One of my favorite phrases is “snatching defeat from the jaws of victory.” The slight modification of the old idiom is the perfect way to understand how it’s possible for even the most effective, well-written, well-intentioned, and strategically developed cybersecurity policies to become irrelevant.
In my experience, I’ve seen a company’s management find so many ways to completely neutralize their own cybersecurity policies. For the most part, they involve some level of egotism oftentimes associated with management, the most obvious being the idea that “these policies don’t apply to me.” However, there are many ways, some much less obvious, for management to undermine their company’s own cybersecurity policies.
And, by extension, to make their company, their employees, their customers, and themselves less secure.
1) You developed your company’s cybersecurity policies without transparency
When it comes to your company’s cybersecurity, your employees are, simultaneously, your best asset and your biggest threat. Trained well, made aware of the stakes, and made to feel as if they are a valuable part of your company’s security, they will go a long way toward preventing attacks and recovering from breaches faster. It always feels more personal if you’ve got skin in the game.
So when you’re preparing your cybersecurity policies, don’t do so in secret.
The bottom line is that implementing your cybersecurity policies and procedures will dramatically change the way most people use their computers, phones, and network connections. Since most people have gotten used to using their personal devices and computers with little-to-no security, asking them to modify every aspect of how they use them at work will be a significant change. Many will resist, even if they want to help.
So at the very least, make sure your employees feel that their voices have been heard. Whenever you’re planning on writing, editing, or implementing new cybersecurity policies, announce the plan in advance. Ask for suggestions. If you don’t use them, say why. It’s no good to have an amazing cybersecurity policy that your employees won’t follow.
2) Your cybersecurity policies don’t apply to everyone universally
No more “pulling rank” or similar nonsense. Your cybersecurity policies should cover nearly every business-related activity on your company’s computers, tablets, network, WiFi, and phones. They will require your company’s employees to deal with inconvenience and equipment hassles. Most importantly, your cybersecurity policies will require your employees to change their routine.
If you’re asking your employees to do something, telling them it’s the best thing for the company, about the worst thing you can possibly do is let certain people get away with not following them. It sends a signal that 1) you don’t believe the rules apply evenly, and 2) your cybersecurity policies clearly aren’t as important as you’ve claimed. Both are dangerous.
If your employees have to do it, so do you. In fact, make a big show about how you’re doing everything you can to follow your cybersecurity policies. It’s called leadership by example.
Or, at least, leadership by not being an asshole.
3) Your cybersecurity policies are not evenly enforced
Related to the previous entry, but sadly deserving of its own spot on this list based on my experience, is the uneven enforcement of your cybersecurity policies. It’s one thing to exempt someone from compliance. But when a person to whom the rules are supposed to apply breaks them anyway, gets caught, and there are zero repercussions?
Well, that’s a giant neon sign to your employees that there are some people in your company who are effectively above the law. Not only will this type of behavior serve as a demonstration that your cybersecurity policies are unimportant, it’ll reduce the value of any corrective or punitive measures you ultimately decide to use when rules are broken in the future. And who doesn’t like it when their own authority is undermined?
Your other employees will feel slighted, and at the same time you will have demonstrated that you’re not committed to your cybersecurity policies. Remember, if your employees think you don’t take something seriously, they won’t either. So give your Cyber Incident Response Manager, and anyone else charged with enforcing your cybersecurity policies, the power they need to do the job right.
4) Your cybersecurity measures are illogical and inconsistent
Have you seen those companies that seem to rely on mostly half-measures? Or that have two fantastic systems that don’t work together, negating any efficiency or benefit? I have, and they leave me shaking my head every time.
Here are some examples:
- A document management system that, to comply with the data protection policy, requires users to save email attachments to the system, rather than to a local file, to make sure data is stored only in approved areas. Except that the system did not apply if the attachment was accessed on a mobile device.
- A paperless office software system to reduce paper consumption and allow easy mobile access. Except that critical metadata could only be removed by printing the document and scanning it back in.
- A policy limiting access to physical files based on a hierarchy of permissions to prevent access to documents by unauthorized employees. Except that the electronic document system, with only one permission setting, allowed employees to view electronic versions of documents they were not authorized to see physical versions of.
- A policy allowing employees to use either Word or WordPerfect to create documents, so employees could use whichever they were most comfortable with. Except that it meant employees frequently had to access documents in a format they were unfamiliar with.
I once worked at a company that blocked Facebook on the desktop computers through a website content blocker. So I used my iPad, connected through the company’s WiFi.
Your cybersecurity policies’ effectiveness will be measured by how well they promote good behavior and discourage bad behavior. If you prohibit access to something your employees want to access, but leave simple workarounds to evade the prohibition, people will use them.
The same goes for your cybersecurity systems: If your company VPN connection is so slow that it makes work difficult, expect your employees to start doing work-related activities on personal devices not subject to the slow speed. If your antivirus systems bog down your computer systems so your regular business software becomes unusable, don’t be surprised when your employees figure out how to disable it.
One of the biggest problems in cybersecurity right now is that companies struggle to justify its cost while spending an enormous amount on systems that don’t work together. Make sure that both your cybersecurity policies and systems aren’t working against themselves.
5) You haven’t justified your cybersecurity program to your employees
No matter what cybersecurity policies you put in place, there’s one thing you’re going to have to have a lot of, no matter what.
Faith in your employees. That they’re not actively seeking to circumvent your policies, safeguards, content blockers, or whatever, just for their own personal amusement. That they’re not downloading confidential information in ways that might evade your cybersecurity. That they take your company’s health seriously.
