Transforming Cybersecurity’s Weakest Link (Part II)

Harnessing the Human Factor as a Strategic Asset

This is Part II in a series focused on how to transform your workforce into a cybersecurity asset rather than a liability.  Click here to read Part I.

Part II: Policy

To err is human; to call the IT department as soon as mistakes occur, divine!  

In case you missed our first part of this series, click here to find out why we sometimes make bad decisions when it comes to IT security. In this second part of the series, we’ll discuss organizational policies to help employees consistently make better choices.  

As a reminder, the cost of data breaches attributed to human error or negligence continues to rise, with average losses per event currently estimated at $13.9 million. Unsurprisingly, email and other collaboration tools remain the most exploited entry points for attackers.

Customize your cybersecurity policy 

Every organization is different, and as such, policies must be tailored to their specific risks, needs, and existing cultural norms in order to be effective. In the final part of this series, we’ll take a deeper dive into how organizations can drive cultural change around data security, but for this portion of the program, let’s first acknowledge that there is no one-size-fits-all policy solution.  

Understanding an organization’s unique cybersecurity risk landscape is the first step in developing a successful policy. This includes assessing your most likely threats and regulatory requirements, as well as the types of data you generate and hold onto – and where and how that data is stored.  

Baseline fundamentals   

Despite variations in culture and risk, there are some critical fundamentals for any cybersecurity policy.  

  • Password hygiene: Clear rules for creating and storing strong, unique passwords, and enforcement of multi-factor authentication.
  • Incident response: Defined procedures that employees should follow if/when they notice any suspicious activity or indications that a breach may have occurred, ensuring timely reporting and mitigation.
  • Data handling and protection: Guidelines for classifying, storing, sharing, and disposing of sensitive data securely and in alignment with compliance mandates. This includes mandatory device locking, encryption, and a prohibition on using unsecured public Wi-Fi without a VPN.
  • Device security: Protocols for using both company and personal devices safely, including encryption, secure connections, software updates, and immediate reporting of lost or stolen devices.

Continuous, adaptive learning 

Cybersecurity threats evolve rapidly, so policies must become living documents. By regularly reviewing and updating policies with input from various teams, and then translating changes into practice, you not only encourage employees to trust the process, but you help maintain compliance by keeping policies relevant and actionable.

The foundation of any cybersecurity policy should be regular, engaging, and role-specific training, including interactive exercises around realistic attack scenarios. Employees must understand the types of cyber threats they face and be trained to recognize and respond to them, knowing precisely their roles if an attack occurs.   

In our third and final article for this series, we’ll tackle how to integrate your cybersecurity policies with your organization’s cultural norms.  
