Introduction
The team confirms that information security policies are good. Wireless networks are secure, endpoints are protected, and access rights are documented. But then it happens…
Fraudulent activity is identified across customer accounts. Then the calls come. Many customers are impacted. Forensics teams are involved. A data breach is traced to an insecure wireless access point. Attackers have been sitting in a car park, casually connecting to the wireless network for months, accessing customer records and extracting data at their leisure.
This introduction is based on an event that has happened. The TJX Group (parent of TK Maxx), suffered a huge data breach, exposing over 45 million records and costing billions in damages. In this article, we focus on the theme of policy – we reference a case study, provide general guidance, and recommendations.
What is Policy?
Policy is about having rules to protect and secure an organisation based on risk. It helps embed security into daily operations, support staff behaviour, and verify that controls are working as intended. By turning policy into practice, organisations can strengthen accountability, reduce human error, and build a culture of compliance.
Relatable Case Study
- Organisation: TJX Companies Inc. (parent company of TK Maxx)
- Incident: Between 2005 and 2007, attackers exploited weak encryption on a wireless network. Using a laptop and antenna, they intercepted data between handheld devices and store systems, gaining access to central databases. Over 45 million customer records were stolen, including credit and debit card details.
- Financial Implications: Estimates vary, with $100 per customer record being an average figure
- How it Links to the theme of policy:
- Mandate data protection and encryption – policies can be used to avoid the use of outdated solutions and technology
- Promotes security awareness – effective policy requires regular cybersecurity training, awareness ,and reporting
- Defines roles and responsibilities – policy can help define roles, escalation paths and communication protocols
- Source: https://www.bbc.co.uk/news/1/hi/business/6508983.stm
General Guidance
- Clear, tailored security policies can be created based on organisational risk and needs
- Policies should be easy to read and understandable
- A single document can be appropriate – depending upon organisational size, complexity and security maturity
- Policy review, approval and ongoing maintenance are all key steps in effective cyber security
- Policies must be read and understood
Recommended Actions
- Keep it simple and secure
- Use a risk assessment and your risk appetite to help drive the requirements for your organisation
- Create clear and appropriate policies – right-sized for your organisation
- Establish a formal review and approval process – validate relevance and effectiveness
- Commit to continuous improvement
- Seek guidance and support from an IASME Certification Body and Certified Information System Security Professional (CISSP) – such as RB Consultancy Ltd
How We Help
At RB Consultancy Ltd, we support organisations by:
- Providing templates, guidance, and experience to support
- Explaining what security measures are available and how they can help
- Collaborating to implement controls to support the requirements
- Assessing and issuing certifications – such as Cyber Essentials and Cyber Assurance
- Contact us for consultancy and certification support
Conclusion
Policies can help set the rules. Effective cyber resilience relates to policies being understood, enforced, and embedded into day-to-day activity. The TK Maxx case study helps demonstrate how effective policy can help avoid major security incidents.
By creating right-sized policies with regular reviews and updates, proactive security measures can be implemented, and continuous improvements can be made. Having an effective security policy is not about ticking boxes; it’s about creating a culture where security is understood and appropriate security measures demonstrated.
RB Consultancy Ltd helps organisations understand the importance of policy – we support the implementation of appropriate measures to help build cyber resilience. We are an IASME Certification Body and NCSC Assured Service Provider that provides services to empower and protect organisations. Holding CISSP and ISO 27001 lead implementer certification, you can Contact Us for assistance with cyber security resilience.
This blog is written by Remo Belisari, Managing Director of RB Consultancy Ltd. He is an experienced cyber security professional and cyber advisor. Remo holds certifications in CISSP, ISSAP, ISO 27001, Cyber Essentials, and IASME Cyber Assurance. He has many years of experience in IT and cybersecurity. He has supported organisations worldwide. His work includes helping a Fortune 500 company in the USA and over 100 organisations across the UK. The views in this blog are his own. They do not necessarily reflect the views of RB Consultancy Ltd, its clients, partners, or affiliates. The content is for general information only.