The Role Of Policies In Driving ‘Secured Productivity’

Don’t hide behind your users if your security and privacy policy is a weak link.  

For anyone who has completed their annual analysis of internal security events, it surely came as no surprise when Verizon reported that in 2022, 82% of breaches involved human elements, including social attacks, errors, and misuse. 

Alerts reporting cyber attacks from criminals who have succeeded in exploiting employee user accounts and devices have become a staple diet in today’s business news.

The ripple effect when these attacks have been perpetrated against software vendors or IT service providers is immeasurable. Especially, when their respective customers must frantically design and deploy their own countermeasures against the threat of ‘back-door-attacks’. Cyber criminals now operate highly sophisticated organizations with a variety of low-cost, readily available hacking tools. By using increasingly refined attack playbooks, cyber criminals are now ransacking all the personal and shared mailboxes to which the user account they have managed to compromise has access to in a matter of minutes.  

So, no matter how much you invest in incident detection and response, it is evident that preventative measures focused on user behavior are critical to your resilience against many cyber attacks.  

While each security or privacy incident may seem different, their causes often trace back to weak information security and data protection policies. As a result, security professionals are forced to rethink the policies they have in place and seal the cracks in their systems to protect their data, people, and the overall company.   

But Where Do Security Professionals Begin?  

Take a hard look at your existing policy and ask yourself what you are really trying to achieve. Does your current policy deliver ‘information for action’ for front-line data processors? Does it arm users with universal instructions, so they know how to act to prevent data breaches or immediately report a suspected security or privacy event? 

A common mistake in many policies is the use of overcomplicated legal language. If a policy is designed to be robust in a court of law, it has inadvertently pitted your organization against its users. In other words, you shouldn’t want to conclude that every user represents an insider threat but instead focus on the aim of enabling trusted and respected specialists to champion ‘secure productivity’.  

Similarly, another flaw in policy design is the inclusion of insights into the methods and governance structure of your security and privacy team. While transparency is vital to build and retain the trust of team members across the business, there are multiple forums such as SharePoint sites, roadshows, or one-to-one sessions where you can provide users with granular insight into how your team does its job.  

Many organizations still maintain governance structures in which information security and data protection are separated by departmental boundaries, each with their own stand-alone policies. In practice, however, security and privacy aspects converge in the secured handling of data and resolution of any potential data breach. Accordingly, security and privacy should always be treated as two sides of the same ‘data protection’ coin.  

How Does A Company Deliver A Strong Security & Privacy Policy?  

Providing evidence of internal security and privacy training completion has become a global requirement for any service provider who processes personal data. When selecting your training tool, the ease with which you can extract records of your organization’s training completion rate should be a key criterion. Not only will this significantly reduce the time your team must spend extracting evidence for training completion requests from customers or external auditors, but it will also increase your team’s ability to drive completion rates through ongoing monitoring and targeted interventions.   

Building a security and privacy policy in tandem with training will focus and streamline the ‘information for action’ a global user base will need to understand and reliably follow your mission-critical instructions. 

If the goal is to enable ‘secured productivity’, the security and privacy policy must tell the user community what they are and aren’t allowed to do in the most simple and clear terms, while being considerate of the productivity requirements associated with their respective roles. For instance, if a policy instructs users not to use certain systems such as unauthorized third-party tools to share confidential data, it must guide them to the appropriate and authorized solutions with which they can meet their business needs. Otherwise, users will either find a ‘workaround’ which poses a new security or privacy risk such as increasing the prevalence of shadow IT or the misuse authorized tools.

Your users may also be more inclined to knowingly commit a policy violation but feel justified in doing so on the grounds that they felt like they had no other choice but breach policy to complete their business-critical task.  

One critical step to achieve the right pitch and scope in a security and privacy policy is to always draft and update the policy in tandem with role-based instructions. This allows a company to drill down and issue task-specific security and privacy rules that are baked into the day-to-day technology-enabled business processes. It also enables a business to provide specialists in those functions with tailored risk awareness.  

Having a strong information security and data protection policy is one of the baseline requirements of any business which is intent on being future-proof. However, if you expect your policy to help drive ‘secured productivity’, it must enable your global user community to achieve their business needs in a secured manner, as part of a wider enablement framework which includes training and role-based instructions. 

Dr. Scott Richardson is CSO of Crayon

You Might Also Read: 

No Slack In The System:

 

« Resilience Is Essential To Protecting Critical Infrastructure
The Current Market For Cyber Security Founders & Investors »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Landry & Associates

Landry & Associates

Landry & Associates is a multidisciplinary firm specializing in risk management, performance and technology management.

Security Current

Security Current

Security Current's proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.

Quality Professionals (Q-Pros)

Quality Professionals (Q-Pros)

QPros are a recognized leader in providing full-cycle software quality assurance and application testing services.

Prewen

Prewen

Prewen provide solutions to protect sensitive data across the organisation.

Visa

Visa

Visa is a global payments technology company that connects consumers, businesses and banks in more than 200 countries and territories worldwide.

IdenTrust

IdenTrust

IdenTrust enables organizations to effectively manage the risks associated with identity authentication.

Neowave

Neowave

Neowave designs, manufactures and markets strong authentication solutions based on smart card components and digital certificates.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

IEEE Cyber Science and Technology Congress (CyberSciTech)

IEEE Cyber Science and Technology Congress (CyberSciTech)

CyberSciTech provides a platform for scientists, researchers, and engineers to share their latest ideas and advances in the broad scope of cyber-related science, technology, and application topics.

Pentera Security

Pentera Security

Pentera (formerly Pcysys) is focused on the inside threat. Our automated penetration-testing platform mimics the hacker's attack - automating the discovery of vulnerabilities.

Open Raven

Open Raven

Open Raven is the cloud native data security platform that prevents breaches driven by modern speed and sprawl. Restore full visibility and regain control within minutes, without agents.

Cyber Protection Group (CPG)

Cyber Protection Group (CPG)

Cyber protection Group specialize in Penetration Testing. We work with enterprise level companies as well as small to medium sized businesses.

NetWitness

NetWitness

NetWitness empowers security teams to rapidly detect today’s targeted and sophisticated attacks with unparalleled visibility.

Triangle

Triangle

Triangle enable innovative business transformation by ensuring critical hybrid infrastructures are optimised, interoperable and secure.

TorchLight

TorchLight

TorchLight designs and manages cybersecurity that moves at the speed of opportunity to defend against business risks and illuminate the path to security.

Executive Operations (EXOP)

Executive Operations (EXOP)

Executive Operations provides 24/7 cyber security staffing - SOC support, compliance, IT help desk & app development. Save 60% with skilled English-speaking teams.