The power of policy in information security - Bistech

How governance, risk management and compliance (GRC) can help mitigate human error.

From misconfigured systems to falling victim to social engineering attacks, human error continues to be a leading factor in cyber security incidents, according to Verizon’s annual Data Breach Investigations Report[1]. In fact, 74% of breaches last year involved the human element. It’s clear that human error — whether inadvertent or malicious — can have serious consequences.

Human behaviour can be your greatest weakness (or strength) when it comes to securing your data. And while technology does play a key role in this, it can be easy to overlook that an organisation’s underlying policies and culture form the bedrock of an effective information security strategy — with technology augmenting, not replacing it.

With that in mind, it’s vital to go back to basics and develop a company culture of cyber awareness and collective responsibility. One essential component of this is GRC, a set of practices and processes that can help companies manage risk, meet compliance requirements and improve decision-making. All of this can help minimise the impact of an incident when one inevitably occurs.

GRC defined

GRC encompasses three key components:

  • Governance refers to establishing frameworks, processes and policies and ensuring they’re aligned with an organisation’s business goals
  • Risk management is the process of identifying, assessing and prioritising risks — and taking steps to address them
  • Compliance is adhering to any relevant laws, regulations and industry standards, as well as undertaking internal audits to confirm processes are being followed

By having strong GRC practices in place, an organisation can minimise the risk of legal or regulatory issues, protect its reputation and ensure it can operate effectively and efficiently. One of the key benefits of clearly established policies and processes is that they can significantly reduce human error, because they explicitly define what people should be doing. Combined with ongoing security awareness training, this empowers employees to become part of the organisation's wider information security defence.

Four steps to best practice

To capitalise on the benefits of GRC practices, organisations should consider the following:

Align with a proven information security framework

Performing routine independent audits against an established information security standard or framework is an essential step for verifying your security strategy and can give a strong indication of your organisation’s current maturity, as well as identify any gaps that can then be addressed.

Provide ongoing security awareness training

One of the most effective ways to mitigate human error is through comprehensive, ongoing and quantifiable security awareness training. By raising awareness and providing practical guidance on identifying and responding to threats such as social engineering, employees can become the first line of defence.

Implement access controls

Organisations should carefully manage user access to systems, networks and sensitive data based on zero-trust principles, including giving employees only the minimum level of access required to perform their job functions. These controls should be subject to regular business reviews to ensure they stay in line with changing business requirements.

Plan (and practise) incident response

Despite all preventative measures, data loss incidents can still occur, so having a well-defined and rehearsed incident response plan is critical to minimise the impact of any potential damage. This plan should outline the steps to be taken in the event of a breach, including defining roles and responsibilities and simulating attacks at least annually, with the learning points fed back into GRC practices each time.

An ever-changing threat landscape

Earlier this month, a supply chain cyber attack affecting several high-profile companies hit the headlines, with the fallout still ongoing at the time of writing. This mass hack breached a file transfer app called MOVEit, which is used by thousands of businesses around the world[2]. The group behind this breach, known as Clop, previously announced that it was moving away from ransomware toward data-theft extortion[3].

With this emerging attack model, having stringent GRC practices in place is more important than ever. If a threat actor can successfully phish just one person with the relevant access, they can simply steal the organisation's data without the additional dwell time that a ransomware attack requires, which makes the intrusion more challenging to discover.

The shift to proactive

Although GRC practices alone can’t eliminate human error, by their very nature they provide a strong foundation for reducing the risks associated with it. When people (an empowered and educated workforce) are combined with the correct processes (GRC practices) and the relevant technology, organisations can proactively address potential risks and respond swiftly to mitigate them. To discuss your information security strategy, call our specialist team today on 03330 11 22 55.

[1] 2023 Data Breach Investigations Report, Verizon

[2] MOVEit vulnerability and Zellis incident, NCSC.GOV.UK

[3] Clop ransomware claims responsibility for MOVEit extortion attacks