Are cybersecurity policies valuable or just stacks of paper?

Eric Vanderburg
Security Thinking Cap
Feb 12, 2010

Security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits in someone's desk drawer. Such policies serve only to flatter the people who wrote them. Policies become valuable when they are understood, adhered to, and enforced, and that only happens when employees are trained on them. Policy training has three main components.

  1. Make employees aware of the policy.
  2. Explain the rationale for the policy and how it affects employees.
  3. Establish accountability and consequences for non-compliance.

A study by the Ponemon Institute found that 58 percent of those surveyed said their employer did not provide adequate security awareness training. The study went on to cite three reasons why employees ignore policies:

  1. Greater employee mobility.
  2. Rapid changes in technology and a lack of corporate adaptability to new technology.
  3. Pressure to do more with fewer resources.

Policies are required by many regulations, and they benefit companies because they express corporate expectations of behavior. A policy only works, however, if the company trains employees on it and sanctions violations. There must be a way to evaluate compliance, and employees must be held accountable for adherence, so that policies actually guide organizational behavior rather than merely documenting intent.

The same Ponemon research reported the following rates of insecure employee practices among respondents:

  Downloading data onto unsecured mobile devices: 61%
  Downloading Internet software onto an employer's devices: 53%
  Using web-based personal email in the office: 52%
  Sharing passwords: 47%
  Losing data-bearing devices: 43%
  Engaging in online social networking while in the workplace: 31%
  Turning off their mobile devices' security tools: 21%

Some of these activities, such as sharing passwords, are obviously bad practice. Others may be perfectly acceptable when done according to organizational guidelines. Take social networking at work: is the employee promoting the company's services and interacting with customers, or just reading posts from family and friends? A policy should draw exactly these distinctions.

Companies that truly want to get a handle on data security must not neglect the governance aspect of cybersecurity. I like to say that cybersecurity is made up of people, policies, and technology. An effective cybersecurity strategy will need to address all three.

This article was sponsored by TCDI, a cybersecurity, computer forensics, and eDiscovery company.

Security and Technology Leader, Author, Speaker, Private Investigator and Expert Witness. Vice President of Cybersecurity at TCDI. www.tcdi.com