One of my favorite phrases is “snatching defeat from the jaws of victory.” It is a slight modification of the old idiom, describing an action that transforms guaranteed success into abject failure.
It is also the perfect way to understand how it’s possible for even the most effective, well-written, well-intentioned, and strategically developed cybersecurity policies to become irrelevant.
I’ve seen so many ways a company can completely negate their own cybersecurity. Usually, it involves some level of management errors, the most common being that “these policies don’t apply to me.”
However, there are many ways, some much less obvious, for management to undermine their company’s own cybersecurity policies.
And, by extension, to make their company, their employees, their customers, and themselves less secure.
1) You developed your company’s cybersecurity policies without transparency
When it comes to your company’s cybersecurity, your employees are, simultaneously, your best asset and your biggest threat. Trained well, made aware of the stakes, and made to feel as if they are a valuable part of your company’s security, they will help you prevent attacks and recover from breaches faster. It always feels more personal if you’ve got skin in the game.
So don’t prepare your cybersecurity policies in secret.
Implementing your cybersecurity policies and procedures will change the way your employees use their computers, phones, and network connections. Since most people have gotten used to using their personal devices and computers with little-to-no security, asking them to modify every aspect of how they use them at work will be a significant change. Many will resist, even unconsciously.
So make your employees feel that their voices have been heard. Whenever you’re planning on writing, editing, or implementing new cybersecurity policies, announce the plan in advance.
Ask for suggestions. If you don’t use them, say why.
It’s no good to have an amazing cybersecurity policy that your employees won’t follow.
2) Your cybersecurity policies don’t apply to everyone universally
Just so we’re clear, this means you. Or anyone else in a management/supervisory position who believes these policies don’t apply to them.
Your cybersecurity policies should cover nearly every business-related activity on your company’s computers, tablets, network, WiFi, and phones. They will, as a result, likely require you and your employees to change your routines.
If you’re asking your employees to do something, telling them it’s important and necessary, about the worst thing you can possibly do is let certain people get away with not following them. It sends a signal that 1) you don’t believe the rules apply to everyone, and 2) your cybersecurity policies clearly aren’t as important as you’ve claimed. Both are dangerous.
If your employees have to do it, so do you. In fact, make a big show about how you’re changing your practices in order to follow your cybersecurity policies. It’s called leadership by example.
3) Your cybersecurity policies are not evenly enforced
Related to the previous entry but deserving of its own spot on this list is the uneven enforcement of your cybersecurity policies. The previous topic dealt with people who were exempt from the rules. This topic deals with situations when a person to whom the rules are supposed to apply breaks them anyway, gets caught, and there are zero repercussions.
It’s a sign to your employees that there are some people in your company who are above the law. Not only will this demonstrate that your cybersecurity policies are unimportant, it’ll reduce the value of any corrective or punitive measures you use when rules are broken in the future. You’re actually undermining your own authority. Why?
Remember, if your employees think you don’t take something seriously, they won’t either. So give your Cyber Incident Response Manager, and anyone else charged with enforcing your cybersecurity policies, the power they need to do the job right.
Including corrective and punitive enforcement of your new cybersecurity policies.
4) Your cybersecurity measures are illogical and inconsistent
You know those companies that seem to rely on mostly half-measures? Or that have two fantastic systems that don’t work together, negating any efficiency or benefit? I’ve seen plenty.
Here are some examples:
- A document management system that requires users to save email attachments to the system (rather than locally) to make sure data is stored only in approved areas. Except the system did not apply if the email was accessed on a mobile device.
- An office software system intended to reduce paper consumption and allow easy mobile access. Except that critical metadata could only be removed from a document by printing the document and scanning it back in.
- A policy limiting access to physical files based on a hierarchy of permissions to prevent access to documents by unauthorized employees. Except that the electronic document system had no parallel restrictions, so employees could access electronic versions of documents they were not authorized to see physical versions of.
- A policy allowing employees to use either Word or WordPerfect to create documents, based on comfort and personal preference. Except that it meant employees frequently had to access documents in a format they were unfamiliar with.
Your cybersecurity policies’ effectiveness relies on promoting good behavior and discouraging bad behavior. If you prohibit access to something your employees want to access, but leave simple workarounds to evade the prohibition, the prohibition will be evaded.
The same goes for cybersecurity. If your company VPN connection is so slow that it makes work difficult, expect your employees to use devices that can evade the VPN. If your antivirus systems bog down your computer systems so your regular business software becomes unusable, don’t be surprised when your employees disable the antivirus.
Avoid the biggest problems by making sure the cybersecurity tools you have actually work together. Spending a bunch of money on two systems that duplicate work – or worse, negate each other’s value – is bad for security AND your bottom line.
5) You haven’t justified your cybersecurity program to your employees
Regardless of what kind of manager you are, you’re going to be leaving a lot in the hands of your employees, which takes a lot of faith.
Let them know that you trust them, but also let them know why you’re requiring them to add steps to their workflow. Think about how you treat things that you consider to be “pointless busywork.” You definitely don’t want your employees to think of your cybersecurity that way.
