For most small and medium-sized businesses - and a surprising number of larger ones - security policies are documents that are written by the IT department, filed somewhere and forgotten.
Day-to-day information security is handled by technical people who are left to fly by the seat of their pants, often without the resources, training or authority to take command of the situation.
As a result, no one is in control, so when a problem arises it is dealt with piecemeal on a technical level without reference to the bigger picture. This is why, in spite of advances in defensive technologies, attacks are on the increase and the bad guys seem to be winning.
This situation exists because the majority of corporate information security policies just don't work. Most policy documents contain a blanket clause such as "no software shall be installed by any user without the authorisation of the IT support department". This sounds very conscientious, but it raises several questions.
What is this policy trying to achieve: licensing control; protection against Trojans; or control of private computing? IT support would have to take a different course of action in each case, so without an appropriately defined intent and action plan, this policy statement is non-functional.
How is this single policy supposed to cater for everyone in the company, from accounts clerks who don't need to install software to engineers who do?
If everyone was to follow the policy rigorously, would IT support have the resources to handle all the requests?
Finally, has anyone trained the end-users so that they realise a screen saver is software and has anyone noted that some dangerous Trojans masquerade as screen savers?
What happens as a result of this vagueness is that no one follows the security policy as a rule, but it may be wheeled out occasionally to bludgeon some unfortunate person whose software installation caused an identified problem.
Good policies should protect against threats, not just specify punishments to be inflicted after disaster has struck. They are an expression of rules and restrictions that maximise the security of corporate information while minimising the impact on the business. They must be tested and proved to be functional in the business context.
And, given the rate at which the hazards are evolving, good policies soon go out of date. Obsolete or unworkable policies can be more dangerous than none at all, as they can engender a false sense of security, and policies that do not mesh with your business needs can be a constant brake on performance.
To build good policies start by asking what you are trying to achieve. Identify the problem you need to solve and involve business decision-makers, IT support staff and even HR, rather than leaving policy definition to one or other group alone.
Take professional advice where appropriate, but never hand over your policy definition to outsiders and never use off-the-shelf policies, however big the cost savings.
It is as well to include a regular formal update mechanism in your policies, and to amend them immediately in the light of any incident and whenever a major new threat is announced. That means you must investigate all incidents, however trivial, and you must keep up to date with new threats. Both should feature in your policies. HR and management need to ensure that appropriately qualified staff are given the time and resources to fulfil them.
Consulting your IT users is important for security - explain what your policies mean and why you have implemented them. Listen to their responses and adjust your policies if necessary. Train users in security basics, so that they understand why restrictions are necessary. It is important that you allow no exceptions - make a policy for every explicit case. You should consider simplifying your policies by eliminating unnecessary hazards.
Imposing minimum privilege can do wonders for security - instead of giving everyone full Internet access at their desktops, consider opening a cybercafe in the canteen, isolated from the corporate network. You might give everyone a private e-mail address as well as their corporate one, with explicit, monitored, rules on usage.
Above all, update and test your policies regularly.
Mike Barwise is an independent consultant specialising in information security management