, we have extensive multi-day onboarding, which includes security training. Also, all laptops are installed and configured by the IT team, including disk encryption, backups and antivirus.
However, when we employ subcontractors, they usually use their own laptops and phones, and they don’t participate in our onboarding sessions. We tell our clients when we have subcontractors in the project, but we also carry full responsibility for oursubcontractors’ actions. If the subcontractor messes something up, from our client’s perspective it’s same as if it would have been a Futurice employee – we will do our best to fix the damages, and take the financial and reputation hit. Obviously, we have formal contracts and NDAs with subcontractors, and afterwards we can figure out damages and compensation with them.
Even if Futurice wouldn’t take any financial hit, being trustworthy is important. Just writing a solid contract and having good insurance do not compensate for lost time, confidence and confidentiality.
Formal contracts tend to be hard to follow and relatively abstract, so we created more informal IT security 101 and intellectual property rights (IPR) 101 agreements, which detail practical rules and guidelines in human-readable form. Below are our current IT security 101 guidelines. And to reiterate, the point with these is to push people towards good practices, and not to be legally binding – which is why we didn’t include anything about damages or other legal details.
I hereby declare that I’ve understood and will follow what is stated above:
Futu Connect is our semi-regular roundup of all things Futurice. Be in the know about career-changing events, industry-leading content, non-profit passion projects, and an ever-changing job board.
Enter your email address below.