Do Your Policies and Procedures Really Promote Better Security?

When was the last time you made changes to your security policy? When was the last time you considered how the procedures impact your business?

According to a survey conducted last year, 43 percent of businesses dealt with some type of data breach at some point during the previous twelve months. And with the number of threats out there in the world increasing every day, that number won’t shrink any time soon.

A security policy won’t prevent a data breach. But having strong policies and procedures in place will ensure that employees better understand how to prevent breaches, and what to do if one takes place.

While not having a policy in place is reckless, not reviewing it and updating it in a world that is constantly changing can be hazardous too. Security should always be evolving. If you are looking for ways to improve your security policy, consider these basic points.

Simplify

We’ve all been involved with organizations that choose to define every last detail. Even the simplest of concepts is written out and defined in binders of information. Yet keep in mind that the more content there is within your security policy, the less likely it will be read by the masses within your organization. Time is a commodity we have little of. A binder (or two or three) may satisfy a security audit, but it won’t do much to improve security within your business.

Relevancy

Does your security policy truly match the way your employees work? In many cases, the people who write a security policy don't take into account the way employees do their jobs. Today's employees use their own devices on a day-to-day basis. Departments choose programs based on what they need to get things done. Cloud computing is at an all-time high, with more moving to cloud-based services all the time. If your policy assumes less than what is actually occurring within the organization, your data can be at risk.

Automate

Employees are more likely to adhere to policies when the required steps are repetitive and automated by nature. If, for example, every email automatically flows through a central policy engine that determines whether it needs encryption before it is released, you take the human factor out of the process.

Find your biggest threats

Many security policies clearly define how to handle external threats. Yet in many cases your biggest threat is no further than the office next door. No matter how many times an employee changes their password, or what apps they have installed on their smartphones, if an employee wants to do damage, they know where vulnerabilities lie and how to move around them quickly and efficiently.

Most IT professionals will list employees not following procedures as one of their biggest threats. Yet in many cases, they aren’t providing the proper policies and training to change the situation.

Policies need to be created around the way employees work. Clear training should then be provided to give employees a better understanding of expectations. It's not something that occurs once when an employee is hired on, especially in this fast-changing world. Technology has a short shelf life; failing to recognize that and train accordingly on a regular basis increases your internal risks.

Any policy written two or more years ago and not reviewed since probably has significant holes in the process. If you haven't reviewed your policy, or trained your employees accordingly in that time frame, your internal threats are very real.