Use these 5 Tricks to Enforce your Office’s Cyber Security Policy
You may notice that the leaders in your work environment are letting repeat offenders of cyber security policy off the hook. Use these five helpful tips courtesy of T&M Protection Resources to solve that issue.
- For enforcement to be practical, update cyber security policies regularly to keep up with emerging threats.
- Cyber security policies should include guidance. If shredding sensitive documents such as printed emails in a timely manner is a policy, then make it part of that policy that managers and supervisors check that shredders are being used and that sensitive documents aren’t discarded in a waste bin, so compliance is verified. Breaking policies into achievable tasks transforms written policies from a piece of paper into the underpinnings of a culture of compliance.
- Cyber security policies should include procedures for testing, enforcing, and investigating breaches of policy. It is better to have a procedure that you never need to use than to not have one when you need it. It is equally important to test controls around the enforcement of all procedures.
- Administer disciplinary action for chronic carelessness or an intentional breach of cyber security policy. If the breach was accidental, it should be treated as an opportunity for more cyber security awareness training. But whenever chronic carelessness or an intentional breach occurs, disciplinary action should be considered. Remember that some punishments are external. If an employee breaches a policy that also happens to violate the law, then the consequences to the employee, the employee’s manager or supervisor and the company itself can be very grave. In recent years, responsibility for cyber security breaches has shifted to supervisors, managers, executives, and even the board of directors if there is evidence of a pervasive culture of noncompliance with cyber security policies and regulations.
- Ensure that disciplinary action for cyber security breaches is equitable. Do not allow the stature of senior and middle management, or an employee’s close relationships with management, to insulate them from consequences that would be administered to other employees. Doing so risks creating an ‘us vs. them’ culture in the company that can hinder cyber security goals and employee productivity. This cronyism also ignores the reality that breaches of cyber security policy by senior employees often carry a much higher risk, because of their access to more sensitive and vital company data, and should therefore come with a greater expectation of responsibility.