How to Hack a Business – Part 2: Policies

Cybersecurity policies

Technology solutions provide vital layers of protection for your organization’s information, but they are not enough to cover the full scope of your exposure. Policies are also an important part of your overall security posture.

Policies are not an exciting topic. We are a “skip to the end and click Accept” generation. However, policies play an important role in risk management, liability, information governance and defining the areas of vulnerability that need to be constantly monitored and addressed by your business.


  • Security Policies should be reviewed at least annually. Outdated policies do not address the way people currently work.
  • Security Policies should have executive sponsorship.
  • Security Policies need to be applied enterprise-wide. Security is the great equalizer. It is everyone’s responsibility to align to the same standards.
  • Security Policies should clearly state who owns them, who they apply to, and how those people are to be informed.
  • Security Policies should align with a standard (NIST, ISO, GLBA, HIPAA, etc.).
  • Security Policies should address internal threats along with external threats.


  • Multifactor Authentication: Passwords are not enough and haven’t been for some time. Requiring a second factor to verify a person’s identity substantially strengthens your security posture.
  • Mobility: According to the FBI, “The more mobile, the more vulnerable.” Every day our culture becomes more and more mobile. While this is convenient and expected, it also adds layers of risk that need to be addressed.
  • USB Drives: This is a serious and increasingly used attack vector. Think about how easily an office visitor could plug a USB drive into a device, leave it, and then begin mining your data.
  • Content Filtering: Web traffic is inevitable, but it can be filtered to log or block specific sites and categories of web activity.


  • Business Continuity and Disaster Recovery Plans. These need to be defined, in place and rehearsed/reviewed at least annually. Don’t wait for a disaster to make sure you are ready.
  • Incident Response. Assume that at some point things will happen. Plan for this and map out the appropriate steps to take following a breach.
  • Vendor Management. Vendors that have access to your data present as big a risk as internal personnel. Address this with appropriate access rights management.

Organizations today are responsible for addressing the ever-changing threats and vulnerabilities to their information, and that requires a holistic look at all elements of security. In doing so, don’t forget the importance of properly written, sponsored and communicated security policies.