Your business needs multiple approaches to security: here’s why

Security

Businesses today face myriad complex threats coming at them from every angle. From hackers and hacktivists to sophisticated cyber criminal gangs and nation-state funded advanced attacks, these threats can be catastrophic to the business.

Add to this the growing business complexity and increasing staff count in multiple locations, and even third-party vendors and suppliers — all of whom have access to sensitive information.

These challenges are driving the need for a comprehensive security policy that addresses all these factors, while allowing the business to still run smoothly. The policy must be precise and cover all domains, and must not be ambiguous or open to interpretation by different users.

There are two schools of thought here: one that believes simpler policies will drive better user compliance, and one that thinks they should be highly structured, complex and clear.

There is merit to the argument that the solution lies in a structured, measurable compliance programme that, although fairly complex, is also completely clear. Ignorance is too often the reason why staff don’t comply with policy. Awareness can be created through regular advisories, self-paced online learning modules and similar. Companies can insist that these are mandatory for all staff and third-party partners, and can build them into the HR induction process for new staff.

This approach is popular in those businesses that see security as a business concern, not just a problem for the technical department to handle. Compliance needs to be driven by the business needs and functions, not just by the security practitioners. It needs to meet ‘SMART’ criteria; in other words, it must be specific, measurable, achievable, relevant and time-bound.

Security policy must be clear, comprehensive and well-defined, and must cover all the rules and practices that regulate access to a company’s systems and networks and all the data that resides within them.

The other school of thought says the human element needs to be a stronger consideration when coming up with policies and rules. “We all know that nobody reads the fine print, or has the time or energy to read a policy manual that’s as thick as a book. Their attention span is limited, and if their attention isn’t caught in that time, you’ve lost them.”

To account for this, some organisations favour a short, clear list of do’s and don’ts that are simple and easy to understand. A security policy can be an extremely lengthy document when you take into account the different elements that cover best practices and industry standards, as well as the expected regulatory and privacy requirements. The policy does need to be comprehensive and cover all the essential points, but it must be easy to read too, or the points will go in one ear and out the other.

He says the policy must be appropriate to the risks involved. Too often policies are based on standards that do not apply to the particular business in question. Rather, design a main policy which covers the major objectives and is there for all staff to read. More detailed policies can be written for specific user groups, who have different access levels and suchlike, and there can be even more detailed policies covering specific products that are only for individual users if needed.

Which approach a business adopts will depend largely on its corporate philosophy as well as the nature of its business, but following the basics and educating staff is always a good starting point. “Good policies will protect not only data and systems, but staff and the business as a whole. They also serve as a statement to external stakeholders on the company’s commitment to security.”
