ThreatSwitch works with some of the most successful and influential industrial security professionals. Our Partner Perspective series sets out to share their top lessons and insights that you can take away to improve your own program.

For this installment, CEO and Co-Founder of It’s Just Results, Gustav Plato, identifies the top 10 reasons why employees are not applying policies and what you can do to create positive change.

Not following Policies is Common

A 2018 Kaspersky Labs study found that only 12% of employees know of an organization’s security policies and rules. This same survey said 24% of employees believe that the organization they work for does not have security policies.

Many companies have employees who are not aware of the company’s expectations of their behavior. The only way for staff to know their responsibility and their role in meeting security requirements is for these requirements to be documented, communicated, and shared. A written document establishes explicit activities and guidelines for employees to follow but without staff participation, a company’s security posture will be deficient.

10 Reasons Why Employees are Not Applying Policies

In response to policy challenges, we've worked with business leadership and staff to identify the top reasons why employees are not engaging with security policies:

• Externally developed policies (i.e. not by internal staff/employees)
• Confusing and complex language
• Management not involved, roles not defined
• Dry and boring language
• Not relevant to business work environment
• Outdated (have been on the shelf for several years)
• Staff does not understand need for policies
• No time provided to read policies/text is not relevant
• Leadership does not enforce standards/no consequences for not following policies
• Insufficient resources to execute policies

Designing Policies that Engage Employees

Getting all of your employees engaged with your policies might seem like an impossible task, but don't give up quite yet! To improve policy development speed, implementation, use, and buy-in, incorporate these critical variables:

• Compliance Mapping: Map Policy documents to over 100 controls required by DFARS
  252.204-7012, including NIST SP 800-171 requirements
• Background, Purpose and Scope: Establish context, set clear goals and expectations of the
  policy, and describe what the policy encompasses.
• Key Procedures: Write easy to understand procedures that describe activities. Note: This is not a detailed step-by-step implementation instruction.
• Schedule: Establish an overall timeline and include; all security activities, individuals assigned to the activities, and activity frequency. This is a living document.
• Shared Accountability: Require each staff member and consultant to read the policies. Each person must attest to reading and understanding the policy. Distribution is annual and updates should be distributed when policy changes are implemented.
• Violations: Violations of information security policies have consequences. Consequences may be at the business or employee level. Employees must understand that not following policies will also have personal consequences.
• Ownership: Identify a Policy Owner to answer questions about the policy.

In addition to the basic policy requirements listed above, we recommend including the Center for Internet Securities (CIS) 20 controls. The controls are updated every few years and can be found for free download at https://www.cisecurity.org/controls/. It is generally accepted that these controls address 85% of the cyber threats companies face.

Do your policies include these security controls? If not, you have a likely security gap and will need to make decisions and codify them in your new or revised policies.

It’s Just Results partners with business leaders to deliver no nonsense results for their corporate security, compliance, risk mitigation, threat analysis, and actionable security policies