Challenges to an effective organisation-wide cyber security strategy (and policy)

Cyber security is critical to organisations – large and small. Information and cyber security strategies and policies have the primary aim of keeping an organisation safe, including data, digital touchpoints and all the involved stakeholders. Creating effective cyber security strategies is not a straightforward feat.

The rapid pace technology advances at, poses new threats every single day. These strategies need to be implemented across a multi-user base which makes the implementation and enforcement thereof more complex. Challenges to the cyber security strategy are both internal and external in nature. Below we shall be touching upon the main challenges and issues.

Resistance to comply

Designing a cyber and/or information security policy is achievable, but at times challenges arise when it comes to employees complying with the policy. Employees are a major threat to the organisation’s security. Usually non-compliance is brought about by effects on productivity levels, lack of consideration, ‘anything goes’ , uncontrolled behaviour and forgetfulness. The right actions should be exercised to abolish the latter behaviour and have the full workforce adhere to the policy in practice.

When employees are not involved in the decision-making process, they tend to distrust policies. When policies are too strong or too rigid, a sense of employee distrust will prevail. Best practice is to spend some time assessing and analysing the challenge/s before designing the cyber security strategy and the relevant policy. When enforcing the policy, spend special attention to respect the privacy of those involved – even during surveillance.

Lack of education and awareness

An organisation can have the best designed policy, but if employees are not well trained it will leave no impact. Training sessions are to be held with both new joiners and existing experienced employees to educate them about cyber threats, cyber security best practices and possible repercussions in case of a security breach.

Understanding the risks the organisation can be exposed to, will help adhere to the policy. Clearly communicating and explaining the various sections and aspects of the policy are crucial to its success. In case of regulated business, cyber awareness training is a licence holder requisite.

In cases where the policy creates a false sense of security – this could be much more harmful than a breach itself. The policy needs to be robust. Enforcement should be ongoing.

No Policy updating

Malicious actors are constantly investing in improving their methods, tools (such as scripts) and malware. New threats emerge with the passing of every day. The policy is not static. The rapidly evolving security threats pose a continuous crippling challenge. The CISO together with his team should include updates to reflect the dangers and risks the organisation is faced with.

Any updates and add-ons to the policy should always be communicated and explained to the employees. When the workforce gains the insight into the challenges the organisation is faced with vis-a-vis cybersecurity, the task is (usually) half-done.

In organisations, cyber security governance should be given the right level of importance, at par with compliance, operations and finance. Cyber security strategies and the respective policies should cover the following five functions: identification, protection, detection, response and recovery.

Protection is multifaceted, spanning from protection software such as firewalls, malware and web proxy protection, anti-spam software, anti-virus software and anti-phishing software, to regular pen tests of systems and applications and phishing simulations.

The cost of a breach can be significant involving loss of data, reputational damage and the cost of rebuilding systems and confidence in employees, clients and suppliers. Any protective software needs to be regularly maintained with upgrades of critical fixes and updates. An ongoing contract with a reputable cyber security firm is recommended, so that they bring an external perspective and a strong level of expertise to the table – these will add insight and experience to harden systems and train employees to up the organisation’s defences. Keeping full documentation of all the above mentioned systems is a must.

What to include in the Cyber Security Policy

Formal risk assessment should help develop cyber security policies, that in turn ensure that systems and data is not misused and that anyone within and around the company sticks to best practices of cyber security. Policies are to be continually reviewed and updated – they are living documents.

Included in the cyber security policies one should find data management, user account management (including authority levels) and IT security and risk management (and mitigation). Following is a list of commonly included security policies: system use policy, email use policy, Internet use policy, remote access policy and bring your own device (BYOD) policy.

Let’s explore how we can be your cyber security partner. Set an exploratory meeting.