Implementing security policies can be as easy or as hard as you want to make it. Ignoring security or making it a lower priority can have terrible impacts. And those impacts may not always be the result of a direct attack; perhaps you are one of those companies that becomes collateral damage in a larger breach. How do you know how to respond? How will you know what to do?
A security policy should address some key elements:
- What are the threats to your business?
- What are your vulnerabilities?
- Who is it applicable to? The short answer is everyone.
- What do you want to address? Define the policy and the actions.
- What is the standard and your expectations?
- What do you do when an incident happens? And when do you rehearse?
- How often will you review and update them?
This is the foundation, and it can certainly be more extensive. At a minimum, it makes security part of your culture. It makes you and your employees evaluate normal day-to-day business with a security eye and put security at the forefront of your day-to-day business operations. In 2014, over 90% of security incidents were the result of human error according to IBM, and the number will likely be close to the same in 2015. Setting up security policies and following up with training will set your business up to be an alert and aware organization. And you will be better prepared.