Often is the simple answer. The cyber security threat landscape is constantly changing, and policies and procedures need to be updated on a regular basis to address these changes. The workplace is also constantly evolving. At the start of 2020, who would have thought that a global pandemic would force most corporate offices to close and resume business with a remote workforce?
This is the change that COVID-19 brought with it for many businesses. The threat landscape changed as well, as hackers were busy crafting scams to mimic announcements coming from the World Health Organization (WHO). So, not only did the attack surface change, but some of the methods employed to attack have also changed. Did your organization's cyber security policy also pivot to accommodate these changes?
The danger of not updating your cyber security policy is that it can leave you vulnerable to attacks and potentially put you out of compliance with government and industry standards. According to Infosec Institute, you should be reviewing your policies at least once a year. Additionally, any of the following reasons should trigger a policy review:
- New branches or offices are opened
- New enterprise applications, network devices or services are added or updated
- New products or services are added, especially in cloud-based industries
- Systems are retired or decommissioned
- Changes are made to when or how employees work, such as offering a “bring your own device” mobile phone or computer policy, changing core work hours or offering employees the ability to work remotely
- Services or operations are outsourced