Earlier this week, CompTIA released this interesting little statistic: 55 percent of businesses have a comprehensive, written IT security policy.
Think about that for a moment. The statistic means that roughly half of all organizations do not have a security policy in place.
October is National Cybersecurity Awareness Month, a celebration conceived nearly a decade ago to elevate the level of understanding of Internet and computer security threats. The idea behind this awareness month is to raise end-user awareness so that ordinary computer owners and business employees will make better choices when online.
Here’s the truth (as any security pro knows): the weakest link in the security chain is the average user.
Ordinary people have no concept of the function of firewalls, intrusion prevention systems and encryption. They gleefully click on every attachment and URL that floats into their email in-box. And they will randomly hit any website in pursuit of the latest Lindsay Lohan dirt or Tea Party rally directions. And there’s nothing wrong with that. In fact, it’s no different from the average driver who knows nothing about fuel injection, power steering or anti-lock braking systems. The only thing a driver knows is that he or she can drive.
End-users famously hate security policies because those are the documents of "no". No, you may not surf for porn at work. No, you may not do your Christmas shopping from the office. No, you may not download unauthorized, unlicensed applications. No, you may not email customer Social Security numbers to your family and friends. Part of the reason many businesses do not have a security policy is that such policies are too restrictive and too difficult to enforce.
The real purpose of a properly written security policy is not to specify what users cannot do with their work machines, but rather how an organization should respond when it suffers a security breach (and every business eventually will).
A security policy is the documentation of an organization’s assets, resources and procedures. It leaves no reason for second-guessing how a security team should react to a hacking incident, clean up a virus infection or deal with a troubling employee. In enumerating assets, the policy will specify when an organization should call outside contractors (i.e. security pros and solution providers), what level of access third parties should be given, and what is expected of them for remediation. And the policy will specify how much the organization should disclose about the breach to employees, partners and customers.
Going back to my car analogy, here’s a quiz: What are brakes for in a car? Most people say brakes are for stopping. The truth: Brakes allow you to drive faster. You would never dream of hitting the gas if you didn’t have brakes to slow you down. The same is true with IT: You have security, so you can do more on the Internet with a reasonable degree of safety.
The good news is that 55 percent of organizations have a security policy, but it’s reasonable to think that many of those policies are not kept up to date. The volume of non-existent, out-of-date and inadequate security policies is a huge opportunity for security solution providers. Rather than selling a product, solution providers can supply the expertise in crafting policies that keep an organization reasonably safe from common security risks and threats.
Security guru Bruce Schneier is famous for saying, "Security is a process, not a product." He’s right, and National Cybersecurity Awareness Month is a perfect time for solution providers to engage with their customers on the process – and policy – of security and not just the products.