Why Are Business Drivers Important?

Computer systems continue to evolve and become more complex. This makes it hard for the business to understand the technology that supports it. Yet a security breach can have a significant impact on the bottom line. The following are three examples of why organizations need good security policies:

NOTE

The business refers to the operations of either a public or private sector organization.

The national retailer Target Corporation, with more than 1800 stores in the United States, suffered a major data breach during the 2013 holiday shopping season. This breach put at risk the financial information of an estimated 40 million customers. The costs incurred by the companies involved in this fiasco reached upwards of US$200 million.

In September 2018, British Airways discovered that it had been breached: an attacker had injected malicious code into the airline's website, capturing customers' personal and payment data as they entered it. The breach was believed to have affected about 500,000 customers. In addition to the direct damage, British Airways faced a fine of roughly US$230 million under the General Data Protection Regulation (GDPR). GDPR is explored in Chapter 3.

In 2019, Capital One experienced a large data breach in which an attacker gained access to more than 100 million accounts and credit card applications. In addition to the direct damage from this attack, it caused substantial harm to the company's reputation. As of this writing, this breach is still being investigated, and full remediation steps have not yet been made public.

NOTE

A breach is a confirmed event that compromises the confidentiality, integrity, or availability of information.

One could argue that each of these cases resulted from a security policy failure: each breach is attributable, at least in part, to a failure either to have an appropriate policy or to enforce it. In 2019, Egress conducted a survey of data breaches.1 Seventy percent of respondents believed that employees had accidentally put company data at risk in the previous 12 months. In 2018, the Ponemon Institute conducted a survey of cybersecurity in small and medium-sized businesses. Respondents indicated that the risk of negligence leading to a data breach was getting worse: 61 percent stated that negligent employees put the company at risk of ransomware, up from 58 percent in 2017.2 Although the exact percentages vary from year to year, the point is that having good policies isn't enough. Businesses must be self-aware and measure whether those policies are actually being followed, because they cannot afford the data breaches that result when employees fail to follow them.

Organizations are increasingly concerned with how information risks are managed and reduced. Security policies are not considered solely a technology issue anymore. Organizations also expect security policies to reflect how they want information handled. An organization’s security policies, taken collectively, show its commitment to protect information. Good security policies keep the business healthy. Some of the basic concerns with implementing such a policy include:

  • Cost—Cost of implementing and maintaining controls
  • Impact—Impact on the ability of the business to serve the customer
  • Regulation—The organization’s capability to defend its policies and practices before regulators, should the need arise
  • Adoption—The degree to which employees understand and are willing to follow policies—“to make them their own,” in other words

Policies are effective only if they are enforced. Managers dislike surprises. Finding out later that security policies are too costly or that they negatively impact customers is not acceptable. To avoid this, management needs to take part in creating and implementing security policies. Even in the best of situations data can be stolen. By having good security policies, the organization is better positioned to defend its actions to the public and in the courts. For example, an email security policy that warns employees that their messages may be monitored can help defend against a lawsuit for violation of privacy.

WARNING

Developing policy statements on legal and regulatory issues is highly sensitive work. Be sure to have your legal department review draft policy wording. Also, find out how the department wants working copies of policies labeled—as “draft” or “confidential draft,” for instance.
