How to develop a cybersecurity policy people will actually follow: 7 steps

February 6, 2019

Scott Birmingham

Every organization needs a cybersecurity policy. It’s the only way people know what’s expected of them, whether we’re talking about the COO, the receptionist, a vendor or a volunteer. Unfortunately, until you’re a target (which, according to Ipsos, 18% of small and medium-sized businesses in Canada were in 2016), most people associated with your organization will ignore the risk (and the policy). Here are seven steps you can follow to develop a cybersecurity policy that people will actually follow.

1. Develop it as a group

    You’ll get greater buy-in for a policy that was created with the involvement of more than one person. Senior leadership should definitely champion the project, since without high-level support you’ll lack the resources and authority to do much more than draft the document. Involve your board members, if you have them. Middle management and supervisors can help with policy roll-out, training and ongoing reminders to employees, volunteers and vendors.

2. Make it easy to read

    If you want non-technical people to refer to your cybersecurity policy (and to understand it when they do), you need to keep the document as short and simple as possible. Consider enlisting the help of a writer and designer to make the document clear and engaging and to highlight key messages relating to specific groups.

3. Make it accessible

    If the policy is in Brad’s (or Anil’s or Li’s) desk drawer or in an obscure folder on your organization’s server, no one will be able to find it. Name it clearly and put it somewhere obvious. (If you don’t have an obvious place for company policies, make one.) Even better, put it in a number of obvious places so people will run across the policy (or its offshoots—see step 6) often.

4. Revise it regularly

    Technology and the forces that threaten the security of information are always changing, and your people will be less inclined to follow a policy they know is stale. Convene your stakeholders on an annual basis to review your policy and make any changes. You can also conduct a cybersecurity audit as part of this review process, to identify areas where your policy or your people (including suppliers) may need some help.

5. Train people on it

    Training will make your policy real and relevant to your people. They need opportunities to try approaches out using their devices, ask questions and explore the grey areas. Training on your cybersecurity policy should be mandatory for all employees, volunteers and, ideally, vendors. It should also be part of your new employee orientation. Maintain attention and encourage retention by making the training interesting. Finally, keep the topic top-of-mind with regular refreshers that point out how threats—and your organization’s responses to them—are evolving.

6. Remind people about it

    A survey by Clutch showed that 46% of the front-line employees who participated didn’t know whether their company had a cybersecurity policy. “Out of sight, out of mind” is a bad mantra when it comes to your policy. It will be easier (and more enjoyable) to remind people about it by breaking it down into bite-sized, practical topics for groups who share common job functions. “How-to,” “quick tip,” “did you know,” “quiz of the month,” “what if” and “do this, not that” content can be helpful reminders. Use video, posters, emails, newsletter articles and in-person meetings to keep the delivery of messages interesting.

7. Reward people who follow it

    While you’ll need to address sanctions and other consequences for not following your cybersecurity policy within the document, everyone prefers the carrot to the stick. Publicly recognize people who follow the policy to create an incentive to follow the rules. It will also remind your people that the policy exists and that you’re watching who follows it.

Whether you’re starting your cybersecurity policy from scratch or reviewing an existing policy to make it more effective, it’s important to remember that you can’t “set it and forget it.” Revise, remind and reward on an ongoing basis to encourage your people to follow your policy every day.