Sure, a fully stocked library sounds like a great thing. Libraries are awesome! People like content. Abundance is alluring. More is more, after all…. isn’t it?
When it comes to the corporate information security policy library, abundance might be standing in the way of comprehension and application of security rules that should be followed consistently and by everyone in an organization. It might be getting in the way of anyone (besides the author, lawyer or auditor) ever reading the content. It might even be overwhelming an employee, otherwise enthusiastic, about upholding security.
The thing is, even with these fully-stocked policy libraries, we still hear stories time and time again about how malware and cybercrime don’t just survive, but thrive, because individuals and businesses fail at the most basic security tenets. A vendor patch was ignored. An unlocked laptop was left unattended. A link in a phishing email was opened in haste. A phone was answered by an employee delighted to share too much information with the happy caller.
And so, individuals at your organization should be armed with readily available guidance on these types of risks as well as others, their potential consequences, and how to best manage and react to them within the context of your control environment and compliance requirements. However, while these documented policies and procedures guides are important, it’s empowering the confident security-aware individual that will ultimately determine how protected an organization is against a large-scale data breach or cyber attack.
When it comes to the corporate information security policy library, my advice is this:
Keep It Simple
Information security can be as simple or as complicated as we want to make it when we’re viewing it through the lens of a corporate policy. Cover the basics in corporate policies that are made available to everyone in the organization. Leave the minutia for the procedural documents maintained at the department level. This will increase the approachability of your policy library and will make the chore of keeping the library up-to-date and relevant a much easier task.
Maintain Universal Digestibility
Write policies that are easily understood by everyone, including the savviest security engineer, the newest HR recruit, and the most tenured customer service representative. This will increase the chance that your policy library is a source of guidance, rather than a source of confusion.
Spread and Re-spread the Word (a little at a time)
Require security awareness training as part of every employee’s onboarding process. Make it fun to increase the chance that every attendee will not only walk away feeling confident in the concepts, but may even be inspired to share what they learned with others.
Send periodic security reminders to the entire organization and, if available, include a recent example from the news illustrating the importance of a basic security measure in place at your organization to prevent that very same kind of breach or attack. Point to the policy where employees can find more guidance.
Encourage and Empower Individuals to be Confident in Their Understanding of Cybersecurity
When information security policies are straightforward, and employees can relate them to their everyday tasks of managing inboxes, communicating with others, and transferring files in/outside of their organization, they will have increased confidence in spotting suspicious emails, identifying phony inquiries, and escalating security incidents to the right people.
Whether you are a public company in a highly regulated industry or a startup going through your first SOC report, up-to-date policies and procedures are the foundation for a sustainable, and understood, security and compliance program. Information security policies are important for the organization and for its employees. They set the tone at the top about the attitude an organization has towards security. They provide guidance on security best practices. They set boundaries for acceptable use. They limit and clarify legal liability, and they define the consequences of policy violations. And if they’re effective, they support a knowledgeable and confident employee base, capable of stopping cyber criminals in their tracks.
Kyle Helles is a Senior Consultant in our Cyber Risk Advisory practice. Contact her at firstname.lastname@example.org.