Cybersleuth 's Blog

Dust off your policies

By Cybersleuth in Reader

Posted in data security, security practices, Policies, office on February 26, 2008 at 2:30 pm


Security policies. You’ve got yards of them, right? Fire, flood, terrorism, four horsemen of the apocalypse – pretty much everything’s covered. So you save the documentation, breathe a sigh of relief and get back to the business of doing business.

And that’s where the potential problems start: the file ‘em and forget ‘em attitude which abounds in companies of every size and significance. The point about security policies is not that everything is OK simply because they exist. Like any laws, they have to be workable and enforceable. Just as importantly, they have to be reviewed and updated on a regular basis.

What we’re talking about here is the difference between theory and practice. It is one thing to say X or Y shall happen in any given situation, quite another to actually get it to happen. That’s why we have fire drills, isn’t it? So everyone knows how to act and react when the alarm bell rings.

If that simple expedient were applied to other threats in the workplace, many security incidents would be a great deal easier to manage. A specific case would be those involving the computer-related technologies upon which all commerce now relies.

Yet what really happens when a computer incident blows up? Apart from calling someone in the IT department to have a look at it, that is. Who monitors the situation? What is the line of command? Does anyone have a clue what to do when information suddenly becomes evidence?

These considerations fall into the ‘workable’ aspect of this argument. While most people interpret ‘workable’ as ‘what the staff will accept’, that is only one side of the story. If there is no clear structure for incident handling, a contingency plan will fail. That’s if there is such a plan in the first place. Back to the fire and flood scenario. Most organisations will have calculated the risk of such disasters striking and have sorted some scheme to both mitigate losses and keep on trading. Hopefully, they will also have a similar scheme for accidental data loss or computer system failure. But what about data theft and computer misuse? What of these acts, which are far more likely to be perpetrated from the inside than by random hackers?

A perennial problem in a large number of companies today is that the security policies which are supposed to deal with these situations actually don’t. What they do is sketch out some regulations and hint at possible retribution for non-compliance. All too frequently, there’s no contingency plan. No indication as to who does what in which department when. As a result, no-one knows whether a staff-related computer incident is an IT issue or a Human Resources issue. No-one knows when to involve management or when to tell the PR people to batten down the hatches against possible press leaks.

A similar predicament applies to the enforcement side of things. It is frequently unclear what will be enforced, how and when. The vague wording present in many policies does not help here. The inconsistent application of perceived punishments goes on to make matters worse.

The primary aim of computer security is the protection of data. This is not just a legal requirement, it’s what underpins a company’s ability to strive and survive in the marketplace. Information is an organisation’s most valuable asset. It’s also the one which most easily goes walkabout. The reason has less to do with the inherent flakiness of digital systems than that of the people who operate them. Investing in security hardware and software, therefore, is only a partial answer. Raising security awareness amongst staff also has a crucial role to play. Involving them in development and drafting of security policies has the benefit of helping them to understand why they are necessary.

As well as being an inclusive exercise, reviewing security policies has the advantage of encouraging a certain amount of stock taking. Where the company was last year is different to where it is now and looking at the changes will help identify what new measures may need to be considered. A regular overhaul, then, will prevent policies from getting left behind as businesses grow. It’ll remind everyone to write the latest and greatest gadgetry into the security equation, too. Wireless, Bluetooth, thumb drives, iPods – the range of wonders ready to knock holes in the data defences gets wider by the hour. We want to own them. We’d like to work with them. Finding ways of doing that without compromising the rest of the system is one of the more serious challenges of the age.

To paraphrase the famous saying: the price of security is eternal vigilance. It’s a maxim which should be engraved on the door posts of every self-respecting enterprise. So drag out the policies, dust them off and update them. But don’t then stuff them into a virtual drawer and walk away. For just when you think it’s safe to go back into the water, you’ll find something’s lurking in the surf.
