Building comprehensive cybersecurity policies

February 6, 2020  |  Devin Morrissey

Image Source: Photo by freestocks.org on Unsplash

An independent guest blogger wrote this blog.

When you think of cybersecurity, what’s the first thing to come to mind? Most of the time, it might be your business’s IT team, who run around worrying about updates, threats, and computing capacity. The reality is that cybersecurity isn’t just the IT department’s concern — it’s everyone’s.

Research suggests that cybercriminals will steal 33 billion records in the year 2023, and half of all global data breaches will occur in the U.S. If you want any hope of stopping them from stealing from your business, then you need all hands on deck — from your administrative team to the sales team to the C-suite.

Why is building a comprehensive cybersecurity policy with features that cover everyone and their devices so important? Because everyone (and their devices) can be a threat. Here’s what you need to know about strengthening your cybersecurity as we head into the new decade.

Why ‘comprehensive’ includes everyone at work

Comprehensive cybersecurity practices usually include items like:

  • Threat risk analysis
  • System vulnerability analysis
  • Impact assessments
  • Security environment analysis

But, to be totally effective, these need to consider not only the high-value and high-risk processes and procedures but everything in between. Why? Because while it’s true that your security is only as good as your software, you also need to limit the extent to which you expose those systems to threats.

In today’s hyper-connected world, there are millions of opportunities to bare your security infrastructure to the world. Two of the biggest threats actually come down to your employees. First, they now complete the vast majority of their work online, which means both internet security and access are critical to your core processes. As more and more of your work happens in the cloud, you simultaneously create more vulnerabilities.

Second, your employees also carry more internet-connected devices than ever — and they probably access company data on them. The cybersecurity threats created by the Internet of Things (IoT) are stunning: one survey found that 54% of consumers own at least four IoT devices, but only 14% say they know how to secure them.

This is a huge problem because only 31% of employees receive annual cybersecurity training.

Consider the Threat of Internal Sources

To be clear: hackers are a problem. The prevalence of malware, phishing, ransomware, and DDoS attacks has grown year-on-year, and your business could be the next target. What you might not realize, however, is that the biggest threat to your business could already be inside it.

Back in 2016, IBM found that 60% of all attacks aren’t the result of malicious outsiders fighting their way in. Rather, they’re the product of the people who are supposed to be defending your business. Before you look around the room suspiciously, it’s important to know that these “attacks” usually only occur when well-meaning people carry out their daily tasks without knowledge of the organization’s cybersecurity processes and goals.

If working securely isn’t already a priority in your company and amongst your employees, it needs to become one. Why? Because the most common cybersecurity threats coming from inside the fortress include:

  • Social engineering
  • Mobile device attacks
  • Identity theft
  • Poor password hygiene
  • Cloud attacks
  • Unsecured wireless and LTE networks
  • Downloading malicious content

Fortunately, statistics show that 64% of these kinds of events are related to negligence and 13% are the product of credential theft. Why is that good news? It means you have an opportunity to fix and prevent future issues by aligning your company’s cybersecurity vision and your employees’ knowledge.

Vision alignment isn’t what you might think of when you build a cybersecurity policy, but to have a comprehensive plan, you need every member of your team pulling in the same direction. And it’s not as difficult or expensive as it sounds. For example, if you use the McKinsey 7S model to plan and align your strategy, structure, and systems, you’ll ensure that everyone is on the same page in regards to cybersecurity and take the pressure off your infrastructure.

Create a plan for the IoT

Understanding the need for creating (and protecting) strong passwords, learning to spot and report phishing emails, and avoiding dodgy links were already a challenge when every employee used only a desktop computer. With the advent of the IoT, however, those risks have grown exponentially. Even the most mundane and unsecured IoT devices are an easy access point for external threats.

Of course, your comprehensive cybersecurity plan can and must account for all your business’s devices, including cell phones, tablets, and any new IoT and Industrial IoT infrastructure. However, you also need to account for the number of their own personal devices that your employees bring to work and connect to your network, such as smartwatches. With the advent of remote working, they don’t even need to be in the building for their mobile devices to put your security at risk.

What’s more, you need to plan for various levels of device security sophistication. Not every device will include the same developer-focused security that phones and tablets do, particularly as the disposable IoT becomes more prominent.

Your ability to plan for the IoT will make an enormous difference in your cybersecurity. Without it, you can’t claim to be comprehensive and you will place unprecedented stress on the rest of your systems.

Prevention is the Best Medicine

The attacks that grab headlines are almost always the product of malicious hackers who stole thousands or even hundreds of thousands of files. While these attacks are certainly growing in both scale and prevalence, your biggest risk isn’t the attacker knocking on your front door but the employee who goes to answer it.

Creating a comprehensive cybersecurity policy relies heavily on preventing attacks. To do that, you need to acknowledge the extent of the role that every employee (and their growing number of mobile devices) plays in keeping your company and customers safe.

A comprehensive policy doesn’t just rely on encryption and anti-malware protection. Your policy also includes your employees — from the interns to the C-suite. Without them, even the best-laid security plan is vulnerable.
