September 3, 2015 By Kevin Beaver 3 min read

Quick, to the point and in writing: The purpose of an information security policy is to set everyone’s expectations by outlining what’s being done or what should be done to protect systems and information within the business. Policies are a convenient solution to today’s security ailments. Or are they?

Ask any executive and it would certainly appear that way. High-level managers often say, “Yes, we have a policy for that.” Auditors will say something similar. It’s commonly, “We have A, B and C policies, and they’re helping us ensure compliance with X, Y and Z regulations.”

Odds are that IT and security admins will say something completely different. I often hear, “I wrote some policies, but no one follows them.” It’s often not until a breach occurs that we realize the folly that most security policies represent.

I suspect that if a root cause analysis were performed on all the known breaches — especially the big ones occurring at large corporations and government agencies — we’d see that policies were documented and relied upon, yet policies failed in the majority, if not all, of the cases. I’ve seen and heard of countless organizations that have security policies for this or that but have never even performed a security assessment, have minimal security controls and have no program for such oversight moving forward.

The Problem With Your Security Policy

Security policies can create a dangerous false sense of security and can end up being used against you in a court of law. Looking at this from the plaintiff’s perspective in the case of a data breach, it won’t take much for lawyers, forensics analysts and expert witnesses to show that due care was indeed not taking place in the enforcement of policies and the ongoing management of security. That’s already happened in some bigger cases, and it’s certainly playing out in others right now. Now that it’s confirmed that the Federal Trade Commision (FTC) has the authority to go after companies due to lax security, this issue could get really big really fast.

Anyone can document anything they want in a policy involving things such as passwords, full-disk encryption for laptops, bring-your-own-device (BYOD) rules, etc. But it literally means nothing when these policies are not enforced, which is often the case. Rather than it being the oft-cited “glitch” causing problems, the breaches we hear about are a breakdown in information security management somewhere along the way.

Don’t get me wrong: I feel for those in charge of information security today. Given the lack of support from management, poor decision-making among users and overall information systems complexity we see today, it’s no doubt one of the most challenging professional jobs of our era, especially given what’s at stake. I don’t envy that role at all.

Talk Is Cheap

Not enough is being said or done about ineffective security policies. It cannot be stressed enough: Policies are not everything. In fact, they’re nothing without substance to back them up. Organizations that have no policies at all yet have otherwise solid information security controls are light-years ahead of the pack.

Who would I want to collect, process and store my sensitive personal information? No doubt the businesses with true security substance rather than mere documentation that’s not being enforced. Think about this from the perspective of your business. Would you feel comfortable with how information is handled if you were a customer? More importantly, are your lawyers willing to defend how things are being run?

We know that talk is cheap in many aspects of business, but I can think of no place where it’s more evident than in information security. We’re seeing this very issue play out in the courts today. It’s time to start unchecking those boxes and do what’s right before a third-party expert or analyst calls it out and you’re forced to act.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today