In-depth

Is your security policy a no-brainer?

Davey Winder explains why having a robust security policy, that everyone follows, is a must for the enterprise

My recent column about how throwing money at the problem isn't the answer to the IT security question in the enterprise has certainly ruffled a few feathers, particularly among those with a vested vendor interest.

My hypothesis was accused of being too simplistic, and that if I were to consider things with a little more breadth and depth I would reach the inevitable conclusion that tight budgets are the root of all that is evil as far as data insecurity is concerned.

Advertisement - Article continues below

After all, how could I even start to counter the argument that budget constraints mean innovative and more efficient security solutions are being overlooked?

Here's how. I have on my desk a piece of research which suggests that when it comes to 'desk-based workers' in the UK and US, as many as 70 per cent have no idea who to report a security breach to.

Let's shuffle that a bit and see if it sounds any better: around a third of workers know who to contact within the organisation if they suspect a device has been subject to a security breach.

Nope, sounds just as bad too me. OK, I have to use the 'admittedly clause' as there's yet another vendor with something to sell involved here, but this does mirror my own experience of working with organisations within the SMB space.

Advertisement
Advertisement - Article continues below

The vendor was using the research to market an access management solution off the back of these results and others suggesting the same workers are ignorant about the risks of sharing logins, will IT professionals continue to overlook the problem of insider threats.

Advertisement - Article continues below

That vendor, IS Decisions, calls it "a shocking deficiency in effective training" and I agree. However, it cuts deeper than that. It's also a shocking misunderstanding of security basics and all too common, if my experiences over the last twenty years are anything to go by, where policy is considered something that managers create and workers ignore.

This may be vaguely acceptable if said policy concerns the colour of employee socks or how many loo breaks they're allowed per working day, but when it comes to the enterprise's security posture, that's a different matter.

So the vendor press release failed to hit the intended target as I didn't come away after reading it thinking that organisations need yet another layered user access management system, but that such things are pointless if the policy that underpins everything is badly drawn up and even more poorly implemented.

The problem with many IT security policy documents is that they are seen as just a piece of paper, when they need to be a living and breathing portrait of your understanding of risk.

Advertisement - Article continues below

The larger the enterprise, the better this is understood and that has nothing to do with budget and everything to do with the culture of security thinking. Best practice and education are all too often sacrificed to the Gods of insufficient time and will as you move down the enterprise scale.

Every enterprise benefits from having a formal, properly implemented IT security policy. I am inclined to think this has not a lot to do with rules and regulations, permissions and process, but relates to thinking. And by that I mean "thinking" about what data security really means to your business.

The act of creating a written, structured response to those needs, from top to bottom, is both an eye-opener and a potential business saver.

Think about what a security policy actually is and, once stripped back to the basics, you realise it's nothing more than a commitment to protect all the data that a firm creates and uses.

It's not something that you can delegate, that's security suicide, but it's something you have to take responsibility of as an organisation.

Get to grips with that concept and things like ensuring all employees are on-board, educated and aware become an organic part of your business process.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020
Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular

Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020
Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/operating-systems/microsoft-windows/355781/microsoft-confirms-further-issues-with-troublesome
Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020