When we get into cybersecurity, one of the first things any organization or business should do is write a cybersecurity policy, a policy that belongs to everyone. Those are easy words to put on paper, but what do they mean?
So what is a cybersecurity policy? Well, it’s defined in the Gartner IT Glossary as “an organization’s statement of intent, principles, and approaches to effectively manage cybersecurity risk in pursuit of its strategic objectives.”
CyberSmart, which provides training for the UK’s Cyber Essentials program, adds to the definition by saying: “These principles can inform decisions made by senior management or guide employees in their day-to-day activities. Any policy worth its salt should outline what employees should and shouldn’t do, offer guidance on best practices, and advice for decision makers.”
The key element of any cybersecurity policy is not the rules defined by the policy, but the framework of the culture within the organization. The World Economic Forum’s Global Risks Report 2022 states that 95% of cybersecurity threats people have faced have in some way been caused by human error. This is a factor that many people should think about carefully. It is how this error is handled that affects the impact of these violations. A culture of fear is likely to mean fewer errors are reported, while a no-blame culture is more likely to protect a business or organization. A policy is therefore a critical document that becomes either an enabler for the company or, potentially, a handicap.
With a focus on businesses, according to the Federation of Small Businesses, a cybersecurity policy should cover many areas, including:
- The measures you have in place to minimize threats.
- What data will be backed up and how you will manage this.
- Best practice processes, such as what you should and shouldn’t do.
- The different responsibilities of your employees.
Your policy may include expectations for the use of social media at work, rules for using email, or guidance for data protection.
That list fails to mention a password policy, which highlights a problem: many policies are template-based and not tailored to the needs of a business or organization. Essentially, they become a box-ticking exercise to meet Cyber Essentials program requirements.
Any policy should have a direct link to the required business or organizational outcomes, should be viewed and written as an enabling policy for the business and certainly should not be something for which IT has overall responsibility. The elements of any policy should have a direct reading into the broader risk register, where applicable.
Linking a cybersecurity policy to a broader business risk register has a number of benefits. The first is that, for the board of directors, the risk is clear, and that clarity informs all budgetary decisions. It also means that security on the ground becomes an enabling function of the core business.
Chris Philp MP, Parliamentary Under-Secretary of State (Minister for Technology and Digital Economy) in the UK Government, said on 13 June 2022 in the UK’s digital strategy:
“As our lives increasingly depend on digital technology, it is essential to ensure that digital systems and services are safe from threats or failures. We place security at the heart of our approach, because we know that a secure digital economy provides the stability needed for continued growth and further strengthens the UK’s position as a science and technology superpower. Without this central element, we risk undermining progress and innovation that distinguishes our digital economy.”
The link between business and a digital economy is clear, and many fail to realize some of the added benefits of a cohesive business strategy. Integrating a cybersecurity strategy could include increased efficiency by ensuring that all elements of a business or organization are working together and pulling in the same direction. If you work on one cohesive plan, inevitable problems can be quickly identified and resolved. When everyone understands what is expected of them and goals are clearly defined, time and resources are managed more effectively. This will ultimately help you achieve your goals and grow.
This will likely lead to better customer service by ensuring that tasks are performed correctly and that every customer receives the same high level of service, thus improving a company’s reputation. Improved efficiency, better customer service in an environment where risks are understood can also lead to a safer workplace if everyone works to the same standards and principles.
This has the real business benefit of reducing the potential costs of any attack. The UK Government’s 2020 Cybersecurity Breach Survey estimated the average cost to be over £3,000 per incident. So having the right procedures in place not only helps prevent a breach in your business and protects the business’s reputation, but also protects your bottom line by avoiding potentially costly lawsuits, and protects the sensitive data that must be safeguarded to comply with the GDPR.
Finally, additional benefits are listed, such as not missing out on sales through broken websites or interrupted transaction chains. There is also the added fact that a strong policy will keep a business current from a cyber threat prevention perspective. One of the keys to success is to review the policy regularly, which will allow for a quicker and less painful recovery if the worst should happen.
Now is the time for organizations and businesses to ensure their cyber policies are fit for purpose in this developing digital age, and fit for purpose means business-focused, not just cyber-focused.
About the Author: Philip Ingram MBE is a former Colonel in British Military Intelligence and is now an international journalist and commentator on all security and cyber issues.
Editor’s note: The views expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.