The Role Of Policies In Driving ‘Secured Productivity’

Don’t hide behind your users if your security and privacy policy is a weak link.  

For anyone who has completed their annual analysis of internal security events, it surely came as no surprise when Verizon reported that in 2022, 82% of breaches involved human elements, including social attacks, errors, and misuse. 

Alerts reporting cyber attacks from criminals who have succeeded in exploiting employee user accounts and devices have become a staple diet in today’s business news.

The ripple effect when these attacks have been perpetrated against software vendors or IT service providers is immeasurable. Especially, when their respective customers must frantically design and deploy their own countermeasures against the threat of ‘back-door-attacks’. Cyber criminals now operate highly sophisticated organizations with a variety of low-cost, readily available hacking tools. By using increasingly refined attack playbooks, cyber criminals are now ransacking all the personal and shared mailboxes to which the user account they have managed to compromise has access to in a matter of minutes.  

So, no matter how much you invest in incident detection and response, it is evident that preventative measures focused on user behavior are critical to your resilience against many cyber attacks.  

While each security or privacy incident may seem different, their causes often trace back to weak information security and data protection policies. As a result, security professionals are forced to rethink the policies they have in place and seal the cracks in their systems to protect their data, people, and the overall company.   

But Where Do Security Professionals Begin?  

Take a hard look at your existing policy and ask yourself what you are really trying to achieve. Does your current policy deliver ‘information for action’ for front-line data processors? Does it arm users with universal instructions, so they know how to act to prevent data breaches or immediately report a suspected security or privacy event? 

A common mistake in many policies is the use of overcomplicated legal language. If a policy is designed to be robust in a court of law, it has inadvertently pitted your organization against its users. In other words, you shouldn’t want to conclude that every user represents an insider threat but instead focus on the aim of enabling trusted and respected specialists to champion ‘secure productivity’.  

Similarly, another flaw in policy design is the inclusion of insights into the methods and governance structure of your security and privacy team. While transparency is vital to build and retain the trust of team members across the business, there are multiple forums such as SharePoint sites, roadshows, or one-to-one sessions where you can provide users with granular insight into how your team does its job.  

Many organizations still maintain governance structures in which information security and data protection are separated by departmental boundaries, each with their own stand-alone policies. In practice, however, security and privacy aspects converge in the secured handling of data and resolution of any potential data breach. Accordingly, security and privacy should always be treated as two sides of the same ‘data protection’ coin.  

How Does A Company Deliver A Strong Security & Privacy Policy?  

Providing evidence of internal security and privacy training completion has become a global requirement for any service provider who processes personal data. When selecting your training tool, the ease with which you can extract records of your organization’s training completion rate should be a key criterion. Not only will this significantly reduce the time your team must spend extracting evidence for training completion requests from customers or external auditors, but it will also increase your team’s ability to drive completion rates through ongoing monitoring and targeted interventions.   

Building a security and privacy policy in tandem with training will focus and streamline the ‘information for action’ a global user base will need to understand and reliably follow your mission-critical instructions. 

If the goal is to enable ‘secured productivity’, the security and privacy policy must tell the user community what they are and aren’t allowed to do in the most simple and clear terms, while being considerate of the productivity requirements associated with their respective roles. For instance, if a policy instructs users not to use certain systems such as unauthorized third-party tools to share confidential data, it must guide them to the appropriate and authorized solutions with which they can meet their business needs. Otherwise, users will either find a ‘workaround’ which poses a new security or privacy risk such as increasing the prevalence of shadow IT or the misuse authorized tools.

Your users may also be more inclined to knowingly commit a policy violation but feel justified in doing so on the grounds that they felt like they had no other choice but breach policy to complete their business-critical task.  

One critical step to achieve the right pitch and scope in a security and privacy policy is to always draft and update the policy in tandem with role-based instructions. This allows a company to drill down and issue task-specific security and privacy rules that are baked into the day-to-day technology-enabled business processes. It also enables a business to provide specialists in those functions with tailored risk awareness.  

Having a strong information security and data protection policy is one of the baseline requirements of any business which is intent on being future-proof. However, if you expect your policy to help drive ‘secured productivity’, it must enable your global user community to achieve their business needs in a secured manner, as part of a wider enablement framework which includes training and role-based instructions. 

Dr. Scott Richardson is CSO of Crayon

You Might Also Read: 

No Slack In The System:

 

« Resilience Is Essential To Protecting Critical Infrastructure
The Current Market For Cyber Security Founders & Investors »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

TestFort

TestFort

TestFort QA Lab is a specialized software testing company offering independent quality assurance and software testing services.

Kroll

Kroll

Kroll provides clients a way to build, protect and maximize value through our differentiated financial and risk advisory and intelligence.

NovaTech Automation

NovaTech Automation

NovaTech products and services make the world’s power grids and essential process industries more reliable, efficient, sustainable and secure.

European Recruitment

European Recruitment

European Recruitment is an award-winning, international recruitment agency specialising in niche technology areas including Cyber Security.

CipherMail

CipherMail

CipherMail provides email security products which allow organizations world wide to automatically protect their email against unauthorized access both in transit and at rest.

infySEC

infySEC

InfySEC is an information security services organization offering Security Technology services, Security Consulting, Security Training, Research & Development.

iProov

iProov

iProov delivers authentication and verification simply and securely, based on a genuine one-time biometric.

SlowMist

SlowMist

SlowMist is a blockchain ecosystem security company providing cybersecurity audits and protection for leading digital asset exchanges, crypto wallets, public chains, and smart contracts.

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI)

Blockchain Research Institute (BRI) is an independent, global think-tank. We bring together the world’s top global researchers to undertake ground-breaking research on blockchain technology.

Harbor Networks

Harbor Networks

Harbor Networks is a communications systems integrator and managed services provider. We provide business consultation services for voice and data communication technology.

ImmuneBytes

ImmuneBytes

ImmuneBytes is a cutting-edge security startup that aims to provide a secure blockchain environment for a dependable and open Web3 ecosystem.

Kompleye

Kompleye

Kompleye is a recognized cybersecurity and compliance audit organization that offer a comprehensive solution for different industries.

Cygna Labs

Cygna Labs

Cygna Labs is a software developer and one of the top three global DDI (DNS, DHCP, and IP address management) vendors.

Oz Forensics

Oz Forensics

Oz Forensics is a global leader in preventing biometric and deepfake fraud. It is a developer of facial Liveness detection for Antifraud Biometric Software with high expertise in the Fintech market.

WBM Technologies

WBM Technologies

WBM Technologies is a Western Canadian leader in the provision of outcomes-driven information technology solutions.

eGyanamTech (EGT)

eGyanamTech (EGT)

eGyanamTech provides robust security solutions tailored for Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) systems used in critical infrastructure systems.