Security Policies: Going Back to Basics

John Davies


With the ever-increasing integration between physical and logical security systems, there has never been a greater importance placed upon defining and maintaining the security culture within an organisation, writes John Davies.

Given that increasingly complex security protocols are now required on a daily basis by even the lowliest of employees in the hierarchy, it’s easy for the security regime to become lax through apathy and for potential intruders to take advantage. The technology may be evolving, but so too must the team it protects.

What’s the first step, then, in not only creating, but also maintaining an effective security culture within a business or organisation?

While the details may vary between organisations, the common goal for all is to impress upon the team just how important security is to their jobs, fellow workers and clients and even, in some cases, their own personal safety.

Inclusive security culture

In many organisations, the process of building an inclusive security culture will entail a top-down approach. After all, if the company leaders don’t practice what they preach, then why should the rest of the team?

Human nature tends to shy away from complicated processes, and particularly so if the benefits are not fully realised or otherwise explained.

Clarity and honesty around the potential pitfalls and consequences of failing to secure the business can be a powerful tool in demonstrating the importance of security to the team. Legislation and legal ramifications, along with potential damage to the business in terms of reputation, are all powerful messages to be imparted.

Equally, for an organisation in the healthcare or education sectors, the protection of vulnerable people is also an important security consideration. An apparently trivial lapse of security protocols can have massive and highly damaging real world consequences.

Disseminating the message

The ways to build up a good security culture are as individual as the organisation it serves, but undoubtedly training and reminders are cornerstones. An important time to impart this to employees is when they join the organisation, but it’s equally vital to ensure the rest of the staff have a refresh on a regular basis. This could be in the form of regular e-mails or internal messages in whatever form the staff prefer to receive them. Regular refresh seminars or presentations can work particularly well for business divisions that regularly meet in any case.

Another approach is to train key team members as ‘evangelists’ who can then encourage their colleagues to follow Best Practice on a continual basis. The benefit here is that the team doesn’t just embrace the security regime when reminders are launched. Rather, they’re encouraged to do so all the time. This makes potential failings less likely.

The logistics of all of this are totally up to the organisation and the way in which it works, but it’s important to stress that security is of concern for everyone in the business and needs to be approached in full unity.

Practical steps for security

A lot of the practical steps are actually relatively simple to implement. Here are some seemingly obvious things to consider, but which are often overlooked:

*Strong passwords

At some point or another we’ve all chosen a password which is either short or fairly obvious (the company name or department perhaps?!). Anyone who’s trying to access secure systems or areas will undoubtedly have the thought in mind to try all the obvious passwords first. Worse still, it’s very easy to keep using the system default password.

Choose a password which cannot be easily guessed and, if possible, add numbers or other characters to make it even tougher to crack.

*Change passwords regularly

Using the same password for months, if not years, makes it much more likely to be stolen. Worryingly, you may not even have a warning if the intruder doesn’t use it immediately.

Set a company-wide policy that passwords have to be changed on a regular basis and stick to it.

*Nominate a highly secure password admin individual

Inevitably, people will forget their passwords from time to time so it’s sensible to nominate a highly trusted person or team to be able to access or renew these when needed.

*Don’t write down passwords then leave them in full view

Again this is easily done, but having all your passwords on a Post-It note on your desk isn’t at all secure! If passwords must be written down, make sure they’re hidden and locked away from prying eyes (or even leave yourself a coded reminder or question so the note is only useful to you).

*Maintain anti-virus and software updates

These are tasks that can easily be overlooked, but it’s important to ensure software protection is as tight as the physical security around your assets.
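As an added illustration (not part of the article or of TDSi's own tooling), the password points in the checklist above can be turned into an automated policy check. The organisation word list, the default-password list and the length and rotation thresholds are assumptions for the example.

```python
# Added example: encodes the practical password steps above as a policy check.
# Organisation words, default passwords and thresholds are constructed assumptions.
from datetime import date, timedelta
from typing import List, Optional
import re

ORG_WORDS = {"tdsi", "accounts", "reception", "security"}   # hypothetical company/department names
DEFAULT_PASSWORDS = {"admin", "password", "1234", "welcome"} # hypothetical vendor defaults
MIN_LENGTH = 12
MAX_AGE_DAYS = 90  # assumed rotation period for the company-wide policy


def password_problems(password: str, org_words=ORG_WORDS) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list means it passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in DEFAULT_PASSWORDS:
        problems.append("is a system default password")
    # Catch the 'company name or department' choice, even when padded
    # with digits or symbols or broken up with punctuation.
    stripped = re.sub(r"[^a-z]", "", lowered)
    for word in org_words:
        if word in lowered or stripped == word:
            problems.append(f"contains organisation word '{word}'")
    # 'Add numbers or other characters': require three of the four classes.
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")]
    if sum(1 for c in classes if c) < 3:
        problems.append("needs at least three of: lower, upper, digit, symbol")
    return problems


def password_expired(last_changed: date, today: Optional[date] = None) -> bool:
    """True when the password is older than the policy's rotation period."""
    today = today or date.today()
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    for candidate in ("Tdsi2024!", "admin", "Correct-Horse-Battery-42"):
        print(candidate, "->", password_problems(candidate) or "OK")
    print("expired:", password_expired(date(2024, 1, 1), date(2024, 4, 15)))
```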

Other factors to consider

The Bring Your Own Device (BYOD) trend, which has become so evident in the last few years, is another potential security worry. As a ‘back door’ for intruders, allowing staff to use their own devices, with unknown security and network access capabilities, is a potential headache.

It’s important that strict security policies also cover BYOD components. If this isn’t possible, it may be prudent to limit staff access to your data and facilities.

Even with mobile equipment belonging to your organisation, the use of third-party Wi-Fi and open access networks is an unknown quantity and can introduce weak points into your security network. It may be the case that only encrypted data should be passed across these networks.

Again, limiting their use (or the data that can be shared across them) is a prudent measure within the security policy.

Covering all the bases

It may seem ironic, but the more complex security systems become, the more important it is to cover the basics. There’s no point having the most up-to-date systems in place only to let the whole ensemble down with an incomplete or lacking security policy in place.

When access control consisted of just a simple lock and key it would have made no sense to lock the door and then hang the key on the outside wall right next to it! In essence, this is what a poor security policy (or failure to follow it properly) boils down to. Intruders will always look for that dent in the armour, so why make it easy for them?

John Davies is Managing Director of TDSi

