IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
In-depth

Is your security policy a no-brainer?

Davey Winder explains why having a robust security policy, that everyone follows, is a must for the enterprise

My recent column about how throwing money at the problem isn't the answer to the IT security question in the enterprise has certainly ruffled a few feathers, particularly among those with a vested vendor interest.

My hypothesis was accused of being too simplistic, and that if I were to consider things with a little more breadth and depth I would reach the inevitable conclusion that tight budgets are the root of all that is evil as far as data insecurity is concerned.

After all, how could I even start to counter the argument that budget constraints mean innovative and more efficient security solutions are being overlooked?

Here's how. I have on my desk a piece of research which suggests that when it comes to 'desk-based workers' in the UK and US, as many as 70 per cent have no idea who to report a security breach to.

Let's shuffle that a bit and see if it sounds any better: around a third of workers know who to contact within the organisation if they suspect a device has been subject to a security breach.

Nope, sounds just as bad too me. OK, I have to use the 'admittedly clause' as there's yet another vendor with something to sell involved here, but this does mirror my own experience of working with organisations within the SMB space.

The vendor was using the research to market an access management solution off the back of these results and others suggesting the same workers are ignorant about the risks of sharing logins, will IT professionals continue to overlook the problem of insider threats.

That vendor, IS Decisions, calls it "a shocking deficiency in effective training" and I agree. However, it cuts deeper than that. It's also a shocking misunderstanding of security basics and all too common, if my experiences over the last twenty years are anything to go by, where policy is considered something that managers create and workers ignore.

This may be vaguely acceptable if said policy concerns the colour of employee socks or how many loo breaks they're allowed per working day, but when it comes to the enterprise's security posture, that's a different matter.

So the vendor press release failed to hit the intended target as I didn't come away after reading it thinking that organisations need yet another layered user access management system, but that such things are pointless if the policy that underpins everything is badly drawn up and even more poorly implemented.

The problem with many IT security policy documents is that they are seen as just a piece of paper, when they need to be a living and breathing portrait of your understanding of risk.

The larger the enterprise, the better this is understood and that has nothing to do with budget and everything to do with the culture of security thinking. Best practice and education are all too often sacrificed to the Gods of insufficient time and will as you move down the enterprise scale.

Every enterprise benefits from having a formal, properly implemented IT security policy. I am inclined to think this has not a lot to do with rules and regulations, permissions and process, but relates to thinking. And by that I mean "thinking" about what data security really means to your business.

The act of creating a written, structured response to those needs, from top to bottom, is both an eye-opener and a potential business saver.

Think about what a security policy actually is and, once stripped back to the basics, you realise it's nothing more than a commitment to protect all the data that a firm creates and uses.

It's not something that you can delegate, that's security suicide, but it's something you have to take responsibility of as an organisation.

Get to grips with that concept and things like ensuring all employees are on-board, educated and aware become an organic part of your business process.

Featured Resources

The state of Salesforce: Future of business

Three articles that look forward into the changing state of Salesforce and the future of business

Free Download

The mighty struggle to migrate SAP to the cloud may be over

A simplified and unified approach to delivering Enterprise Transformation in the cloud

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

The Total Economic Impact™ Of IBM FlashSystem

Cost savings and business benefits enabled by FlashSystem

Free Download

Most Popular

Cyber attack on software supplier causes "major outage" across the NHS
cyber attacks

Cyber attack on software supplier causes "major outage" across the NHS

8 Aug 2022
Why convenience is the biggest threat to your security
Sponsored

Why convenience is the biggest threat to your security

8 Aug 2022
Electrical explosion reported at Google's Iowa data centre
data centres

Electrical explosion reported at Google's Iowa data centre

9 Aug 2022