The Role Of Policies In Driving ‘Secured Productivity’

Uploaded on 2022-12-12 in TECHNOLOGY--Resilience, FREE TO VIEW

Don’t hide behind your users if your security and privacy policy is a weak link.  

For anyone who has completed their annual analysis of internal security events, it surely came as no surprise when Verizon reported that in 2022, 82% of breaches involved human elements, including social attacks, errors, and misuse. 

Alerts reporting cyber attacks from criminals who have succeeded in exploiting employee user accounts and devices have become a staple diet in today’s business news.

The ripple effect when these attacks have been perpetrated against software vendors or IT service providers is immeasurable. Especially, when their respective customers must frantically design and deploy their own countermeasures against the threat of ‘back-door-attacks’. Cyber criminals now operate highly sophisticated organizations with a variety of low-cost, readily available hacking tools. By using increasingly refined attack playbooks, cyber criminals are now ransacking all the personal and shared mailboxes to which the user account they have managed to compromise has access to in a matter of minutes.  

So, no matter how much you invest in incident detection and response, it is evident that preventative measures focused on user behavior are critical to your resilience against many cyber attacks.  

While each security or privacy incident may seem different, their causes often trace back to weak information security and data protection policies. As a result, security professionals are forced to rethink the policies they have in place and seal the cracks in their systems to protect their data, people, and the overall company.   

But Where Do Security Professionals Begin?  

Take a hard look at your existing policy and ask yourself what you are really trying to achieve. Does your current policy deliver ‘information for action’ for front-line data processors? Does it arm users with universal instructions, so they know how to act to prevent data breaches or immediately report a suspected security or privacy event? 

A common mistake in many policies is the use of overcomplicated legal language. If a policy is designed to be robust in a court of law, it has inadvertently pitted your organization against its users. In other words, you shouldn’t want to conclude that every user represents an insider threat but instead focus on the aim of enabling trusted and respected specialists to champion ‘secure productivity’.  

Similarly, another flaw in policy design is the inclusion of insights into the methods and governance structure of your security and privacy team. While transparency is vital to build and retain the trust of team members across the business, there are multiple forums such as SharePoint sites, roadshows, or one-to-one sessions where you can provide users with granular insight into how your team does its job.  

Many organizations still maintain governance structures in which information security and data protection are separated by departmental boundaries, each with their own stand-alone policies. In practice, however, security and privacy aspects converge in the secured handling of data and resolution of any potential data breach. Accordingly, security and privacy should always be treated as two sides of the same ‘data protection’ coin.  

How Does A Company Deliver A Strong Security & Privacy Policy?  

Providing evidence of internal security and privacy training completion has become a global requirement for any service provider who processes personal data. When selecting your training tool, the ease with which you can extract records of your organization’s training completion rate should be a key criterion. Not only will this significantly reduce the time your team must spend extracting evidence for training completion requests from customers or external auditors, but it will also increase your team’s ability to drive completion rates through ongoing monitoring and targeted interventions.   

Building a security and privacy policy in tandem with training will focus and streamline the ‘information for action’ a global user base will need to understand and reliably follow your mission-critical instructions. 

If the goal is to enable ‘secured productivity’, the security and privacy policy must tell the user community what they are and aren’t allowed to do in the most simple and clear terms, while being considerate of the productivity requirements associated with their respective roles. For instance, if a policy instructs users not to use certain systems such as unauthorized third-party tools to share confidential data, it must guide them to the appropriate and authorized solutions with which they can meet their business needs. Otherwise, users will either find a ‘workaround’ which poses a new security or privacy risk such as increasing the prevalence of shadow IT or the misuse authorized tools.

Your users may also be more inclined to knowingly commit a policy violation but feel justified in doing so on the grounds that they felt like they had no other choice but breach policy to complete their business-critical task.  

One critical step to achieve the right pitch and scope in a security and privacy policy is to always draft and update the policy in tandem with role-based instructions. This allows a company to drill down and issue task-specific security and privacy rules that are baked into the day-to-day technology-enabled business processes. It also enables a business to provide specialists in those functions with tailored risk awareness.  

Having a strong information security and data protection policy is one of the baseline requirements of any business which is intent on being future-proof. However, if you expect your policy to help drive ‘secured productivity’, it must enable your global user community to achieve their business needs in a secured manner, as part of a wider enablement framework which includes training and role-based instructions. 

Dr. Scott Richardson is CSO of Crayon

You Might Also Read: 

No Slack In The System:

 

« Resilience Is Essential To Protecting Critical Infrastructure
The Current Market For Cyber Security Founders & Investors »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Chertoff Group

Chertoff Group

The Chertoff Group provide security advice and risk management services covering cyber security, insider threat, physical security and asset protection.

Echelon

Echelon

Echelon Company is a provider of information security services specializing in certification of security software and hardware products in Russia.

GrammaTech

GrammaTech

GrammaTech is a leading developer of software-assurance tools and advanced cyber-security solutions.

SonicWall

SonicWall

SonicWall provide products for network security, access security, email security & encryption.

Grimm Cyber

Grimm Cyber

GRIMM makes the world a more secure place by increasing the cyber resiliency of our client’s systems, networks, and products.

RKH Specialty

RKH Specialty

RKH Specialty, part of the Hyperion Insurance Group, is a provider of specialty insurance services including Cyber Risk cover.

TechArch

TechArch

TechArch helps customers to optimize their investments in cybersecurity by providing them independent and vendor-neutral consultation and guidance.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

WiJungle

WiJungle

WiJungle is an Indian Cyber Security Company that develops and markets a unified network security gateway solution.

Data Terminator

Data Terminator

Data Terminator provide a comprehensive range of secure data destruction equipment and services are in compliance to US Department of Defense (DoD) and National Security Agency (NSA) standards.

Apono

Apono

Apono enables DevOps and security teams to manage access to sensitive cloud assets and data repositories in a frictionless and compliant way.

Certihash

Certihash

Certihash have developed the world’s first blockchain empowered suite of information security tools based on the NIST cybersecurity framework.

Phronesis Security

Phronesis Security

Phronesis Security is committed to delivering world-class cyber security consulting with a tangible social and environmental impact.

ESProfiler

ESProfiler

Enterprise Security Profiler. Empowering CISOs with clarity & confidence in their security programme by visualising capabilities, usage and spend against their key threat priorities.

Tracer

Tracer

Tracer (formerly Appdetex) is a next-generation brand protection solution. It constantly finds, analyzes, and stops brand abuse across Web2 and Web3 digital channels.

Cloudsmith

Cloudsmith

Cloudsmith is the only cloud-native, global, universal artifact management platform for securely developing and distributing software.