Today’s advanced persistent threats, new business technologies and a younger workforce have prompted security budgets to shift from breach prevention to detection and response. Those same forces have also motivated many organizations to take a fresh look at their security policies and guidelines – and for good reason.
By 2018, for instance, 50 percent of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, according to Gartner. Does your policy align with those of your partners?
The majority of companies have some form of security policy already in place, whether created from scratch or borrowed from myriad templates available through security organizations and vendors. How effective those policies are today is another story. Some 31 percent of companies have a formal security policy for their company, while another 34 percent have an informal security policy that is adopted by various departments in the company, according to a survey of 1,500 software developers worldwide by Evans Data Corp.
The golden rules for writing security policy still apply, such as making sure the process is shared with all stakeholders who will be affected by it, using language that everyone can understand, avoiding rigid policies that might limit business growth, and ensuring the process is pragmatic by testing it out. Just because policies are intended to be evergreen doesn’t mean they can’t become stale, says Jay Heiser, research VP in security and privacy at Gartner. Particularly at the standards levels, one level below policy, guidance may need to be updated for different lines of business, or for jurisdictions that may be driven by different regulatory rules or geographic norms. Security and risk experts offer five reasons why companies should take a fresh look at security policies.
1. Ransomware, DDoS and APTs
The number of ransomware attacks targeting companies increased threefold from January to September 2016 alone, affecting one in every five businesses worldwide, according to Kaspersky Lab. The average distributed denial of service (DDoS) peak attack size increased 26 percent in Q1 2017 compared to the previous quarter, according to Verisign.
In the past, security policies focused on how to protect information. There would be policies associated with data classification and policies associated with how to not share information in a certain way on the network. “Now, because of ransomware and advanced persistent threats (APTs), policies have to focus more on user behavior and on the behavior of the bad guys,” says Eddie Schwartz, chairman of ISACA’s cybersecurity advisory council and executive vice president of cyber services at DarkMatter LLC.
While a security policy should be “fairly stalwart and stable” to withstand those threats, some standards and individual procedures written for how to deal with individual threats may have to be updated more frequently as the threat environment changes, says Julie Bernard, principal in the cyber risk services practice at Deloitte in Charlotte, N.C.
2. Cloud, IoT, blockchain and other new technology
Next-generation tools, such as the Internet of Things (IoT) in manufacturing or blockchain in financial services, are driving changes to security policies. “Policy has to keep up with the dynamic environment you’re in,” says Bernard. “If your company is going to cloud, tech people are worried about uptime and security, but what about the policies that go along with it? Can I share information with one of my key vendors through a cloud app? If so, which one? And how do you facilitate that, which gets into standards questions,” Bernard explains.
“You could have a policy of ‘thou shall not share,’ but unless you have the technical ability to block that, people are still going to try to get their work done” and do it anyway, she adds.
3. Changing user behavior
A growing millennial workforce is changing the technology expectations and work behaviors that affect security policies and standards, Schwartz says. “It’s more about ‘if you’re on Facebook at work watching that funny cat video, be careful because it might contain embedded malware,’ or ‘just don’t do it at work,’” he says. “Instead of giving users instructions that are generic about protecting information, you really have to tailor those instructions to the behaviors that we know they’re doing at the office,” such as using smart devices connected to corporate networks or surfing social media on company laptops.
In some organizations, security standards and procedures include equal parts of preventative measures and response measures, including directions for taking action after a breach inevitably happens, Schwartz says.
4. Security fatigue and lax enforcement
Sometimes employees just get tired of following all the rules, Heiser says. Pile on too many “don’ts” over time in the security policy, and security fatigue can start to diminish a policy’s effectiveness. “They’ll just begin tuning it out,” he says.
In response, organizations often lighten up on enforcing policies in areas of rampant use, such as public and cloud computing. “The majority of organizations are not enforcing the use of SaaS,” Heiser says. “They’re allowing fairly free use of anything that employees can connect to,” which negates having the policy at all.
5. Some policy elements are obsolete
“Organizations typically don’t take a methodical look at their policy elements to see if they’re actually changing what happens,” Heiser says. “If they don’t change what happens, then what’s the point?” He suggests making a spreadsheet of all security policies and grading them on a scale from one to five. “Are they followed or not? If they were followed, would it reduce risk? If either one of those is zero, then the net outcome is probably zero, unless there’s an audit requirement” to include it.
“The fewer rules there are, the more reasonable it is to expect people to follow them,” Heiser says. “If you want to add something, then take something out.”
While an annual review of security policies is common, especially where compliance rules are involved, some analysts believe the standards and procedures should be reviewed quarterly. “In general, for a large organization the absolute minimum is quarterly, but they should also be reviewed as needed,” Schwartz says. “If they discover a gap due to a change in the threat landscape, or get a new HR system or move to the cloud, a new mobile environment – all of those events are going to trigger potential changes in policy.”
All new threats should be held up to established security policies to make sure they are addressed at the highest level. If they aren’t, then, “You have to have an executive leadership conversation on what do you want to do on principle” with the security team, legal, audit and compliance to determine the right course of action and then craft a policy, Bernard says. Once the security policy, standards and procedures are cleaned and up to date, make it easy for employees to find quickly, she adds.
One of the first things that James Baird did when he joined the American Cancer Society in October 2015 as vice president of IT security and compliance was to make the organization’s security policy easily accessible and searchable for employees. About 1,800 static PDF pages were replaced with HTML pages hosted on SharePoint. Topics are now easily searchable, and hyperlinks take employees from one policy to any supporting policies, or to a set of requirements or guidelines.
When searching for the acceptable use of Wi-Fi, for example, an employee will quickly find the policy and a link to a list of standards, the access points they can have, and the brands they can use. “My goal is to give people the tools that they need to inform themselves and to investigate as much or as little as they need to in a policy,” Baird says.
The right balance of security policy and risk tolerance varies greatly with each organization, Heiser says. Having very specific policy goals is the starting point for governance, but there’s no data that proves what that optimal level of policy should be, he adds. “Once [a security policy] has been out there, you can go back and ask, did this have an impact?”