The Role Of Policies In Driving ‘Secured Productivity’

Don’t hide behind your users if your security and privacy policy is a weak link.  

For anyone who has completed their annual analysis of internal security events, it surely came as no surprise when Verizon reported that in 2022, 82% of breaches involved human elements, including social attacks, errors, and misuse. 

Alerts reporting cyber attacks from criminals who have succeeded in exploiting employee user accounts and devices have become a staple diet in today’s business news.

The ripple effect when these attacks have been perpetrated against software vendors or IT service providers is immeasurable. Especially, when their respective customers must frantically design and deploy their own countermeasures against the threat of ‘back-door-attacks’. Cyber criminals now operate highly sophisticated organizations with a variety of low-cost, readily available hacking tools. By using increasingly refined attack playbooks, cyber criminals are now ransacking all the personal and shared mailboxes to which the user account they have managed to compromise has access to in a matter of minutes.  

So, no matter how much you invest in incident detection and response, it is evident that preventative measures focused on user behavior are critical to your resilience against many cyber attacks.  

While each security or privacy incident may seem different, their causes often trace back to weak information security and data protection policies. As a result, security professionals are forced to rethink the policies they have in place and seal the cracks in their systems to protect their data, people, and the overall company.   

But Where Do Security Professionals Begin?  

Take a hard look at your existing policy and ask yourself what you are really trying to achieve. Does your current policy deliver ‘information for action’ for front-line data processors? Does it arm users with universal instructions, so they know how to act to prevent data breaches or immediately report a suspected security or privacy event? 

A common mistake in many policies is the use of overcomplicated legal language. If a policy is designed to be robust in a court of law, it has inadvertently pitted your organization against its users. In other words, you shouldn’t want to conclude that every user represents an insider threat but instead focus on the aim of enabling trusted and respected specialists to champion ‘secure productivity’.  

Similarly, another flaw in policy design is the inclusion of insights into the methods and governance structure of your security and privacy team. While transparency is vital to build and retain the trust of team members across the business, there are multiple forums such as SharePoint sites, roadshows, or one-to-one sessions where you can provide users with granular insight into how your team does its job.  

Many organizations still maintain governance structures in which information security and data protection are separated by departmental boundaries, each with their own stand-alone policies. In practice, however, security and privacy aspects converge in the secured handling of data and resolution of any potential data breach. Accordingly, security and privacy should always be treated as two sides of the same ‘data protection’ coin.  

How Does A Company Deliver A Strong Security & Privacy Policy?  

Providing evidence of internal security and privacy training completion has become a global requirement for any service provider who processes personal data. When selecting your training tool, the ease with which you can extract records of your organization’s training completion rate should be a key criterion. Not only will this significantly reduce the time your team must spend extracting evidence for training completion requests from customers or external auditors, but it will also increase your team’s ability to drive completion rates through ongoing monitoring and targeted interventions.   

Building a security and privacy policy in tandem with training will focus and streamline the ‘information for action’ a global user base will need to understand and reliably follow your mission-critical instructions. 

If the goal is to enable ‘secured productivity’, the security and privacy policy must tell the user community what they are and aren’t allowed to do in the most simple and clear terms, while being considerate of the productivity requirements associated with their respective roles. For instance, if a policy instructs users not to use certain systems such as unauthorized third-party tools to share confidential data, it must guide them to the appropriate and authorized solutions with which they can meet their business needs. Otherwise, users will either find a ‘workaround’ which poses a new security or privacy risk such as increasing the prevalence of shadow IT or the misuse authorized tools.

Your users may also be more inclined to knowingly commit a policy violation but feel justified in doing so on the grounds that they felt like they had no other choice but breach policy to complete their business-critical task.  

One critical step to achieve the right pitch and scope in a security and privacy policy is to always draft and update the policy in tandem with role-based instructions. This allows a company to drill down and issue task-specific security and privacy rules that are baked into the day-to-day technology-enabled business processes. It also enables a business to provide specialists in those functions with tailored risk awareness.  

Having a strong information security and data protection policy is one of the baseline requirements of any business which is intent on being future-proof. However, if you expect your policy to help drive ‘secured productivity’, it must enable your global user community to achieve their business needs in a secured manner, as part of a wider enablement framework which includes training and role-based instructions. 

Dr. Scott Richardson is CSO of Crayon

You Might Also Read: 

No Slack In The System:

 

« Resilience Is Essential To Protecting Critical Infrastructure
The Current Market For Cyber Security Founders & Investors »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cortado Mobile Solutions

Cortado Mobile Solutions

Cortado Mobile Solutions is the manufacturer of the mobile device management solution Cortado MDM.

Marsh

Marsh

Marsh is a global leader in insurance broking and risk management and has been a leader in combatting cyber threats since their emergence.

MACH37

MACH37

MACH37 is a market-centric cybersecurity accelerator program designed to facilitate the creation of the next generation of cybersecurity product companies.

CyberGreen Institute

CyberGreen Institute

The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem.

Institute for Cybersecurity & Privacy (ICSP) -  University of Georgia

Institute for Cybersecurity & Privacy (ICSP) - University of Georgia

The goal of ICSP is to become a state hub for cybersecurity research and education, including multidisciplinary programs and research opportunities, outreach activities, and industry partnership.

Cryptovision

Cryptovision

Cryptovision GmbH is one of the leading specialists for modern, user-friendly cryptography and solutions for secure electronic identities.

SafeLogic

SafeLogic

SafeLogic provides strong encryption products for solutions in mobile, server, Cloud, appliance, wearable, and IoT environments that are pursuing compliance to strict regulatory requirements.

Cyscale

Cyscale

Cyscale automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Open Systems

Open Systems

Open Systems is a Secure Access Service Edge (SASE) pioneer delivering a complete solution to network and security.

North American International Cyber Summit

North American International Cyber Summit

The North American International Cyber Summit brings together experts from around the globe to provide timely content and address a variety of cybersecurity issues impacting the world.

Pathway Communications

Pathway Communications

Established in 1995, Pathway Communications – is part of the Pathway Group of Companies, a Canadian IT Managed Services organization.

Salem Cyber

Salem Cyber

Salem Cyber builds Artificial Intelligence (AI) solutions that work collaboratively with people to address scalability challenges in cybersecurity operations.

Artjoker

Artjoker

Artjoker is a full cycle software development partner specialized in Blockchain projects and smart contract development including full cycle information security of all projects.

CampusGuard

CampusGuard

CampusGuard focuses on the cybersecurity and compliance needs of campus-based organizations including higher education, healthcare, and state and local government.

ViCyber

ViCyber

ViCyber is an Australian based company whose mission is to simplify and strengthen cybersecurity for all businesses, irrespective of size.

Swick Technologies (SWICKtech)

Swick Technologies (SWICKtech)

SWICKtech offer IT managed services to increase IT security, stability, and performance for your organization.