Andrew Tsonchev, Director of Technology, Darktrace Industrial, discusses the role internal security policies play in making the life of a security officer easier and what businesses can do to ensure that they are enforced in a way that keeps employees happy and engaged.
Despite the data breaches plaguing the headlines, security teams across the globe struggle to enforce the policies they put in place. I’ve met with hundreds of security officers over the years working in a variety of industries, all of whom have put in blood, sweat and tears trying to ensure the cybersafety of their organisation. But their efforts mean nothing at all when they are powerless to apply the policies they create.
Whether incidents involving rogue IT staff or other violations, exasperated security teams are faced with a difficult task and can’t be left with sole responsibility for enforcement. After all, policies take time to update, which puts extra strain on already stretched personnel. So what role do these policies play in making the life of a security officer easier and what can businesses do to ensure that they are enforced in a way that keeps employees happy and engaged?
What’s the point?
Widely accepted as a best practice among cybersecurity professionals, internal security policies are a critical element of a strategic and proactive cybersecurity programme. Employees not on the security or IT teams possess limited knowledge of the cybersecurity challenges facing corporations and the risks their actions may pose to the company. Therefore, it’s imperative that businesses educate their employees about the growing cyberthreat to reduce the risk that they fall victim to an attack.
However, policies still don’t prevent mistakes and we can’t expect a document or quarterly security training to change everyone’s bad habits or prevent employees from ever falling for a phishing attack. We have to leave room for human error. By limiting what applications employees can use, laying out protocols for connecting to non-corporate Wi-Fi networks and instructing employees on the potential risks of rogue USB devices, companies can reduce the number of employees involved in these behaviours, thereby reducing the risks created by these activities.
Balancing enforcement and business productivity
At this point, it seems a significant problem is that many employees don’t fear breaking policies. When they aren’t enforced and the consequences of defying them have not been communicated, what is there to fear? However, no policy has ever been made to be broken and with increasingly fewer people following the restrictions and regulations, it is only becoming more complicated or costly to enforce them. On the flip side, it’s possible that it could be security teams who are complacent when it comes to enforcement.
A set of policies might be put in place to appease executives or board members but an IT team not supportive of the initiative could have no actual intention of implementing them.
Another possibility is that inconsistencies in enforcement create a situation where no enforcement seems like a better decision. Imagine a situation where one employee was written up for using a non-approved cloud storage platform but he/she knows that numerous other employees are also using it and aren’t being punished. This would serve only to create resentment towards the security team and would do little to dissuade the employee from using non-approved software and services in the future.
Finally, it could be the complexity of modern networks posing a challenge. Most employees have multiple corporate devices, cloud and SaaS applications create more areas of the network that need monitoring and BYOD further expands the attack surface. While not impossible, it may be too challenging and complex for security teams to enforce these policies on top of their other responsibilities and without affecting business productivity.
Divide and conquer the threat landscape
One of the greatest successes of effective policies and effective security teams is that they make security a company-wide responsibility. Security teams need the ability to enforce policies when necessary but they also can’t spend all their time chasing down employees breaking the rules. That’s why it’s critical to do two things: ensure you have a way to easily monitor employee activity and shift responsibility for the company’s security into the hands of every employee and team.
You can’t enforce what you’re not aware of and while some might raise concerns over privacy, there are sophisticated security tools that can provide visibility into employee activity without raising privacy concerns. New tools powered by Artificial Intelligence are able to identify suspicious activity without diving into the contents of emails or documents but instead by mapping out normal behaviour for every employee.
Visibility can help ensure that policies are enforced equally and the AI is able to quickly respond with an autonomous action when policies are being broken – ultimately ensuring that senior staff, whose actions can have the largest impact, are also held accountable.
One CISO I spoke to recently told me that the biggest benefit of gaining visibility into his network was the open lines of communication it had created between employees and his security team. He said now employees know that someone on the security team is monitoring their network behaviour. Upon breaking policy, they’ll expect to get an email from his team explaining the risks and asking for their support in the future. He described it as helping him to create a ‘culture of compliance’ within his organisation.
When the responsibility for cybersecurity is shared by employees outside the security team, policies that were once perceived as a nuisance can evolve into something respected by all. Showing employees the consequences of their actions and holding them responsible can bring to light their role in ensuring the company is secure. In doing so, security policies will no longer be thought of as rules that were made to be broken and ensure an organisation is more protected.