Today’s advanced persistent threats, new business technologies and a younger workforce have prompted security budgets to shift from breach prevention to detection and response. Those same forces have also motivated many organizations to take a fresh look at their security policies and guidelines – and for good reason.
By 2018, for instance, 50 percent of organizations in supply chain relationships will use the effectiveness of their counterpart’s security policy to assess the risks in continuing the relationship, according to Gartner. Does your policy align with those of your partners?
The majority of companies already have some form of security policy in place, whether created from scratch or borrowed from the myriad templates available through security organizations and vendors. How effective those policies are today is another story. Some 31 percent of companies have a formal, company-wide security policy, while another 34 percent have an informal security policy adopted by various departments within the company, according to a survey of 1,500 software developers worldwide by Evans Data Corp.
The golden rules for writing security policy still apply, such as making sure the process is shared with all stakeholders who will be affected by it, using language that everyone can understand, avoiding rigid policies that might limit business growth, and ensuring the process is pragmatic by testing it out. Just because policies are intended to be evergreen doesn’t mean they can’t become stale, says Jay Heiser, research VP in security and privacy at Gartner. Particularly at the standards levels, one level below policy, guidance may need to be updated for different lines of business, or for jurisdictions that may be driven by different regulatory rules or geographic norms. Security and risk experts offer five reasons why companies should take a fresh look at security policies.
1. Ransomware, DDoS and APTs
The number of ransomware attacks targeting companies increased threefold from January to September 2016 alone, affecting one in every five businesses worldwide, according to Kaspersky Lab. The average distributed denial of service (DDoS) peak attack size increased 26 percent in Q1 2017 compared to the previous quarter, according to Verisign.
In the past, security policies focused on how to protect information. There would be policies covering data classification and policies governing how information must not be shared on the network. “Now, because of ransomware and advanced persistent threats (APTs), policies have to focus more on user behavior and on the behavior of the bad guys,” says Eddie Schwartz, chairman of ISACA’s cybersecurity advisory council and executive vice president of cyber services at DarkMatter LLC.