This is a article that I originally wrote for my job. I am reposting it here with a few changes.

Technology Can’t do Everything

You walk into the office Monday morning, attempt to login to your desktop and realize that you can’t login because you’ve been hacked or there is a ransomware note ominously dominating your screen. The first thing you may think of is to look at logs and other use the other tools of the trade to figure out how this happened.

You find out later that this breach was caused by a phishing attack on an unsuspecting employee, this innocuous failure of operational security (OpSec) by one of your employees resulted in tremendous losses in man-hours, money, and reputation.

Often when we think of cybersecurity, the first thing that usually comes to mind are firewalls, endpoint protection, Security Information and Event Management (SIEM) solutions, and the like. While these products and solutions are a vital part of cybersecurity, they can only marginally influence human behavior. This is where policies are effective; they can bridge the divide between technology and employee behavior, complementing technology by outlining expectations and defining consequences for noncompliance.

What’s the purpose?

To better understand the role of IT security policies as a part of a cybersecurity strategy, we need to understand why we have them in the first place and what we are trying to accomplish. Put simply, we want to keep our organization’s information safe. We accomplish this by ensuring three things:

• Confidentiality -information must not be made available or disclosed to unauthorized individuals, entities, or processes.
• Integrity -data must not be altered or destroyed in an unauthorized manner, and accuracy and consistency must be preserved regardless of changes.
• Availability -information must be accessible and usable on demand by authorized entities.

To that end we often must build a strategy that incorporates technological and policy solutions which balance information security with the needs of the organization.

The Human Side of Tech

Now that we have briefly gone over the purpose of IT security policies, we must look at how they should be implemented. Effective policies are policies that not only protect data and help the organization avoid liability, but also take into consideration the culture of the organization and its employees. For example, an organization with a large remote workforce should have Multi Factor Authentication (MFA) to login to applications, whereas a small organization with all employees working in one office could consider MFA optional.

Additionally, effective policy always reflects the following ideals:

• Clear – vague policies leave confuse IT system users and leave room for bad actors to claim a plausible misunderstanding of the rules.
• Consequential – policies without an enforcement mechanism with clear consequences for violations are not likely to be followed in large organizations.
• Current – policies should be reviewed and modified periodically to reflect the technology and security posture of the organization as it is today.

Bottom Line

Until killer robots and rouge AI become our overlords, humans are going to be the center and the weakest link of any cybersecurity strategy. And while the technology used will always be a huge part of cybersecurity, implementing effective IT security policies must not be overlooked.