Approaching cyber security with discipline builds confidence in your organisation, both externally and internally. Discipline in your cyber security approach means aligning what you are required to do (compliance) and the level you are asked to do it at (regulations) with a mindset that understands how things could go wrong (risk assessments) and with your own way of getting it done (strategy).
Cyber security policies are another critical step to distilling this discipline across your organisation. Where a cyber security framework and technical controls examine and improve your security from a technology perspective, policies also focus on how your people and processes protect the business.
So what do they do?
“A cyber security policy defines and documents an organisation’s statement of intent, principles and approaches to ensure effective management of cyber security risks in pursuit of its strategic objectives.” Gartner.
Convey trust: Maintains compliance with regulations and standards
Australian leaders (CEOs, directors and boards) are increasingly held accountable by regulatory bodies for meeting the cyber security regulations and standards that apply to them. For example, organisations that supply products and services to the Australian Government must demonstrate compliance with the Protective Security Policy Framework (PSPF) requirements and the Australian Cyber Security Centre's (ACSC) Information Security Manual (ISM).
Government suppliers are just one example; most organisations also have obligations overseen by the Office of the Australian Information Commissioner (OAIC) and the Australian Securities and Investments Commission (ASIC). Meeting them protects the company's own information and shows a genuine effort to protect and secure the information of others.
Cyber security policies help your organisation maintain compliance with these standards, serving two purposes: your organisation’s data is better protected, and you can demonstrate to a regulatory body that you have done your due diligence in securing sensitive information.
But, cyber security policies are like most policies for your organisation:
- One size usually does not fit all.
- They must be tailored to be effective.
- They need regular reviews and updates to keep pace with changes in the business.
Build discipline and confidence: Clearly define employee roles and responsibilities
The OAIC received 107 reports of data breaches caused by human error between January and June 2023. The graph below shows the types of mistakes reported.
When your team plays a crucial role in protecting your organisation’s sensitive data, you need cyber security policies that effectively communicate responsibilities and best practices that staff should follow. They establish clear guidelines on the appropriate use and handling of data, ensuring that every team member understands their role in maintaining data security.
These policies promote accountability throughout the organisation but should not focus solely on punishing people in the event of something going wrong.
Policies only build discipline and confidence if they are educative, up to date and convey intent rather than prescribing rigid specifics. Your users might follow a policy to the letter, but if the policy is out of date or not tailored to your organisation, someone following it could still do the wrong thing. For example, even if everyone follows a 14-character, complex password policy, you could still have problems if they choose "P@ssword112233!": it satisfies every composition rule while being built on one of the most common base words in breached-password lists.
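To make the password point concrete, here is an added example (not code from the original article) that contrasts a composition-rule check with a weakness check. The 14-character threshold follows the article's example; the leet-speak substitution table, the padding heuristics and the tiny blocklist are constructed stand-ins for the large breached-password corpus a real deployment would use.

```python
"""Composition rules versus weakness checks for passwords.

Added example, not part of the original article. MIN_LENGTH, LEET and
BLOCKLIST are constructed for illustration; a production check would
compare against a large breached-password corpus instead of BLOCKLIST.
"""
import re
import string

MIN_LENGTH = 14  # the article's example policy: 14+ characters, mixed classes

# Common substitutions people use to satisfy digit/symbol rules while
# keeping a dictionary word ("P@55w0rd" -> "password").
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed blocklist stand-in: base words that sit at the top of
# every breached-password list.
BLOCKLIST = {"password", "welcome", "qwerty", "letmein", "admin", "iloveyou"}


def meets_composition_policy(pw: str) -> bool:
    """The classic rule: minimum length plus one of each character class."""
    return (len(pw) >= MIN_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def contains_blocklisted_word(pw: str) -> bool:
    """Undo leet-speak, then look for a blocklisted base word anywhere
    in the result, so 'P@ssword112233!' still matches 'password'."""
    base = pw.lower().translate(LEET)
    return any(word in base for word in BLOCKLIST)


def has_trivial_padding(pw: str) -> bool:
    """Detect padding used to reach the length floor: runs ('!!!!'),
    repeated digit pairs ('112233') or straight sequences ('1234')."""
    if re.search(r"(.)\1{2,}", pw):                # aaa, 111, !!!
        return True
    digits = "".join(re.findall(r"\d+", pw))
    if re.search(r"(\d)\1(\d)\2(\d)\3", digits):   # 112233-style pairs
        return True
    seq = "0123456789"
    return any(seq[i:i + 4] in digits or seq[i:i + 4][::-1] in digits
               for i in range(len(seq) - 3))


def evaluate(pw: str) -> dict:
    """Return both verdicts so the gap between them is visible."""
    weak_reasons = []
    if contains_blocklisted_word(pw):
        weak_reasons.append("based on a blocklisted word")
    if has_trivial_padding(pw):
        weak_reasons.append("padded with repeated or sequential characters")
    return {
        "meets_composition_policy": meets_composition_policy(pw),
        "weak_reasons": weak_reasons,
    }


if __name__ == "__main__":
    # Constructed candidates: two that pass the composition rule but are
    # weak, and a passphrase that the composition rule rejects.
    for candidate in ["P@ssword112233!", "Summer2024!!!!", "grove-lantern-quartz-42"]:
        print(candidate, evaluate(candidate))
```

The first two candidates pass the composition rule and fail the weakness check; the passphrase fails the composition rule (no upper-case letter) despite being the strongest of the three. That mismatch is why NIST SP 800-63B advises verifiers to drop composition rules in favour of a length floor plus a check against commonly used and compromised passwords.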
Reduce impact: Accelerate responses in the event of a breach
The global average data breach cost has increased by 15% in the last three years. For Australian organisations, that cost is just over $4.2 million.
Cyber security policies outline the procedures for responding to suspicious activity, such as a data breach or an attack. A quick incident response can prevent an incident from snowballing into a larger issue. If your organisation experiences an attack, policies that set out everyone's role support a prompt response and keep the cost of downtime from growing.
Good cyber security policies also mean that blame for an incident does not rest solely on the organisation or on one person. As long as people work in an organisation, some percentage of human error has to be accounted for. Policies should not just be about punishing people and focusing on consequences; they should be preventative in nature and effective in practice. They should convey what should be done, combine human and technical controls, plan the response to human error and provide education that restores trust in cyber security.
Cyber security policies support the discipline of your organisation by improving compliance with regulations and standards, promoting accountability in your team and quickening your response to threats. Good policies strengthen protections around sensitive data, which prevents leaked intellectual property, employee details and customer information.
Continuously revisiting and enforcing these policies enables your organisation to build trust and maintain resilience. You need to keep pace with how your organisation matures and develops; the policies you used on day one are not the policies you need on day 365. A two-person organisation needs different policies than a company with twenty people.
Here are four events that could have happened this year and that should trigger a policy review:
- You provided products and services in a new industry
- Your organisation’s information, clients and scope of work increased
- You received or qualified for a new accreditation
- Your organisation experienced shifts in management or ownership, such as mergers, acquisitions or new partnerships
Mercury can support cyber security policies
We collaborate with you to develop and implement cyber security policies and processes that meet your organisation’s objectives and risk appetite. If you already have policies, we can review and uplift them to meet changes in the threat landscape and industry best practices. Visit our Governance Services page for more information about our capabilities.