Published: October 15, 2021
Cybersecurity attacks are constant, and they are becoming more sophisticated and more deliberate. They pose a significant risk to any business that stores confidential data or consumers' personal information. Large-scale data breaches make headlines nearly every day, leaving many consumers wondering why these billion-dollar companies are unable to prevent cyberattacks. The lack of formal policies, along with corresponding controls to enforce them, is contributing to high-profile cybersecurity events. While security breaches at Fortune 500 companies grab headlines, it is actually smaller companies that are targeted much more often.
The technology itself is rarely to blame for the large consumer data breaches we read about. In almost every major case of stolen personal information or credit card numbers, the root cause turns out to be a failure of business process. Due to resource constraints, IT departments end up running hardware and software that are well out of date. It's not unusual to see critical information stored on systems that the manufacturer has declared "end-of-life." When that's the case, security patches are no longer being developed, and those systems become a target.
Having written policies in place, signed by senior management, that explicitly require critical systems to be kept up to date is paramount to creating a culture where cybersecurity is taken seriously. Then, of course, there must be a control in place to ensure each policy is followed. Responsibility for these controls typically falls on the network administration staff or cybersecurity personnel.
It is true that human error is responsible for many cybersecurity events, but employees are too often unfairly thrown under the bus. Is it the network admin's fault when an out-of-date instance of Windows Server 2008 is still in production? Certainly not, if a project to replace it was never approved! When a user clicks on a compromised link, ultimately leading to an out-of-date system being exploited, is it that employee's fault? No, not if that employee has never received security awareness training, not if the inbound email wasn't screened properly, and certainly not if their account was over-permissioned for their role on the network. While user error can be a risk, employees can also be an organization's last line of defense if given the proper tools and education, and they are much less likely to contribute to a cyber event when strong policies and controls are in place.
Cybersecurity policies serve as the rulebook for an organization's network environment. They cover everything from email restrictions and the use of corporate computers and phones to appropriate access to systems and data, and much more. Policies and protocols set guidelines for behavior that help protect against cyber threats, along with the remedial steps for responding if a cyber event does take place.
There is no silver bullet for achieving good cybersecurity. It's critical to have robust controls, procedures, and business processes that tie back to the written cybersecurity policies. By implementing thoughtful policies and realistic procedures, combined with employee training, you make your organization a harder target, and cybercriminals will skip it and look for easier targets to attack.