Are cybersecurity policies valuable or just stacks of paper?

Security policies and security awareness go hand in hand.  Frankly, a policy is worthless if it sits in someone’s desk drawer.  Such policies only serve to enhance the egos of those who created them.  Policies find value when they are understood, adhered to, and enforced, and this only works if employees are trained on the policy.  Policy training should cover three main components.

  1. Employees must be made aware of the policy.
  2. Explain the rationale for the policy and how it impacts employees.
  3. Establish accountability and consequences for non-compliance.

A study by the Ponemon Institute found that 58 percent of those surveyed said their employer did not provide adequate security awareness training.  The study went on to cite three reasons why employees ignore policies:

  1. Greater employee mobility.
  2. Rapid changes in technology and a lack of corporate adaptability to new technology.
  3. Pressure to do more with fewer resources.

Policies are required by many regulations and they are beneficial to companies because they express corporate expectations of behavior.  However, companies must train employees on policies and have sanctions for policy violations.  There should be methods to evaluate policy compliance and employees should be held accountable for adherence to policies so that policies effectively guide organizational behavior.

Ponemon research identified the following statistics on insecure employee practices:

  Downloading data onto unsecured mobile devices: 61%
  Sharing passwords: 47%
  Losing data-bearing devices: 43%
  Turning off their mobile devices’ security tools: 21%
  Using web-based personal email in the office: 52%
  Downloading Internet software onto an employer’s devices: 53%
  Engaging in online social networking while in the workplace: 31%

Some of these activities, such as sharing passwords, are obviously bad practice.  However, others may be completely acceptable when performed according to organizational guidelines.  For example, is social media being used to promote the company’s services and interact with customers, or are employees just reading items in their feed from family and friends?  Distinctions like this are essential and should be addressed through policy.

Companies that truly want to get a handle on data security must not neglect the governance aspect of cybersecurity.  I like to say that cybersecurity is made up of people, policies, and technology.  An effective cybersecurity strategy will need to address all three.

This article was sponsored by TCDI, a cybersecurity, computer forensics, and eDiscovery company.



About The Author


Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.
