The Role Of Policies In Driving ‘Secured Productivity’

Uploaded on 2022-12-12 in TECHNOLOGY--Resilience, FREE TO VIEW

Don’t hide behind your users if your security and privacy policy is a weak link.  

For anyone who has completed their annual analysis of internal security events, it surely came as no surprise when Verizon reported that in 2022, 82% of breaches involved human elements, including social attacks, errors, and misuse. 

Alerts reporting cyber attacks from criminals who have succeeded in exploiting employee user accounts and devices have become a staple diet in today’s business news.

The ripple effect when these attacks have been perpetrated against software vendors or IT service providers is immeasurable. Especially, when their respective customers must frantically design and deploy their own countermeasures against the threat of ‘back-door-attacks’. Cyber criminals now operate highly sophisticated organizations with a variety of low-cost, readily available hacking tools. By using increasingly refined attack playbooks, cyber criminals are now ransacking all the personal and shared mailboxes to which the user account they have managed to compromise has access to in a matter of minutes.  

So, no matter how much you invest in incident detection and response, it is evident that preventative measures focused on user behavior are critical to your resilience against many cyber attacks.  

While each security or privacy incident may seem different, their causes often trace back to weak information security and data protection policies. As a result, security professionals are forced to rethink the policies they have in place and seal the cracks in their systems to protect their data, people, and the overall company.   

But Where Do Security Professionals Begin?  

Take a hard look at your existing policy and ask yourself what you are really trying to achieve. Does your current policy deliver ‘information for action’ for front-line data processors? Does it arm users with universal instructions, so they know how to act to prevent data breaches or immediately report a suspected security or privacy event? 

A common mistake in many policies is the use of overcomplicated legal language. If a policy is designed to be robust in a court of law, it has inadvertently pitted your organization against its users. In other words, you shouldn’t want to conclude that every user represents an insider threat but instead focus on the aim of enabling trusted and respected specialists to champion ‘secure productivity’.  

Similarly, another flaw in policy design is the inclusion of insights into the methods and governance structure of your security and privacy team. While transparency is vital to build and retain the trust of team members across the business, there are multiple forums such as SharePoint sites, roadshows, or one-to-one sessions where you can provide users with granular insight into how your team does its job.  

Many organizations still maintain governance structures in which information security and data protection are separated by departmental boundaries, each with their own stand-alone policies. In practice, however, security and privacy aspects converge in the secured handling of data and resolution of any potential data breach. Accordingly, security and privacy should always be treated as two sides of the same ‘data protection’ coin.  

How Does A Company Deliver A Strong Security & Privacy Policy?  

Providing evidence of internal security and privacy training completion has become a global requirement for any service provider who processes personal data. When selecting your training tool, the ease with which you can extract records of your organization’s training completion rate should be a key criterion. Not only will this significantly reduce the time your team must spend extracting evidence for training completion requests from customers or external auditors, but it will also increase your team’s ability to drive completion rates through ongoing monitoring and targeted interventions.   

Building a security and privacy policy in tandem with training will focus and streamline the ‘information for action’ a global user base will need to understand and reliably follow your mission-critical instructions. 

If the goal is to enable ‘secured productivity’, the security and privacy policy must tell the user community what they are and aren’t allowed to do in the most simple and clear terms, while being considerate of the productivity requirements associated with their respective roles. For instance, if a policy instructs users not to use certain systems such as unauthorized third-party tools to share confidential data, it must guide them to the appropriate and authorized solutions with which they can meet their business needs. Otherwise, users will either find a ‘workaround’ which poses a new security or privacy risk such as increasing the prevalence of shadow IT or the misuse authorized tools.

Your users may also be more inclined to knowingly commit a policy violation but feel justified in doing so on the grounds that they felt like they had no other choice but breach policy to complete their business-critical task.  

One critical step to achieve the right pitch and scope in a security and privacy policy is to always draft and update the policy in tandem with role-based instructions. This allows a company to drill down and issue task-specific security and privacy rules that are baked into the day-to-day technology-enabled business processes. It also enables a business to provide specialists in those functions with tailored risk awareness.  

Having a strong information security and data protection policy is one of the baseline requirements of any business which is intent on being future-proof. However, if you expect your policy to help drive ‘secured productivity’, it must enable your global user community to achieve their business needs in a secured manner, as part of a wider enablement framework which includes training and role-based instructions. 

Dr. Scott Richardson is CSO of Crayon

You Might Also Read: 

No Slack In The System:

 

« Resilience Is Essential To Protecting Critical Infrastructure
The Current Market For Cyber Security Founders & Investors »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

High Sec Labs (HSL)

High Sec Labs (HSL)

High Sec Labs develops high-quality, cyber-defense solutions in the field of network and peripheral isolation.

Massive Alliance

Massive Alliance

Massive is a global service agency providing internet monitoring, data & security threat surveillance and reputation management.

Global Lifecycle Solutions EMEA (Global EMEA)

Global Lifecycle Solutions EMEA (Global EMEA)

Global EMEA provides full lifecycle services to corporate Clients covering procurement, configuration, support, maintenance and end-of-life asset management.

Nexon Asia Pacific

Nexon Asia Pacific

Nexon solutions include cloud infrastructure and services, unified communications, managed security services, business continuity, secured high-performance network and business applications.

Cegeka

Cegeka

Cegeka is a family-owned IT company providing end-to-end IT solutions, services & consultancy.

Block Harbor Cybersecurity

Block Harbor Cybersecurity

Block Harbor has worked closely with automakers, suppliers, and regulators since 2014 on vehicle cybersecurity.

MiC Talent Solutions

MiC Talent Solutions

MiC Talent Solutions provides recruiting, direct hire, augmented staff, and professional service contracting solutions for organizations searching for minority cybersecurity talent.

Defence Innovation Accelerator for the North Atlantic (DIANA)

Defence Innovation Accelerator for the North Atlantic (DIANA)

The NATO DIANA accelerator programme is designed to equip businesses with the skills and knowledge to navigate the world of deep tech, dual-use innovation.

Digital.ai

Digital.ai

Digital.ai empowers organizations to scale software development teams, continuously deliver software with greater quality and security.

White Knight Labs

White Knight Labs

White Knight Labs is a cyber security consultancy that specializes in cybersecurity training.

LetsData

LetsData

LetsData uses AI to provide governments, intergovernmental organizations, civil society, and businesses with data-empowered decisions on communication in the age of online disinformation.

TrueBees

TrueBees

TrueBees is the first deepfakes detector able to detect AI-generated portraits shared on social media and to prevent their diffusion across the web.

CyberGrape

CyberGrape

CyberGrape is a client centric managed services company, providing enterprise leading security solutions and helping companies through their IT risk and security challenges.

AUCyber

AUCyber

AUCyber is a leading provider of managed cyber security solutions and consultancy services, specialising in supporting Australian organisations and Government agencies.

IT.ie

IT.ie

IT.ie are a comprehensive provider of Managed IT Services, Cloud Solutions, Cyber Security, and proactive IT support services.

EpicCyber

EpicCyber

Since 2011, Epic Cyber has pioneered the integration of enterprise cloud technology.