In-depth

Is your security policy a no-brainer?

Davey Winder explains why having a robust security policy, that everyone follows, is a must for the enterprise

My recent column about how throwing money at the problem isn't the answer to the IT security question in the enterprise has certainly ruffled a few feathers, particularly among those with a vested vendor interest.

My hypothesis was accused of being too simplistic, and that if I were to consider things with a little more breadth and depth I would reach the inevitable conclusion that tight budgets are the root of all that is evil as far as data insecurity is concerned.

After all, how could I even start to counter the argument that budget constraints mean innovative and more efficient security solutions are being overlooked?

Here's how. I have on my desk a piece of research which suggests that when it comes to 'desk-based workers' in the UK and US, as many as 70 per cent have no idea who to report a security breach to.

Advertisement
Advertisement - Article continues below

Let's shuffle that a bit and see if it sounds any better: around a third of workers know who to contact within the organisation if they suspect a device has been subject to a security breach.

Nope, sounds just as bad too me. OK, I have to use the 'admittedly clause' as there's yet another vendor with something to sell involved here, but this does mirror my own experience of working with organisations within the SMB space.

The vendor was using the research to market an access management solution off the back of these results and others suggesting the same workers are ignorant about the risks of sharing logins, will IT professionals continue to overlook the problem of insider threats.

That vendor, IS Decisions, calls it "a shocking deficiency in effective training" and I agree. However, it cuts deeper than that. It's also a shocking misunderstanding of security basics and all too common, if my experiences over the last twenty years are anything to go by, where policy is considered something that managers create and workers ignore.

This may be vaguely acceptable if said policy concerns the colour of employee socks or how many loo breaks they're allowed per working day, but when it comes to the enterprise's security posture, that's a different matter.

So the vendor press release failed to hit the intended target as I didn't come away after reading it thinking that organisations need yet another layered user access management system, but that such things are pointless if the policy that underpins everything is badly drawn up and even more poorly implemented.

The problem with many IT security policy documents is that they are seen as just a piece of paper, when they need to be a living and breathing portrait of your understanding of risk.

The larger the enterprise, the better this is understood and that has nothing to do with budget and everything to do with the culture of security thinking. Best practice and education are all too often sacrificed to the Gods of insufficient time and will as you move down the enterprise scale.

Every enterprise benefits from having a formal, properly implemented IT security policy. I am inclined to think this has not a lot to do with rules and regulations, permissions and process, but relates to thinking. And by that I mean "thinking" about what data security really means to your business.

The act of creating a written, structured response to those needs, from top to bottom, is both an eye-opener and a potential business saver.

Advertisement
Advertisement - Article continues below

Think about what a security policy actually is and, once stripped back to the basics, you realise it's nothing more than a commitment to protect all the data that a firm creates and uses.

It's not something that you can delegate, that's security suicide, but it's something you have to take responsibility of as an organisation.

Get to grips with that concept and things like ensuring all employees are on-board, educated and aware become an organic part of your business process.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354195/where-modernisation-and-sustainability-meet-a-tale-of-two
Sponsored

Where modernisation and sustainability meet: A tale of two benefits

25 Nov 2019