Last month I was chatting with a journalist and he asked me what my top three security tips for an organisation would be. I started answering his question by saying that companies had to look beyond ‘good enough’ security, consider whether passwords in their current format were really secure, and just as I was about to deliver my third tip, I realised that these were all superseded by the need for a comprehensive security policy, which if approached correctly would address these points.
By comprehensive I don’t mean that companies need to create an enormous document with sub sections of sub sections. What I do mean is that any security policy needs to take into account new developments, disruptive technologies and the ongoing evolving, sophisticated nature of cyber attacks. A security policy cannot be a static document and yet all too often it is. Security is a constantly changing market and, as such, companies cannot afford to be complacent/fall behind.
Not sure? Well just think about the IT environment just five years ago. How we work, the devices we use and where we store content has all changed. Previously companies could be confident that sensitive data was stored only on PCs, but now that information sits on smartphones, laptops, tablets and cloud. The associated security risk is wide ranging. That’s why your security policy needs to be continually evolving – taking changes in working practices, not just the security landscape, into account.
Here are my top five tips for ensuring you create a robust security policy that, rather than gathering dust, provides tangible value to your business:
1. First of all, you need to ensure that you understand your business’s operating environment so that the policy effectively mitigates the threats and risks you face, as well as looking after the assets that you’re seeking to protect. Could lives be lost or just corporate data? Are you subject to the risk of corporate espionage and insider threats on top of cyber attacks? This might seem like an obvious point, but is often overlooked by companies. There is no one size fits all approach when it comes to formulating a security policy – it should be as unique as your business.
2. It’s unlikely that without the aid of metal detectors and full body searches you’ll be able to completely ban or prevent the use of portable storage devices within your organisation. Especially as more and more employees work from increasingly disparate and varying locations. Therefore, a key element of any security policy should seek to protect the data on those devices and state that only password protected USB devices should ever be used to store corporate data.
3. No computer or tablet that’s not ‘locked down’ by IT should ever be connected to the corporate network – either from inside (fixed line or wireless) or outside (VPN or VDI). Equally though, your security policy needs to actually enable your business. So, in order to ensure you can accomplish this without causing a lot of user frustration, consider allocating employees with a corporate computer for use inside the network and an IT secured USB device for outside.
4. Encrypt your data. Whether your data is in transit or at rest, encryption is absolutely critical to safeguarding confidential company information. Whether you use strong authentication or hardware encryption will very much depend on your organisation, but don’t make the mistake of thinking that encryption is a silver bullet. You need to be able to manage encrypted devices in order to ensure that if there are any concerns that data integrity has been compromised, it is possible to remotely wipe the device.
5. Human error is a huge potential vulnerability when it comes to security and your policy should seek to mitigate the risks associated with human nature. Passwords in their current format are inherently insecure, so don’t rely on them alone. Use multi-factor authentication such a voice, retina or biometrics – something unique to the individual. This might all sound a bit ‘Minority Report’ now, but in five years’ time, such implementations will be commonplace.
Does your organization have a comprehensive security policy in place?