Conversations about business security often center on what additional measures companies should take to protect themselves from cyber threats. However, what many businesses don’t consider are the effects of poor security policy enforcement practices at their firm. The National Institute of Standards and Technology released a study indicating that employees at businesses often report experiencing “security fatigue,” or exhaustion related to keeping up with security policies and procedures set in place at their firm.
Soteria has witnessed the negative impact “security fatigue” can have on firms. When this exhaustion or frustration sets in, it causes people to become sloppy in their security habits, such as leaving passwords written in plain sight, disabling antivirus notifications, or bypassing firewalls to get access to social media sites. All of these side effects of “security fatigue” render established security useless and leave your company more vulnerable.
What’s the secret to avoiding “security fatigue”? Tackling security with cross-functional teams.
A common misconception is that security policy enforcement is the sole responsibility of a firm’s “tech people.” The fact is every employee bears the responsibility of maintaining a business’ security posture.
In order to avoid “security fatigue” at your firm, keep these tips in mind when establishing and revising security policies and procedures.
- Include technical and non-technical staff on your security policy development teams. When departments such as marketing, sales, and HR are left out of the security conversation, a true understanding of the daily workflow of these departments is overlooked. For example, company-wide access to social media sites may be blocked, preventing the sales team from generating new leads and the marketing team from sharing content. The result is either a slump in business or your sales and marketing teams potentially using insecure ways of gaining access to these sites.
- Make sure your employees have the tools they need to effectively carry out established policies. Ensuring your firm can provide employees the tools and training they need to effectively carry out established security policies is also critical. A common example is employers requiring their employees to use a different password for every account they have without providing them a way to easily and securely store these passwords. The result? Expect employees to find insecure ways of quickly accessing their password information. Writing passwords down on sticky notes and leaving them on a desk is a common bad habit we see.
- Review and revise your policies regularly. Lastly, having routine corporate security reviews is critical to effective security policy enforcement. As your business’ teams, procedures, and technology stacks change, your corporate security may need to be adjusted as well. Ensuring your employees are able to voice their concerns will enable your firm to tailor security policies that fit your business’ needs and keep security on the mind of every employee.