Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Is Your “Acceptable Use Policy” Acceptable to Employees?

December 21, 2022

CSO Online published a very good post on December 14. I loved the first line: “If users resent, fear or ignore policies around the use of corporate resources, it may be time for a different approach that incentivizes rather than punishes.”

Those are words of wisdom infrequently followed.

Acceptable use policies (AUPs) are more complicated now that work can take place almost anywhere, on any number of devices. An employee may be entirely remote and working on a personal laptop rather than a company-owned device.

From an IT perspective, an AUP outlines the acceptable use of corporate data, devices, and networks. In a hybrid workplace, that policy should also include terms and conditions for working on personal devices or home networks. And it should include guests, gig workers, contractors, and other non-employees who use company systems and networks.

Some policies are obvious – no, you can’t watch porn on a company device. Others are not so obvious. Whatever your policies, make sure your employees sign them (and that they spell out the consequences of breaking them).

“People know that cybersecurity is important,” says Alex Michaels, principal adviser at Gartner. “They just aren’t doing what we want them to do.” That’s because they may not view cybersecurity as their personal responsibility. However, a significant number of data breaches are caused by human error, often by clicking on a phishing email. The problem is that many AUPs are written in technical jargon – or they are a template that someone found on the internet.

There are much more progressive—and effective—approaches to establishing and enforcing policies.

“A lot of people in the security space grew up in the security space,” Michaels says. “But what about involving experts who have knowledge in behavioral economics and change management? Those types of things should be part of the conversation as you write your policies and as you look to shift and reframe the perception of security.”

An AUP usually sets rules governing IT security policies, such as passwords, authentication procedures, and the use of public Wi-Fi. It can also be used to set standards of behavior on social media sites.

“I think everybody needs to reassess this right now,” says Frank Sargent, senior director of security workshops with Info-Tech Research Group. For years, an acceptable use policy was easier to enforce with technical controls, such as firewalls. Today, many employees are working remotely and that can have security, compliance, and tax ramifications. Companies need to “catch up with the new realities of how people are working,” says Sargent. “You can pull an Elon Musk and say ‘thou shalt be back in the office’ to manage that. But that’s going to be a short-term fix.”

“You’re going to have to continue to learn as an organization what these risks are to you, and keep adjusting your policies, keep adjusting your controls, keep adjusting how you’re assessing risk, so it gets to where you need it to be,” Sargent says.

Your AUP needs to be auditable and enforceable—but there’s a tricky balance between protecting employees and making them feel like they’re working for a dictator. “It should be written to the end user rather than the technical person who works in security,” says Michaels. “One of the pitfalls that we see in the development of policies is the security leader will either own the creation of the policy or delegate it to somebody on their team, and they won’t go out and source feedback and check that they’re on the right track.”

The AUP should be clear, concise, and easy to understand. No legalese or technobabble. But getting employee buy-in could also come down to something as simple as word choice. “My specialty is respectful language and policy,” says policy drafting expert Lewis Eisen. “Respectful language means policies that don’t sound like parents yelling at their children.” For example, rather than using the phrase “You must get the CEO’s permission before borrowing a laptop,” you could say “Laptops are available for borrowing with the permission of the CEO.”

“If you sound like a parent yelling at your kids, you’re going to get the same results parents get when they yell at their kids,” Eisen says.

I think Eisen’s advice about respectful language is spot on – and rarely heeded.

Enforcing acceptable use policies often falls to security employees who are not well suited to the task. The security team has the subject matter expertise to determine what constitutes an infraction and the risk level of that infraction (from minor to major offense). Eisen says that disciplinary action should come from HR, which already has processes in place for such matters. HR personnel should have both security and privacy awareness training.

If you are too small to have an HR department, figure out a logical candidate for AUP enforcement and make sure they have security training.

Make rules easy for users to follow and institute Gartner’s PIPE (practices, influences, platforms, and enablers) framework. Shift from awareness to behavior and culture. Part of that involves using “cyber judgment,” a term coined by Gartner, which helps users make informed decisions about risk in the absence of security or risk management leaders.

Make it easy to follow rules. Don’t make employees change passwords monthly. Most employers now have passwords changed every 90 or 120 days, and NIST SP 800-63B goes further: it advises against forcing periodic changes at all, recommending a change only when there is evidence of compromise, because frequent rotation pushes people toward predictable variations of the old password. Some are dropping passwords altogether. Going passwordless is now a trend, with other forms of authentication (hardware security keys, platform authenticators such as Windows Hello, and similar) taking its place.

If “passwordless” is still a mystery to you, check out https://www.microsoft.com/en-us/security/business/solutions/passwordless-authentication.
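On Linux the control behind the password-rotation advice above is the maximum-age field of /etc/shadow (what `chage -M` sets; 99999 is the conventional “never expires” value). The audit below is an added example written for this post, not code from the CSO Online article, Gartner, or Microsoft: it parses shadow-format lines, treats locked accounts (hash beginning with `!` or `*`) as out of scope, flags accounts still subject to rotation of 31 days or less, and produces the `chage` command that removes the forced expiry. The shadow entries and the 31-day threshold are constructed assumptions, not data from any real host.

```python
"""Audit forced password rotation in /etc/shadow-format data.

Added example for this post (not from the CSO Online article or Gartner).
On Linux the per-account maximum password age is field 5 of /etc/shadow,
set with `chage -M`; 99999 is the conventional "never expires" value.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data, not a real host's shadow file.
# Fields: user:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$salt$hashA:19700:0:99999:7:::
alice:$6$salt$hashB:19700:1:30:7:::
bob:$6$salt$hashC:19700:0:90:14:::
carol:$6$salt$hashD:19700:0:120:14:::
svc_backup:*:19700:0:99999:7:::
dave:!$6$salt$hashE:19700:0:30:7:::
"""

# Assumed threshold: anything at or below this counts as "monthly" rotation.
MONTHLY_LIMIT_DAYS = 31
NO_EXPIRY_DAYS = 99999


@dataclass
class RotationFinding:
    user: str
    max_days: Optional[int]   # None when field 5 is blank (no expiry)
    locked: bool              # hash starts with '!' or '*': no password login
    verdict: str


def classify(max_days: Optional[int], locked: bool) -> str:
    """Map an account's rotation setting to a short verdict string."""
    if locked:
        return "locked: not subject to password rotation"
    if max_days is None or max_days >= NO_EXPIRY_DAYS:
        return "no forced expiry"
    if max_days <= MONTHLY_LIMIT_DAYS:
        return f"monthly rotation ({max_days} days): burdensome, raise or remove"
    return f"periodic rotation every {max_days} days"


def parse_shadow(text: str) -> List[RotationFinding]:
    """Parse shadow-format lines into findings; skips blanks, comments, short rows."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue   # malformed row: real shadow entries have nine fields
        user, pw_hash, max_field = fields[0], fields[1], fields[4]
        locked = pw_hash.startswith(("!", "*"))
        max_days = int(max_field) if max_field.isdigit() else None
        findings.append(RotationFinding(user, max_days, locked,
                                        classify(max_days, locked)))
    return findings


def burdensome_accounts(text: str) -> List[str]:
    """Usernames that still face monthly (or shorter) forced rotation."""
    return [f.user for f in parse_shadow(text)
            if not f.locked and f.max_days is not None
            and f.max_days <= MONTHLY_LIMIT_DAYS]


def remediation(user: str) -> str:
    """The chage invocation that removes forced expiry for one account."""
    return f"chage -M {NO_EXPIRY_DAYS} {user}"


if __name__ == "__main__":
    for finding in parse_shadow(SAMPLE_SHADOW):
        print(f"{finding.user:12} {finding.verdict}")
    for user in burdensome_accounts(SAMPLE_SHADOW):
        print("remediate:", remediation(user))
```

Run it against a real host with `sudo cat /etc/shadow | python3 audit.py` after replacing the sample with stdin. Removing the expiry only makes sense alongside the compromise-driven reset the NIST guidance assumes: monitor for credential exposure and force a change then, rather than on a calendar.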

Finally, give your employees cybersecurity awareness training – teach them about the specific dangers of violating rules or making common mistakes – and build a culture of cybersecurity. You’ll never regret creating a culture that protects your data!

***********************

Ride the Lightning will return in January. Until then, I wish everyone joyous holidays and a very Happy New Year.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Email:
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson