In-depth

Is your security policy a no-brainer?

Davey Winder explains why having a robust security policy, that everyone follows, is a must for the enterprise

My recent column about how throwing money at the problem isn't the answer to the IT security question in the enterprise has certainly ruffled a few feathers, particularly among those with a vested vendor interest.

My hypothesis was accused of being too simplistic, and that if I were to consider things with a little more breadth and depth I would reach the inevitable conclusion that tight budgets are the root of all that is evil as far as data insecurity is concerned.

After all, how could I even start to counter the argument that budget constraints mean innovative and more efficient security solutions are being overlooked?

Here's how. I have on my desk a piece of research which suggests that when it comes to 'desk-based workers' in the UK and US, as many as 70 per cent have no idea who to report a security breach to.

Let's shuffle that a bit and see if it sounds any better: around a third of workers know who to contact within the organisation if they suspect a device has been subject to a security breach.

Nope, sounds just as bad too me. OK, I have to use the 'admittedly clause' as there's yet another vendor with something to sell involved here, but this does mirror my own experience of working with organisations within the SMB space.

The vendor was using the research to market an access management solution off the back of these results and others suggesting the same workers are ignorant about the risks of sharing logins, will IT professionals continue to overlook the problem of insider threats.

That vendor, IS Decisions, calls it "a shocking deficiency in effective training" and I agree. However, it cuts deeper than that. It's also a shocking misunderstanding of security basics and all too common, if my experiences over the last twenty years are anything to go by, where policy is considered something that managers create and workers ignore.

This may be vaguely acceptable if said policy concerns the colour of employee socks or how many loo breaks they're allowed per working day, but when it comes to the enterprise's security posture, that's a different matter.

So the vendor press release failed to hit the intended target as I didn't come away after reading it thinking that organisations need yet another layered user access management system, but that such things are pointless if the policy that underpins everything is badly drawn up and even more poorly implemented.

The problem with many IT security policy documents is that they are seen as just a piece of paper, when they need to be a living and breathing portrait of your understanding of risk.

The larger the enterprise, the better this is understood and that has nothing to do with budget and everything to do with the culture of security thinking. Best practice and education are all too often sacrificed to the Gods of insufficient time and will as you move down the enterprise scale.

Every enterprise benefits from having a formal, properly implemented IT security policy. I am inclined to think this has not a lot to do with rules and regulations, permissions and process, but relates to thinking. And by that I mean "thinking" about what data security really means to your business.

The act of creating a written, structured response to those needs, from top to bottom, is both an eye-opener and a potential business saver.

Think about what a security policy actually is and, once stripped back to the basics, you realise it's nothing more than a commitment to protect all the data that a firm creates and uses.

It's not something that you can delegate, that's security suicide, but it's something you have to take responsibility of as an organisation.

Get to grips with that concept and things like ensuring all employees are on-board, educated and aware become an organic part of your business process.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021
Biden nominees highlight tough cyber security challenges
cyber security

Biden nominees highlight tough cyber security challenges

20 Jan 2021
Report: Security staff excluded from app development
cyber security

Report: Security staff excluded from app development

20 Jan 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

20 Jan 2021

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021