As more and more people across an entire organisation become targets for cybercrime, the need to create a culture of security embedded into every business is paramount. However, it is more complex than it seems and takes some exemplary management skills. It starts with a solid security policy yet, currently, only half of the respondents in our Risk:Value research had a full information security policy in place, and this percentage fell along with company size.

An effective cybersecurity policy is more than simply a bundle of arbitrary controls. A skilled team will analyse what digital assets need protection and what the impact would be to the company in the event it is compromised.

Those creating the policy must also identify the most common and likely threats to that data. These may vary by the type of organisation, and by its activities. Retailers tend to worry more about organised cyber criminals targeting their customers’ financial data, with POS systems – often unpatched – a primary intrusion gateway for retailers. Meanwhile, financial services and public sector organisations are more likely to be hit by malware attacks, according to the 2015 Global Threat Intelligence Report.

Once executives understand what must be protected, they can then identify other data points that will help them to create an effective policy. They can identify likely intrusion points that attackers could use, and map them against weak points that they uncover in their systems. Intruders frequently use email and web browsers as gateways into their systems, but some companies with a strong prevalence of mobile users and remote workers may also find those to be soft targets.

Managers can customise their security policies to focus on such weak points, but most of them will cover catch-all areas such as data encryption, mobile working, clean desk practices and acceptable usage. They should be signed off by a senior executive to show management support, but that isn’t enough.

Executives must be realistic about their organisations’ ability to execute these policies. All too often, a security policy ends up as a dead document, handed out during employee induction and then squirreled away in a drawer and followed by very few people. This is where effective communication comes in, and it is critical for any policy to be endorsed and followed.

Look out for part 2, which will explore the importance of communicating policies in order to successful create an appetite for cybersecurity risk in the organisation.