It's Just Results knows that the best solutions and ideas come from teams. We prefer working with collaborative and innovative partners in security and compliance. One of our partners is ThreatSwitch.
This is the second post created in partnership with ThreatSwitch, a cloud-based industrial security compliance solution that aims to radically simplify and automate high-volume, data-intensive, and administrative tasks. Please visit threatswitch.com to learn more.
ThreatSwitch invited us to continue to participate in their Partner Perspective series. The focus of the series is to share insights that you can use to improve your own security program and security policies.
Not Following Policies Is Common
A 2018 Kaspersky Lab study found that only 12% of employees know of an organization’s security policies and rules. The same survey said 24% of employees believe that the organization they work for does not have security policies.
Many companies have employees who are not aware of the company’s expectations of their behavior. The only way for staff to know their responsibility and their role in meeting security requirements is for these requirements to be documented, communicated, and shared. A written document establishes explicit activities and guidelines for employees to follow, but without staff participation, a company’s security posture will be deficient.
10 Reasons Why Employees Are Not Applying Policies
In response to policy challenges, we've worked with business leadership and staff to identify the top reasons why employees are not engaging with security policies:
Designing Policies that Engage Employees
Getting all of your employees engaged with your policies might seem like an impossible task, but don't give up quite yet! To improve policy development speed, implementation, use, and buy-in, incorporate these critical variables:
In addition to the basic policy requirements listed above, we recommend including the Center for Internet Security (CIS) 20 controls. The controls are updated every few years and are available as a free download at https://www.cisecurity.org/controls/. It is generally accepted that these controls address 85% of the cyber threats companies face.
Do your policies include these security controls? If not, you likely have a security gap and will need to make decisions and codify them in your new or revised policies.