Is your security policy a no-brainer?

My recent column about how throwing money at the problem isn't the answer to the IT security question in the enterprise has certainly ruffled a few feathers, particularly among those with a vested vendor interest.

My hypothesis was accused of being too simplistic, and that if I were to consider things with a little more breadth and depth I would reach the inevitable conclusion that tight budgets are the root of all that is evil as far as data insecurity is concerned.

After all, how could I even start to counter the argument that budget constraints mean innovative and more efficient security solutions are being overlooked?

Here's how. I have on my desk a piece of research which suggests that when it comes to 'desk-based workers' in the UK and US, as many as 70 per cent have no idea who to report a security breach to.

Let's shuffle that a bit and see if it sounds any better: around a third of workers know who to contact within the organisation if they suspect a device has been subject to a security breach.

Nope, sounds just as bad too me. OK, I have to use the 'admittedly clause' as there's yet another vendor with something to sell involved here, but this does mirror my own experience of working with organisations within the SMB space.

The vendor was using the research to market an access management solution off the back of these results and others suggesting the same workers are ignorant about the risks of sharing logins, will IT professionals continue to overlook the problem of insider threats.

That vendor, IS Decisions, calls it "a shocking deficiency in effective training" and I agree. However, it cuts deeper than that. It's also a shocking misunderstanding of security basics and all too common, if my experiences over the last twenty years are anything to go by, where policy is considered something that managers create and workers ignore.

This may be vaguely acceptable if said policy concerns the colour of employee socks or how many loo breaks they're allowed per working day, but when it comes to the enterprise's security posture, that's a different matter.

So the vendor press release failed to hit the intended target as I didn't come away after reading it thinking that organisations need yet another layered user access management system, but that such things are pointless if the policy that underpins everything is badly drawn up and even more poorly implemented.

The problem with many IT security policy documents is that they are seen as just a piece of paper, when they need to be a living and breathing portrait of your understanding of risk.

The larger the enterprise, the better this is understood and that has nothing to do with budget and everything to do with the culture of security thinking. Best practice and education are all too often sacrificed to the Gods of insufficient time and will as you move down the enterprise scale.

Every enterprise benefits from having a formal, properly implemented IT security policy. I am inclined to think this has not a lot to do with rules and regulations, permissions and process, but relates to thinking. And by that I mean "thinking" about what data security really means to your business.

The act of creating a written, structured response to those needs, from top to bottom, is both an eye-opener and a potential business saver.

Think about what a security policy actually is and, once stripped back to the basics, you realise it's nothing more than a commitment to protect all the data that a firm creates and uses.

It's not something that you can delegate, that's security suicide, but it's something you have to take responsibility of as an organisation.

Get to grips with that concept and things like ensuring all employees are on-board, educated and aware become an organic part of your business process.

Davey Winder

Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.

Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.

You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.