Cybersecurity Policy – time to think outside the box? | The State of Security

When we get into cybersecurity, one of the first things any organisation or company should do is write a cybersecurity policy, one that is owned by all. Easy words to put down on paper, but what do they mean?

So, what is a cybersecurity policy? Well, it is defined in the Gartner IT Glossary as, “an organization’s statement of intent, principles and approaches to ensure effective management of cybersecurity risks in pursuit of its strategic objectives.”

CyberSmart, who deliver training for the UK’s Cyber Essentials programme add to the definition by saying, “These principles can inform the decisions senior management make or guide employees in their day-to-day activities. Any policy worth its salt should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision makers.”

The key thing about any cybersecurity policy is not the rules the policy sets out but the framework for the culture within the organisation. The World Economic Forum, Global Risks Report 2022, indicates that, 95% of cybersecurity threats that people have faced have in some way been caused by human error. That is a factor that many people would need to think carefully about. It is how that error is dealt with that affects the impact of those breaches. A culture of fear is likely to mean fewer mistakes are reported, whereas a no blame culture is more likely to protect a business or organisation, so a policy is a critical document that either becomes a business enabler, or potentially a disabler.

With a business focus, the Federation of Small Businesses says, a cybersecurity policy should cover lots of areas, including:

• The measures you’ve put in place to minimise threats.
• What data will be backed up and how you will manage this.
• Best practice processes, such as what you should or shouldn’t do.
• The different responsibilities your employees have.

Your policy may include expectations on using social media at work, rules for using emails, or guidance for safeguarding data.

It fails to mention a password policy, and this highlights an issue, as many policies are templated and not bespoke to the needs of a business or organisation. In essence, they are a “tick-box” exercise to meet requirements under the likes of the Cyber Essentials Programme.

Any policy should have a direct link to the required business or organisational outcomes, it should be seen and written as a business enabling policy and certainly should not be something that the IT department has overall responsibility for. Elements of any policy should have a direct read across to the wider risk register as appropriate.

Linking a cybersecurity policy to a wider business risk register has a number of benefits. The first is, to the board, the risk is clear, and it makes any budget decisions easier. However, it also brings security into the realm of becoming a core business enabling function.

Chris Phelp MP, Parliamentary Under Secretary of State (Minister for Tech and the Digital Economy) with the UK Government, said on 13^th June 2022 in the UKs Digital Strategy, that:

“As our lives become increasingly reliant on digital technology, the importance of making sure that digital systems and services are secure from threats or failure is critical.  We are placing security at the heart of our approach, because we know that a digital economy whose security is assured provides the necessary stability for continued growth, and further cements the UK’s position as a Science and Tech Superpower. Without this core component, we risk undermining the progress and innovation that sets our digital economy apart.”

The link between business and a digital economy is clear, and many don’t realise some of the additional benefits from a coherent business strategy. Incorporating a cybersecurity strategy could include improved efficiency by ensuring all elements of a business or organisation are working together and pulling in the same direction. If working off a single coherent plan, the inevitable hiccups can be quickly identified and addressed. When everyone understands what’s expected of them, and goals are clearly defined, time and resources are managed more efficiently. This will ultimately help you meet targets and grow. 

This is likely to lead to better customer service by ensuring tasks are performed correctly and that every customer receives the same high level of service, thereby enhancing a business’s reputation. Improved efficiency, better customer service in an environment where risks are understood, can also lead to a safer workplace if everyone’s working to the same standards and principles.

This has the real business benefit of reducing potential costs of any attack.  The UK Government Cyber Security Breaches Survey of 2020 estimated that the average costs are over £3,000 per incident. So, having the right procedures in place not only helps to prevent a breach in your business, protecting a business’s reputation, but it also protects your bottom line by avoiding potential costly legal action and, safeguard sensitive data which is essential to comply with GDPR.

Finally, they list additional benefits as not missing sales through websites being down or transaction chains being disrupted. There is also the added fact that a sound policy will enable a business to remain updated from a cyber threat prevention perspective. One of the keys to success is to regularly review the policy, which will enable a quicker and less painful recovery if the worst should happen.

It is now time for organisations and businesses to ensure their cyber policies are fit for purpose in this developing digital age, and fit for purpose means business-focused, not just cyber-focused.

About the Author: Philip Ingram MBE is a former colonel in British military intelligence and is now a journalist and international commentator on all matters security and cyber.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.