The only constant in security is change. New developments, disruptive technologies and the continually evolving sophistication of cyber attacks mean that new vulnerabilities emerge every day.
As employees take more and more data outside of the enterprise on an ever wider range of devices, these risks are only set to escalate. This makes having a robust and comprehensive security policy in place absolutely key. But how do you ensure that employees pay attention to the salient points, and what should those points be? Here are Nick Banks’ top five tips for developing a well-rounded security policy:
1. First of all, you need to ensure that you understand your business’ operating environment so that the policy effectively mitigates the threats and risks you face, as well as looking after the assets that you’re seeking to protect. Could lives be lost, or just corporate data? Are you subject to the risk of corporate espionage and insider threats on top of cyber attacks? This might seem like an obvious point, but it is often overlooked by companies. There is no one-size-fits-all approach when it comes to formulating a security policy – it should be as unique as your business.
2. Without the aid of metal detectors and full body searches, it is unlikely that you’ll be able to completely ban or prevent the use of portable storage devices within your organisation, especially as more and more employees work from increasingly disparate and varied locations. Therefore a key element of any security policy should be to protect the data on those devices and to state that only password-protected USB devices should ever be used to store corporate data.
3. No computer or tablet that has not been ‘locked down’ by IT should ever be connected to the corporate network, either from inside (fixed line or BYOD) or outside (VPN or VDI). Equally though, your security policy needs to actually enable your business, so to accomplish this without causing a lot of user frustration, consider allocating employees a corporate computer for use inside the network and an IT-secured USB device for use outside it.
4. Encrypt your data. Whether your data is in transit or at rest, encryption is absolutely key to safeguarding confidential company information. Whether you use strong authentication or hardware encryption will very much depend on your organisation, but don’t make the mistake of thinking that encryption is a silver bullet. You need to be able to manage encrypted devices so that, if there are any concerns that data integrity has been compromised, it is possible to remotely wipe the device.
5. Human weakness is the key vulnerability when it comes to security, and your policy should seek to mitigate the risks associated with human nature. Passwords in their current format are inherently insecure, so don’t rely on them alone. Use multi-factor authentication such as voice, retina or other biometrics – something unique to the individual. This might all sound a bit Minority Report now, but in five years’ time such implementations will be commonplace.
Taking all of this into account, if we had to summarise it in one sentence: be clear, be concise and be consistent, because security policies only work when they can either be rigidly enforced (not an option for most enterprises) or are easy to follow.