We talk all the time and hear in the news all the time about recent attacks that take place. Whether it is stolen credit card data or the latest strain of Ransomware that hits the market, most of the news that we hear has to do with bad actors stealing information from the outside.
But what about the folks on the inside? I am not talking about Social Engineering where employees are "tested" to see what information they will provide or what links they will click on. These instances come down to a lack of training and in most cases, employees just "going with the flow" and not questioning anything. That is different. This post is addressing policies and procedures to protect your data from both accidental leakage as well as intentional exposure.
Policies and procedures are two of the least popular words out there today, especially when we are talking about IT Security. There are many reasons why IT Security policies and procedures are so important, which was the topic of my blog post in September of last year, which you can find here. While that same thought process (the importance of IT Security Policies and Procedures) still holds true, today I want to focus on three different types of insiders that every company needs to be aware of:
Intentional - These are the folks that steal sensitive information with a purpose in mind. Some of those purposes can be to sell the information, leak it to a competitor, or a number of other reasons. The challenge with this type of insider is that they combine the desire to do harm with the act of actually doing it.
Forgetful - Two good words for these folks might be negligent or careless. We all have that person we work with who doesn't follow the policies and procedures put in place by the organization. In some cases, these co-workers of ours actively try to avoid the policies. These people are not malicious in nature; they are more of the mindset of taking the path of least resistance, and policies and procedures create a path with resistance.
Accidental - You might be asking what the difference is between the "forgetful" person and the "accidental" person. Honestly, the main difference here is intent. I don't mean that the forgetful person has ill intent; rather, they are trying to take the easy route. The accidental person follows the policies and procedures, but sometimes accidents happen. Maybe this is leaving your computer unlocked and someone else uses it. Perhaps this is doing work at Starbucks over public wi-fi. The accidental person is not doing these things to cause harm; the mistakes are accidental, or part of the "it can't happen to me" phenomenon.
Now that we know who the players are, you can see how policies and procedures can help. The answer is building a culture of security. On the surface that seems like a terrible answer, but it is truthful. What I mean by this is taking the time to explain why these policies and procedures are important. Why do users have to change their passwords every 90 days? Why do they have to ensure they use a VPN for remote access? People, for the most part, want to be led and want to understand why these things are in place. Simple explanations can go a long way to minimize confusion and questions. This also empowers employees to feel engaged as a part of the team. If you just take a stack of 30 IT Security Policies and cram them down their throats with no explanation, you may end up with a bunch of "forgetful" employees who take the path of least resistance.