5 reasons to take a fresh look at your security policy

Evolving ransomware and DDoS attacks, new technology such as IoT, and changing user behavior are all good reasons to revise your security policy.


Today’s advanced persistent threats, new business technologies and a younger workforce have prompted security budgets to shift from breach prevention to detection and response. Those same forces have also motivated many organizations to take a fresh look at their security policies and guidelines – and for good reason.

By 2018, for instance, 50 percent of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, according to Gartner. Does your policy align with those of your partners?

The majority of companies have some form of security policy already in place, whether created from scratch or borrowed from the myriad templates available through security organizations and vendors. How effective those policies are today is another story. Some 31 percent of companies have a formal security policy, while another 34 percent have an informal security policy that is adopted by various departments in the company, according to a survey of 1,500 software developers worldwide by Evans Data Corp.

The golden rules for writing security policy still apply, such as making sure the process is shared with all stakeholders who will be affected by it, using language that everyone can understand, avoiding rigid policies that might limit business growth, and ensuring the process is pragmatic by testing it out. Just because policies are intended to be evergreen doesn’t mean they can’t become stale, says Jay Heiser, research VP in security and privacy at Gartner. Particularly at the standards level, one level below policy, guidance may need to be updated for different lines of business, or for jurisdictions that may be driven by different regulatory rules or geographic norms. Security and risk experts offer five reasons why companies should take a fresh look at security policies.

1. Ransomware, DDoS and APTs

The number of ransomware attacks targeting companies increased threefold from January to September 2016 alone, affecting one in every five businesses worldwide, according to Kaspersky Lab. The average distributed denial of service (DDoS) peak attack size increased 26 percent in Q1 2017 compared to the previous quarter, according to Verisign.

In the past, security policies focused on how to protect information: policies governing data classification, and policies governing how information could and could not be shared on the network. “Now, because of ransomware and advanced persistent threats (APTs), policies have to focus more on user behavior and on the behavior of the bad guys,” says Eddie Schwartz, chairman of ISACA’s cybersecurity advisory council and executive vice president of cyber services at DarkMatter LLC.


While a security policy should be “fairly stalwart and stable” to withstand those threats, some standards and individual procedures written for how to deal with individual threats may have to be updated more frequently as the threat environment changes, says Julie Bernard, principal in the cyber risk services practice at Deloitte in Charlotte, N.C.

2. Cloud, IoT, blockchain and other new technology

Next-generation tools, such as the Internet of Things (IoT) in manufacturing or blockchain in financial services, are driving changes to security policies. “Policy has to keep up with the dynamic environment you’re in,” says Bernard. “If your company is going to cloud, tech people are worried about uptime and security, but what about the policies that go along with it? Can I share information with one of my key vendors through a cloud app? If so, which one? And how do you facilitate that, which gets into standards questions,” Bernard explains.

“You could have a policy of ‘thou shall not share,’ but unless you have the technical ability to block that, people are still going to try to get their work done” and do it anyway, she adds.
