These days, it's fair to say that your own employees pose as much of a threat to your sensitive data as shadowy cyber criminals and their sneaky malware. Numerous recent studies of employees have highlighted the problem.
Earlier this year, the Ponemon Institute, which conducts independent research on privacy, data protection and information security policies, released a study of US workers revealing that six out of 10 employees who left their job in the last year stole company data on the way out. A higher proportion admitted to using the stolen data to get their new job.
A separate study in the UK by Infosecurity Europe found that more than a third of employees would steal sensitive data if they thought they could make some decent money from selling it on. Alarmingly, 2% said they would steal data for a good dinner. So where do you start?
The best security system starts by developing a security culture within your company. The first, and most important, step in that process is creating a security policy.
A security policy, at its simplest, allows you to:
- outline the company's stance on data security
- identify what data needs to be protected
- educate employees about security issues and measures
- inform employees what is, and what is not, acceptable usage behaviour and the penalties for violating the rules
- create a framework for monitoring data and systems usage
- keep your business compliant with legislation and regulations
"The greatest threat to data security is lack of awareness, both at a corporate level and at an end user level," says Rik Ferguson, Senior Security Analyst at Trend Micro. "The security policy exists to authorise courses of action within the various areas of the company."
Driven from the top down
From those employed in the mail room to the CEO in the boardroom, data security is something that everyone has to take seriously or else the protection systems you put in place will fail.
While securing that data might require an IT solution, a good security policy must be initiated in the boardroom and fed down through the company. If you're not sure what exactly your security problems are, carry out a risk assessment process to discover your weaknesses.
Ferguson adds: "It is essential that the Board and chief executive level of the company are instrumental in designing the principles that the organisation will follow when securing information."
There is no 'one-size-fits-all' when it comes to security policies. Every company is different and the data they deal with ranges widely in value. A small company looking at security for the first time need only concern itself with the basics in a document that is just a few pages long.
A larger business with some existing security guidelines may have to create a number of security policies to address different workgroups. A technically detailed security policy, for instance, is not going to be read by most employees, and a policy that is not read has already failed. Tailor the security policy for the key groups in the business.
Good security policies
The best security policies should not come across as draconian either. They are not just there to police your workforce and club them over the head every time they visit Facebook on their lunch-break.
The policy should also not make it more difficult for people to do their jobs, as that will damage business performance and create a poor working environment.
A good security policy sets out to help staff understand security issues, promote best practice and put in place mechanisms by which the security measures can be adapted to meet changing threats in the future.
Just as security policies have to come from the top, they work best when there is buy-in from key management personnel in different departments.
Policies often fail by not outlining who is accountable for what. Accountability needs to be addressed so that there are people responsible for overseeing and enforcing the rules at different levels.
Also, just because a policy has been written and made available to employees, doesn't mean that's the end. It's just the start. Now you have to educate employees about the security policy because security is a learned behaviour and regular training will be needed.
"Education is the cornerstone of any corporate security program. It is not enough to rely on a single training week or day when employees join the company. It is not really even enough to rely on annual self-assessment," says Ferguson.
"Poster campaigns around the office, regular penetration testing that includes 'social engineering', mystery shopper exercises, viral videos, desktop gadgets - all of these play important parts in keeping the message uppermost in people's minds."