Cybersecurity Policy – time to think outside the box?

When we get into cybersecurity, one of the first things any organisation or company should do is write a cybersecurity policy, one that is owned by all. Easy words to put down on paper, but what do they mean?

So, what is a cybersecurity policy? Well, it is defined in the Gartner IT Glossary as, “an organization’s statement of intent, principles and approaches to ensure effective management of cybersecurity risks in pursuit of its strategic objectives.”

CyberSmart, who deliver training for the UK’s Cyber Essentials programme, add to the definition by saying, “These principles can inform the decisions senior management make or guide employees in their day-to-day activities. Any policy worth its salt should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision makers.”

The key thing about any cybersecurity policy is not the rules the policy sets out but the framework for the culture within the organisation. The World Economic Forum's Global Risks Report 2022 indicates that 95% of cybersecurity threats that people have faced have in some way been caused by human error. That is a factor that many people…
