Acceptable Use Policies to Reduce Risk

A few weeks ago, Deloitte Touche Tohmatsu (DTT) released the results of its Annual Global Security Survey for 2008. The survey focuses on the information security needs, practices and priorities of the financial industry, which is among the most regulated of all vertical markets. Not surprisingly, the top priority for the security officers interviewed was “security regulatory compliance.” What is a bit surprising was that security compliance took the top spot for the first time, followed by “regulating access control”, which was the number one priority in 2007.

The report provides a number of interesting details, many of them pointing to continued problem of the “human factor” in security. According to the survey, the number one root cause of all security incidents experienced at these organizations was “human error.” (This is not a surprise, as nearly all data breach and incident studies come to a similar conclusion.) What IS surprising is that despite the concern about human error, the category for “security awareness and education” was 7th on the overall list of 15 priorities. While this tremendous gap between cause and prevention is indicated in this report, it is echoed throughout the industry. Everyone “gets it” that security is fundamentally a people problem, and yet when you look at spending and organizational priorities, education and awareness is near the middle or bottom of the list.

When new technology is introduced into the mix, the potential knowledge gap widens as technology makes into production before the much-needed awareness and policy guidance. In fact, the report revealed a fairly large gap between the deployment of new technology and the issuing of specific policies and guidance on the safe use of the technology.

One prime example is mobile security. According to the survey, very few organizations (less that 10%) actually prohibit the use of mobile storage (USB drives, Media Players, etc.) because of fears that this will limit productivity. In other words, 90% of organizations are using mobile storage in the enterprise. Yet only 40% of these same organizations publish policies and procedures on acceptable use of mobile storage. The statistics are similar for mobile computing technology (handheld computers, PDA, etc.). Only 27% limit these devices, and yet only 42% claim to have issued acceptable use policies.

Given the facts that human error is the root cause of most security incidents, the “knowledge gap” created when organizations permit technology without written acceptable use policies represents a significant risk. Written security policies are the official “contract” between management and employees on the appropriate use and misuse of new technology. And while polices do not replace awareness and training, they significantly enhance these efforts by forcing management to think through the various risks and trade-offs of adopting new technology.

If your organization is searching for cost-effective ways to keep policies updated based on the latest technologies, we encourage you to evaluate our PolicyShield Security Policy Subscription. We believe written policies are key for enabling safe, yet productive use of new technology.