Security policy do's and don'ts

When it comes to end user security policies, there are several paths to take. One that I do not particularly like is the kind of policy that simply states that the user has to know every rule and how to act in every situation, and that if you make a mistake, you will be punished for it. To me, that is not a well-written policy; it is a document published to make sure senior management can say they are not responsible if anything goes wrong. This is wrong from two perspectives: it does not do the user any good, and if something bad does happen that damages the company, senior management is still responsible.

As an example, a policy that clearly states that you as a user are not allowed to click on a malicious link defies all logic. How is the user supposed to know beforehand that a particular link is malicious? After the fact they may realise it, but beforehand? Not a chance. First, what is a malicious link? The link itself could point anywhere, even to a legitimate website that was compromised earlier. The URL string or domain name is not a reliable hint for spotting a malicious link. So how is the user supposed to follow the policy? They cannot, which effectively means that the policy statement is pretty much useless.

Every user can be tricked into clicking a malicious link. Most of us receive a lot of emails which include links to material online. Do you really check every link you click to read that PDF report or whatever it may be? Probably not; you are probably putting your trust in your company's spam filter and anti-virus software that is supposed to keep those malicious emails away from you. You probably trust those technologies a lot more than you realise. Ever since we got short links in our emails, such as, it became even harder to manually inspect links in emails and other forms of content. URL rewrites and redirects are common, so it is virtually impossible to predict where you are going to end up once you click a link in an email, unless it is an internal email. But even internal resources could be compromised, so just because the URL points to an internal resource, it is not an automatic all-clear.

To me, a good end user security policy reminds users of certain rules that need to be adhered to and shows how they can act to remain as safe as possible. There are always going to be certain rules an employee needs to follow, but following them must be possible and simple, otherwise the policy will not be effective.

As an example, sharing internal documents with people outside your company or organisation is usually not permitted. But in order for a user to follow that rule, a number of things need to be in place. First and foremost, a document must be clearly labeled in a way the user understands. Second, there must be a simple process with a corresponding IT support system that allows users to tag or label documents. Also, there must be a very clear and simple statement on how to tag or label a document with a particular security level. If any of these are missing or unclearly defined, the policy will again fail. If users cannot follow the steps without too much effort, they will not follow them. It is human nature; we are lazy creatures. It is one of the most common mistakes I have personally witnessed throughout my career: a policy that is virtually impossible to adhere to because the supporting processes and tools are not available.

One of the most important things about any security policy is that it must contain contact information in case users need clarification of the policy content. Interpretation of a policy can result in very different outcomes depending on the user's perspective, so if possible, keep the language as simple as possible. Avoid too many technical terms, as they may confuse users into doing things the wrong way. Also, policy violations can of course not be tolerated, but the threat of punishment is not a good way to get users to comply. Rewarding feedback on your security policy allows you as a security officer to enhance it and makes sure that end users tend to accept the policy not because they must, but because it aligns with their own sense of what security measures are adequate. Trying to force cooperation almost never ends well, and in the end, you want users to adhere to the policy guidelines, not try to circumvent them because they feel the policy is getting in the way of how they want to work or accomplish things in their day-to-day activities.

In order to achieve that goal, you have to have a dialogue with your users and understand the business model of your company or organisation. If your policy goes against the business model or business needs, it will not be accepted, and then it will not benefit anyone. This is perhaps one of the toughest challenges for many security officers: aligning security requirements with the company's business model and needs. That is why it is very important to have senior management on board when it comes to security strategies, so that they align with the business model. Being a CSO without direct access to senior management can be quite a pain when trying to gain acceptance for security policies.

As for advising your users on good security practices, again, it must be easy for them to follow. It should be the obvious way of behaving. Good security practices that are widely accepted by users tend to be transparent: the security is there, but users do not really see it as a security measure. Again, the software used by your company can make or break you as a security officer when it comes to acceptance. Most companies do not condone the use of Dropbox and similar services and often inform users that it is not allowed. What most companies tend to miss is the obvious question: why are users turning to Dropbox instead of using the internal document management process and IT system? User friendliness is a key component in gaining acceptance from users, and in order to get good security you have to get acceptance from your users. Do not punish them for turning to a user-friendly alternative if the internal tool is difficult or cumbersome to use. Rather, try to influence IT in the right direction so your job as a security officer becomes easier. If you have to constantly remind users that they are violating the security policy, there is obviously something wrong with it.

In my opinion, most users want to do the right thing and stay secure; you as the security officer just have to make sure that they can do so in a way that is acceptable to them. So, good luck in writing your security policy. Your users will, if you let them, let you know whether they feel you succeeded or not.