October is "cyber security awareness month" in the US and across the European Union. We're marking this with a series of posts designed to help you talk to your executive team about security. Given the number of high profile breaches in the past year alone, the C-suite and Board are starting to pay attention to cyber security and the potential business risk in terms of liability, loss of reputation, and revenue impact. To help you start discussing these issues with the executive team, we're providing five posts through October, covering why security matters now; data custodianship; how organizations can make security into a strength and advantage; building security into the corporate culture through policies and user education; and crisis communications and response.
If you're interested in more on security awareness, check out this series of primers designed to help you educate your users on the risks they face daily, and how to protect themselves, which covers phishing, mobile threats, basic password hygiene, avoiding cloud crises, and the value of vigilance.
This week, let's talk about security policies and why they matter.
As a business leader you probably do a great deal of work on the road or at remote locations, as do many of your employees. While mobility increases productivity, it greatly increases the risk of data loss to your organization. Virtual workplaces are abundant: Homes, coffee shops, restaurants, airports, and other public locations all serve as convenient remote offices. Unfortunately that means that employees are accessing company information from insecure networks—but in many cases, they may not realize why or how their behavior increases liability for you, their employer.
Uninformed employees are a significant risk to the organization, risk that can be managed with security policies to clearly outline what behaviors are (or aren't) acceptable from a security context. Policy is an effective educational tool, behavior deterrent, and in some cases a first-line defense against employee-induced risk to the business.
Employees are stewards of corporate data — they need to be trained and empowered to work safely and efficiently.
A security policy is critical to protecting corporate assets. The consequences of insufficient organizational security can be substantial: Security breaches, loss of sensitive data, punitive fines, embarrassment and loss of customer confidence. That said, your organization's security policy sets the tone for proper security practices that all employees and business partners abide by. If followed—and that is a key point—the policy helps mitigate security risk.
What should you keep in mind when developing security policies?
- Enforceability - Do not create a policy that you cannot or will not enforce. The IT and security teams need the support, tools and processes in place to monitor alignment to the policy.
- Exceptions - The saying goes that there are exceptions to every rule - thus there are likely exceptions to every policy. Create a policy exception process to review, approve, and monitor exceptions within your organization.
- Policies and Standards - Policies, by definition, are general and high-level statements. The specific details and controls necessary to satisfy a policy should be contained within security standards, resulting in less frequent policy updates.
- Accessibility - Your policies will not be successful if your employees never see them! Keep your policies in a location that is accessible to all employees and be sure to communicate changes and updates when they occur.
Employee adoption makes or breaks your policies. Your employees are the key to the success of security controls, and need to be educated and reminded of the importance of information security. Regular, recurring security awareness training is an essential part of any cyber security policy program. Security policies should be included in new employee training and in recurring awareness campaigns.
The role of executive management
Executive commitment is one of the most important factors to the success of a security program. Executives that understand and support security policy make well-informed and risk-based decisions. As an executive you should be engaged in, and supportive of, security policies and set the tone by example at the top. Talk about security in your meetings and town halls. Practice good security yourself. Employees will follow your lead. While executive commitment does not guarantee success, its absence can certainly increase the likelihood of failure.
Organizations should adopt security policies and integrate them into all of their business functions or risk immeasurable loss and consequences. Executives: be a security hero and role model. Set expectations for secure behavior, policy compliance and follow through with frequent and recurring communication. Your security policies can help prevent potentially disastrous consequences.