Blog

Thoughts and ideas from It's Just Results
Top 10 Reasons Why Employees Are Not Applying Policies
June 30, 2019 at 8:00 AM
rs=w_1280 (1).jpeg

It's Just Results knows that the best solutions and ideas come from teams. We prefer working with collaborative and innovative partners in security and compliance. One of our partners is ThreatSwitch.  

This is the second post created in partnership with ThreatSwitch, a cloud-based industrial security compliance solution that aims to radically simplify and automate high volume, data-intensive, and administrative tasks. Please visit threatswitch.com to learn more. 

ThreatSwitch invited us to continue to participate in their Partner Perspective series. The focus of the series is to share insights that you can use to improve your own security program and security policies.

Not following Policies is Common

A 2018 Kaspersky Labs study found that only 12% of employees know of an organization’s security policies and rules. This same survey said 24% of employees believe that the organization they work for does not have security policies.

Many companies have employees who are not aware of the company’s expectations of their behavior. The only way for staff to know their responsibility and their role in meeting security requirements is for these requirements to be documented, communicated, and shared. A written document establishes explicit activities and guidelines for employees to follow but without staff participation, a company’s security posture will be deficient.

10 Reasons Why Employees are Not Applying Policies

In response to policy challenges, we've worked with business leadership and staff to identify the top reasons why employees are not engaging with security policies:

  • Externally developed policies (i.e. not by internal staff/employees)
  • Confusing and complex language
  • Management not involved, roles not defined
  • Dry and boring language
  • Not relevant to business work environment
  • Outdated (have been on the shelf for several years)
  • Staff does not understand need for policies
  • No time provided to read policies/text is not relevant
  • Leadership does not enforce standards/no consequences for not following policies
  • Insufficient resources to execute policies

Designing Policies that Engage Employees

Getting all of your employees engaged with your policies might seem like an impossible task, but don't give up quite yet! To improve policy development speed, implementation, use, and buy-in, incorporate these critical variables:

  • Compliance Mapping: Map Policy documents to over 100 controls required by DFARS 252.204-7012, including NIST SP 800-171 requirements
  • Background, Purpose and Scope: Establish context, set clear goals and expectations of the policy, and describe what the policy encompasses.
  • Key Procedures: Write easy to understand procedures that describe activities. Note: This is not a detailed step-by-step implementation instruction.
  • Schedule: Establish an overall timeline and include; all security activities, individuals assigned to the activities, and activity frequency. This is a living document.
  • Shared Accountability: Require each staff member and consultant to read the policies. Each person must attest to reading and understanding the policy. Distribution is annual and updates should be distributed when policy changes are implemented.
  • Violations: Violations of information security policies have consequences. Consequences may be at the business or employee level. Employees must understand that not following policies will also have personal consequences.
  • Ownership: Identify a Policy Owner to answer questions about the policy.

In addition to the basic policy requirements listed above, we recommend including the Center for Internet Securities (CIS) 20 controls. The controls are updated every few years and can be found for free download at https://www.cisecurity.org/controls/. It is generally accepted that these controls address 85% of the cyber threats companies face.

Do your policies include these security controls? If not, you have a likely security gap and will need to make decisions and codify them in your new or revised policies.