I see this all the time. Executives say “we do not restrict our users from going to inappropriate web sites” or “we do not force our employees to change passwords—some have had the same password for 10 years.”
Executives at companies that have never experienced a breach are the ones who feel they cannot enforce their policies.
After a breach or a lawsuit, I see the executive iron fist slam down and things start happening like:
- Requiring employees to sign an acceptable use policy that commits them to safe data practices.
- Security awareness training for employees.
- Technical controls such as web site filtering, data loss prevention, and endpoint configurations that enforce the rules by restricting unauthorized behavior as much as possible.
Isn’t it sad that many companies have to go through the “bad thing happening” before they take action?