Make sure your employees know why specific policies are in place. Some things might be easy to understand, needing little explanation. It’s not hard to tell someone that they need to password protect their devices.
Requiring someone to take extra time to make sure all the data they store is in an encrypted format? New rules against saving documents on a computer desktop instead of the document management system? Adding a clear screen policy requiring users to log out of their systems anytime they step away from the screen, even for a minute?
That might take more.
If your employees understand the reasons for these policies, they are much more likely to accept them. Otherwise, you create an environment where your employees not only avoid or outright violate your security policies – they will stop considering it wrong to do so.
6) Your cybersecurity systems invade your employees’ privacy
Your cybersecurity policies include rules for mobile devices, network connections, download monitoring, building access, and a lot more. That gives you access to a boatload of personal information about your employees. Cell phones alone have become repositories for our entire personal lives, including information that extends into the “extremely personal.”
The security software that you require your employees to use on their devices will likely give you access to a ton of information, depending on how it’s set up. There are a lot of ways that you can misuse the information your cybersecurity system gives you, like using a location tracker when they call in sick, monitoring network access to see who leaves early, reading personal emails sent from the company’s email account, and more.
And that doesn’t even get into the bad forms of misuse, including sexual harassment and other serious abuses of authority.
Your cybersecurity policies are in place for one reason: to secure your company from cyber threats. Using security policies or tools for any purpose other than security is an invasion of privacy, a breach of trust, and quite possibly illegal.
7) Cybersecurity training is a low priority
Your first line of defense against cyber attacks is the vigilance of your employees.
Vigilance requires awareness. Awareness requires training.
Regular training. For everyone.
“Cyber security awareness is the amalgamation of knowing what to protect and doing something to protect [it].”
According to the CyberEdge Annual Threat Report, “Lack of Awareness Among Employees” has been among the top two reported barriers to establishing effective cybersecurity for four years running (not coincidentally all four years the report has measured the issue).
Effective training can help to correct that problem.
Training, when done properly, can be interesting and even fun. Training material perceived as “boring” might benefit considerably from a change in the trainer. If you can’t find someone who effectively engages your audience, let me know, and I’ll send you a list of some excellent options.
Make sure to schedule relevant training for your company’s staff more frequently than once a year. Every quarter, at least, should include one mandatory session on cybersecurity. In addition, taking it seriously means C-Suite participation as well! If you routinely exempt yourself, or other managers and supervisors, the clear message is that you don’t consider the training to be valuable. And you’re not getting trained!
Your actions are the best reflection of your values. Demonstrate your commitment by participating.
8) You don’t audit your cybersecurity policies (or don’t take the audit seriously)
Among the worst cybersecurity habits I’ve seen in small businesses is assuming that cybersecurity policies, once in place, manage themselves.
You would never assume that any other aspect of business can simply run itself. Yet, this attitude is pervasive concerning cybersecurity. This is not a set-it-and-forget-it system of defenses. It needs attention.
Your cybersecurity policies should include a system for (at least) annual review. Are there policies that are too restrictive? Does implementation interfere with day-to-day business? Have new options been released since the last update?
If so, update your cybersecurity policies. A regularly scheduled audit is a great way to figure out what works, what doesn’t, and what needs a little adjustment. Involve your employees – see above for why.
Take your audit seriously. It can feel tedious. Updating the policies, explaining the changes, implementing them, and providing new training can feel redundant. Worse, if you disagree with the audit’s conclusions, it can feel a bit like an attack. There are serious and significant barriers to taking the audit seriously; it’s important to understand what you’ll face.
Swallow your pride. If something doesn’t work, change it. If you disagree with the audit’s suggestions, accept the possibility that your idea was impractical, poorly implemented, or simply wrong. Nobody gets everything right the first time.
9) You routinely make major changes to your cybersecurity policies unilaterally and impulsively
Fear is a terrible motivator. But, sadly, it’s probably the most frequent motivator for small businesses when it comes to cybersecurity.
The reason fear is such a terrible motivator is that fear triggers an immediate, emotional response. Not the ideal way to address complex issues.
Fear creates a need to do something, anything, now. A recipe for overreaction.
I’m reminded of a critique of the phrase “something has to be done.” What it really means is “I don’t know what to do, but even so, I’m going to do something.” It describes a situation where we feel action is necessary, but we can’t think of specific action that is logically connected to the problem.
So, we overreact, we act without thinking, we act without input from others, we act without the information necessary to understand the threat. We just act.
Even though we really don’t know what to do.
A recent study found that 50% of businesses’ cybersecurity purchases were motivated by “well-publicized data breaches.” That’s another way of saying “something that the boss saw on the news last night.”
The result is often the acquisition of systems that primarily address the “flavor of the week” hacking strategy. These paranoia-fueled impulse buys… er… new systems – which one report of IT professionals suggests make up as much as 30% of all cybersecurity purchases – are frequently incompatible with, in conflict with, or duplicative of existing systems. They increase costs and complexity (remember, new systems mean more training!).
All of this because of fear.
Instead, take a deep breath, then follow your system. Get input from your whole team. Consult with your IT vendor/personnel. Do your research. In the long run, it could save your company, your bottom line, your employees, your customers, and your sanity.