
By: Matt Kozloski on October 18th, 2016


7 Characteristics of a Successful Cybersecurity Policy


How well-developed is your company's cybersecurity policy? Does it apply equally well to every area in which you do business, providing consistent protection from both interior and exterior threats without hindering productivity? How quickly can you recover from a data disaster? Cybersecurity can seem intimidating at first, but there are steps you can take to reduce your exposure, keeping in mind that it is an ongoing process.


Cyber criminals are endlessly innovative and the threats they represent change constantly, so it is important to keep your security practice evolving in order to combat these threats.

Bringing in experts can give your company an enormous advantage. When it comes to cybersecurity, economy of scale works wonders on the efficiency of industry-specific policies, since sector-wide patterns and statistics can be leveraged to create robust, flexible defense infrastructure. Plus, you gain the benefit of experience—there is no need to learn from your mistakes when you can learn from those of others. When millions of dollars in damages could potentially be on the line, those who invest in the right preparation beforehand consistently come out on top.

So what does an effective cybersecurity policy look like? The short answer is that it depends. Many of the details will be specific to your industry, but there are seven main points that all successful policies share. They are as follows:

#1. It's Usable

The first and most important thing about your policy is that it must work. While this may seem like a given, you'd be surprised how many otherwise-successful corporate cybersecurity policies hinder performance more than they help. A usable cybersecurity policy is one that is powerful enough to block unauthorized network intruders, but permissive enough to let your employees and business partners use the information they need in a streamlined way.

A usable cybersecurity policy should be easy to understand. This ensures that every single employee in the company, from the CEO to the mailroom intern, fully understands what threats are being addressed and how they are playing their part. Usable cybersecurity policies can only take form when every member of the company shares responsibility for maintaining security—a chain is only as strong as its weakest link—and you should assume that cybercriminals will eventually find that link.

#2. It Evolves Over Time

What kept sensitive data secure in 2014 will not keep it secure in 2015, and what worked in 2015 may not address the most pertinent security needs of 2016. Cybercriminal behavior changes over time, and entire criminal industries have developed because of the lack of adaptability in corporate information security culture. Since the bad guys can adapt to changing conditions faster and more effectively than ever before, the only way to address the threats they pose is to be just as adaptive.

Your cybersecurity policy should be on a fixed review cycle of every six to twelve months. At each review, your company's cybersecurity team gets together to address any new issues that have arisen. The policy must be reviewed, adjusted and approved before being implemented. This is also the right time to bring in an outside cybersecurity consultant who can point out weaknesses and suggest ways to remediate them.

Don't forget to keep a record of past cybersecurity policies. Each revision should be easily retrievable so that you can revise, perform audits and initiate personnel changes smoothly.

#3. It Accounts for Human Error

We're all human and we all make mistakes. This is exactly why most of the heavy work in your cybersecurity infrastructure should be automated. The more you can automate, the less room you give employees, vendors, suppliers and distributors to make mistakes. Although mistakes can occur even within this context, a flexible and well-adjusted cybersecurity policy will provide the framework necessary to undo errors or quarantine them when needed.


What kind of errors are we talking about? There are plenty: employees might send sensitive documents through unsecured email accounts. Others might write passwords on sticky notes so they don't forget them. If your company is in the sights of a cybercriminal, all it takes is a single moment of inattention, such as an employee opening an email attachment from an untrusted source, and your system could be compromised. When this happens, you want protocols in place that limit the amount of damage that can be done while providing a means of closing the gap and keeping your data as safe as possible.

#4. It's Standardized & Followed By All

Standardization is an important element of a successful cybersecurity policy because it ensures that the perimeter you build has no weak points or loose ends. This helps usability as well, since standardization means that different members of your team still adhere to the same rules when it comes to handling company data. When everyone in your office uses computers to work, it no longer matters what department they're in or what access they have—an entrance into the system is an entrance into the system.

Each and every member of your team needs to understand your policy and be responsible for enforcing it. Your policy must include consequences for noncompliance and an oversight team that enforces these consequences. That team needs to be deeply aware of cybersecurity trends not just in your industry, but throughout every level of the company.

#5. It's Multidisciplinary

With different threat vectors looming in each department, it only makes sense that your cybersecurity defense should be cross-disciplinary. This means your cybersecurity team needs to work together, bridging senior management needs with stakeholder concerns and relying on the expertise of those who know how their departments work.

When you have a robust, standardized cybersecurity policy, it applies equally well to the mechanics of your finance department as it does to research and development or corporate leadership. The policy is designed to function within each of these contexts, providing a streamlined framework for authorized data access and communication. To achieve this, your entire organization should play a part in drafting the policy, ensuring that everyone's concerns are adequately met.

#6. It Plans for Exceptions

In an ideal world, there would be no need to change policy—no exceptions to the rules. However, we don't live in an ideal world and when it comes to frequently updated rule sets that need to be flexible and adaptive, exceptions can become the rule. In drafting your cybersecurity policy, your business units may not have covered all the bases or thought far enough ahead to meet all their needs. This means you must be prepared to offer a standardized exception process that is documented, accountable and well-organized.

#7. It Explains How to Handle Incidents

Even if you draft a sound cybersecurity policy, covering all of your company’s business functions, it might not be enough. As the old military adage goes, "No battle plan survives contact with the enemy." Vulnerabilities may be discovered, sensitive data might be exposed and you may have to quarantine certain elements of your network in order to keep your business safe. You'll need decisive, responsive and reliable solutions to a variety of possible threats and incidents.

See this article for more information on what kinds of cybersecurity threats exist and how to handle each one. Ransomware, in particular, is a type of malware that can disable your entire business indefinitely and cause tremendous damage if you're unprepared for it. With the right procedures in place, you'll have a smoother path to recovery.


About Matt Kozloski

Matt is an IT industry veteran and well-versed in professional services. He is the former leader of the CT VMUG. VCDX # 194, CISSP # 526947.