So justify your faith.
Make sure your employees know why specific policies are in place. Some things might be easy to understand, and need little explanation. It’s not hard to tell someone that they need to password protect their devices.
Requiring someone to take extra time to make sure all the data they store is in an encrypted format? New rules against saving documents on a computer desktop instead of the document management system? Adding a clear screen policy requiring users to log out of their systems anytime they step away from the screen, even for a minute?
That might take more.
If your employees understand the reasons for these policies, they are much more likely to accept them. Otherwise, you create an environment where your employees not only avoid or outright violate your security policies on a regular basis – they will stop considering it wrong to do so.
6) Your cybersecurity systems invade your employees’ privacy
Your cybersecurity policies include rules concerning mobile devices, network connections, download monitoring, building access, and a lot more that could potentially give you access to a boatload of personal information about your employees. Our cell phones, in particular, have become local repositories for everything that we personally might need or want, including information that extends into the “extremely personal.”
The security software that you require your employees to use on their devices will likely give you access to a ton of information, depending on how it’s set up. Even if you don’t use that technology to be horribly creepy or perverted, there are a lot of ways that you can misuse the information your cybersecurity system gives you that will erode trust between you and your employees, like using a location tracker when they call in sick, monitoring their network access to see who is leaving the office early, reading personal emails sent from the company’s email account, and more.
Your cybersecurity policies are in place for one reason, and one reason only – to secure your company from cyber threats. Using any of those tools for any purpose other than security is an invasion of privacy, a breach of trust, and quite possibly illegal.
7) Cybersecurity training is a low priority
Just like anything difficult, the most effective way to do something is to do it right from the bottom up. Your first line of defense against cyber attacks is the vigilance of your employees.
Vigilance requires awareness. Awareness requires training. Regular training. For everyone. Including you.
“Cyber security awareness is the amalgamation of knowing what to protect and doing something to protect [it].”
And just to add some motivation, according to the CyberEdge Annual Threat Report, “Lack of Awareness Among Employees” has been among the top two reported barriers to establishing effective cybersecurity for four years running (not coincidentally all four years the report has measured the issue).
Failing to properly train your employees about cybersecurity is dangerous for your customers, your company, and your employees themselves. Your systems are full of information about your employees – easily enough to steal their identities – so they should have a vested interest in keeping that data safe.
Part of the problem, admittedly, lies in the training itself. Guess what – training, when done properly, can be interesting and even fun. Training material perceived as “boring” might benefit considerably from a change in the trainer. If you can’t find someone who effectively engages your audience, let me know, and I’ll send you a list of some excellent options.
Make sure to schedule relevant training for your company’s staff more frequently than once a year. Every quarter, at least, should include one mandatory session on cybersecurity. In addition, taking it seriously means C-Suite participation as well! If you routinely exempt yourself, or other managers and supervisors, you are sending a clear message to the rest of your employees that you don’t consider the training to be valuable. And you’re not getting trained!
Your actions are the best reflection of your values. Demonstrate your commitment by participating.
8) You don’t audit your cybersecurity policies (or don’t take the audit seriously)
Among the worst cybersecurity habits I’ve seen in small businesses is assuming that cybersecurity policies, once in place, manage themselves.
No businessperson worth their salt would assume that any other aspect of business can simply run itself. Yet this attitude towards cybersecurity generally – and cybersecurity policies and procedures in particular – is pervasive. This is not a set-it-and-forget-it system of defenses. It needs attention.
Your cybersecurity policies should include a system for (at least) annual review of the policies themselves. Are there policies that are too restrictive? Does implementation interfere with day-to-day business? Have new options been released since the last update?
If so, update your cybersecurity policies. A regularly scheduled audit is a great way to figure out what works, what doesn’t, and what needs a little adjustment. Involve your employees – see above for why.
Take your audit seriously. It can feel like reinventing the wheel – you spent a ton of time putting these policies together. Updating them, explaining the changes, implementing them, and providing new training can feel like a waste. Worse, if you disagree with the audit’s conclusions, it can feel a bit like an attack. The barriers to taking the audit seriously may be significant.
Swallow your pride. If something doesn’t work, change it. If you disagree with the audit’s suggestions, accept the possibility that your idea was impractical, poorly implemented, or simply wrong. Nobody gets everything right the first time.
9) You routinely make major changes to your cybersecurity policies unilaterally and impulsively
Fear is a terrible motivator. But, sadly, it’s probably the most frequent motivator for small businesses when it comes to cybersecurity.
The reason fear is such a terrible motivator is that fear triggers an immediate, emotional response. Not the ideal way to address complex issues.
Fear creates a need to do something, anything, now. A recipe for overreaction.
A recent episode of Madame Secretary found the lead character discussing why she hated the phrase “Something has to be done.” It really means “I don’t know what to do,” but even so, I’m going to take action. So we overreact, we act without thinking, we act without input from others, we act without the information necessary to understand the threat. We just act.
Even though we really don’t know what to do.
A recent study found that 50% of businesses’ cybersecurity purchases were motivated by “well-publicized data breaches.” Fear of what a decision-maker in the business saw on the news.
The result is often the acquisition of systems that primarily address the “flavor of the week” hacking strategy. The new systems – which one report of IT professionals suggests account for as much as 30% of all cybersecurity purchases – are frequently incompatible with, in conflict with, or duplicative of existing systems. They increase costs and complexity (remember, new systems mean more training!).
So take a deep breath, then follow your plan. In the long run, it could save your company, your bottom line, your employees, your customers, and your sanity.