There are three main planks to any secure system: technology, policy, and education. If any one of these is lacking, maintaining data security over the long term is next to impossible. A technological solution is worthless if no one knows how to use it and why it should be used. Even if they do know how to use it, without an enforced policy, it’s entirely likely that employees will take the path of least resistance and greatest convenience.
We see this all the time with passwords. Password systems are a technological solution to the problem of user authentication. Trained users know they should choose sufficiently long and random passwords, but they often don’t because it’s inconvenient. Implementing, monitoring, and enforcing a strict password policy increases the chances that employees will use passwords effectively (although two-factor authentication is a better option).
The aim of a data security policy is to clearly express the obligations that employees have with regard to security, to provide a tool for holding employees accountable for their behavior around sensitive data, and to give the policy’s framers an opportunity to carefully think through various aspects of the company’s security risks.
Accountability is crucial. If there’s no accountability, there’s no real motivation for employees to adhere to security best practices. If a company has trained its employees about the dangers of phishing emails, and those employees continue to ignore the risk without repercussions, there will be no real security benefit.
A data security policy outlines and makes explicit the security expectations a company has of its employees. The specifics that should be included in a data protection polity differ for individual companies, but there are some areas that should be part of every policy.
We’ve already mentioned passwords. To pick a prominent example at random, DropBox suffered a massive security breach because an employee password was stolen. Curious minds wonder how a password was left in a position to be stolen. A clearly laid out policy for secure password handling alongside a program of user education can help prevent incidents of this sort.
A data security policy should be comprehensive, covering any instances in which an employee interacts with sensitive data. It should include the obvious: don’t download the user database to a USB drive and take it home. But also the not-so-obvious: sensitive data should not be shared between business units without permission from senior management.
Needless to say, encryption and patch management should have a prominent place in any decent data security policy.
It’s difficult and expensive to build absolutely secure software systems, even when the underlying server infrastructure is secure, but it is possible to massively reduce the risk. Like it or not, employees are probably the number one security risk for any business. A comprehensive data security policy, by making explicit employee’s obligations and the company’s expectations, can help limit internal risks and give the people who are ultimately responsible for keeping data safe a framework for guidance and a tool for enforcement.