If you don’t think you need a good AUP…
A report released earlier this month by Atlas VPN did a deep dive on an Office of Management and Budget 2019 annual assessment of NASA cybersecurity. (The OMB assessment is an interesting read and can be found here: https://www.whitehouse.gov/wp-content/uploads/2020/05/2019-FISMARMAs.pdf)
It linked NASA’s 366% increase in Cybersecurity Incidents from 2018 to 2019 to a decrease in the budget dedicated to Cybersecurity. Most security practitioners are familiar with the sense of dread that accompanies budget reductions in Cybersecurity line items. There is certainly a correlation between a reduction in (or lack of!) Security and IT resourcing and an increase in security incidents, so this is hardly a surprising finding by the OMB. Digging a little deeper into the data, though, reveals that incidents caused by “Improper Usage” rose over 600% from the previous year. This, as we say in the business, is a whopper.
For the purposes of the report, “Improper Usage” entailed any violation of the Acceptable Use Policy (AUP). This included incidents like downloading non-approved software (like file-sharing apps!) and not securing personally assigned equipment. The non-approved software problem isn’t surprising either. It is always nipping at the heels of the IT and security groups at any technical or manufacturing company. Engineers and software developers often legitimately need permissions to run custom code or perform testing on legacy or unrecognized hardware. There are several technical solutions that allow real-time, supervised approval of temporary admin functions. If your Chief Engineer has lamented to you that restricting local admin will prevent the developers from doing their jobs, look into one of these. (Or call us, we can help!)
But let’s talk about that AUP. One might very well reason that simply reducing the coverage of the acceptable use policy will result in fewer security incidents involving “Improper Usage”. Security folk know, though, that you have to look at risks with an objective and open mind. Changing the reporting rules might reduce the number of incident reports, but it doesn’t stop (and in fact can encourage) the underlying behavior. That doesn’t mean we can’t be smart and develop a well-thought-out AUP coupled with infrastructure that is designed to help the employee avoid those dastardly security pitfalls. A good AUP should include specific guidance on allowable digital and physical behavior: don’t download that unapproved software to company assets, don’t leave your laptop unattended at that coffee shop, don’t binge-watch Tiger King while at work. A good AUP also avoids unrealistic requirements (even if they make sense from a security standpoint!). For instance, unless your company universally issues hotspot capability, restricting the use of unknown Wi-Fi networks, while not a bad idea, is probably not feasible. Employees will go to lunch, travel, and stay in hotels with that sweet, sweet free Wi-Fi. An AUP that unrealistically restricts something that is almost unavoidable like this is simply inviting noncompliance. In situations like that, where technical solutions are available, it is incumbent on the IT and security teams to identify and implement a solution that safeguards the employee. (There are a number of VPN solutions that capably address this issue. Again, call us, we can help!)
Once you have a workable AUP, you can’t stop there. Your end users should be regularly trained on the AUP. This training should include an explanation of the consequences of violating the AUP, along with a legally sufficient acknowledgement by the employee (contractors too!) that they will abide by the AUP.
Lastly, you need to regularly review your AUP in conjunction with the end user. Get out of that office and talk to your customer, the end user! Friction points are critical information for Security and IT folk. Identifying them helps proactively identify and prevent violations in areas where either the employee cannot perform their duties while complying (like the engineers above) or the AUP no longer makes sense in the context of your company’s operating processes.
Each company’s AUP will be a unique and living document. Boilerplate or generic AUPs rarely work as a long-term solution. Recall, the reason for an AUP (along with the underlying policy, procedure, and standards library) is to provide the foundation of a mature Security and IT function. It’s not rocket science (see what I did there?), but generating a useful AUP, let alone a complete policy library, can be daunting. We can help. Give us a call.