Nobody enjoys creating policy. It’s complicated, detail-oriented work and just asking for endless debates over minutiae. And the results of the arduous policy-making process are often overlooked or outright ignored. Sometimes it feels like people are going to do whatever they want to do, regardless of your well-crafted, comprehensive policy.
So why bother going to the effort of writing an IT security policy for your business? Surely, there are better ways to spend your time.
Well, for starters, consider these sobering figures:
- The average cost of a data breach has climbed to $4 million per incident in 2016, according to a Ponemon Institute study sponsored by IBM.
- The average cost for each record lost or stolen, according to the same study, has climbed to $158.
- A study by the Association of Corporate Counsel found that employee error is, by far, the leading cause of data breaches. Third on the list is phishing attacks, which, as we’ve described before, also take advantage of employee carelessness.
- The same study reported that “fewer than half of in-house counsel reported that mandatory training exists at their companies.”
- Another survey found that one in three companies lacks an information security policy.
To sum up: Unless your business has millions of dollars to spare, a single data breach — which is becoming increasingly likely — could cripple or even shut down your company. Furthermore, you need to be prepared to prevent and respond to a data breach.
This is why, no matter how painful it is to create one, you need an IT security policy. And, you need one with teeth.
What Is an IT Security Policy?
Having an IT security policy — or information security policy — is an important part of your security strategy. It is a written document outlining your organization’s plan for protecting your data and the information of your partners and customers. It describes the systems in place, both hardware and software, the plans for keeping them current and it can include the actions required to alert personnel when a suspected breach occurs.
Here a few key elements we recommend including in your IT security policy. (And please note, this list is far from complete. The elements of your IT security policy will depend largely on how your business operates and uses and stores data.)
- Access controls. Who will have access to your data? And how much access? How and where will they be authorized to access it?
- Anti-malware protection. How will your company fight against the scourge of malware and viruses? What tools will you use to scan for malware and how will they be kept up to date? What guidelines must your users follow to avoid downloading malware from unexpected sources?
- Compliance. Sometimes, information security isn’t just a good idea, it’s required by law or your industry’s standards — like HIPAA, for example. With what regulations must your business comply, and what methods have you implemented to comply with them?
- Acceptable use. How are your users allowed to use your network and your company-issued hardware and software? Can you find a balance between their need for flexibility to be productive and putting your data security at unnecessary risk?
- Response. If a data breach does occur, how will your team respond to it? What controls are in place to mitigate the damage? How will you report on the incident and document it so you learn from it and prevent it from happening again?
- Education and accountability. How will you spread the word about your security policy, make sure your organization understands it, and most importantly, follows it?
Listen to the Experts
IT security experts may not always agree on the best ways to keep your data safe, but one thing they all agree on is that an IT security policy is a necessary first step.
Digital Guardian asked 30 leading experts, “What are the biggest mistakes companies make with data security?” For many of them, it is the lack of a security policy.
“Many companies lack the processes, policies, and standards for protecting data throughout its lifecycle,” one expert opined. “...The companies which fail to think through the long term implications of data leave themselves open to security incidents and breaches.”
Security policy also took center stage at a recent panel discussion hosted by Intel Security and Enterprise Innovation in Kuala Lumpur, Malaysia.
“[An IT security policy] serves as a guideline on how you should work, how to minimize risks. If you don’t have a security policy, you need a standard operating procedure that will help your business run smoothly so that if something goes wrong, you know what to do,” one panelist said.
So how do you go about creating an IT security policy that is both enforceable and aligned with your organization’s business goals? Stay tuned. We’ll take on this challenge in our next blog post.
Does your business have an IT security policy? Why or why not? And if you do, what’s included? Share your approach in the comments section below.