Best Practices for Finding and Closing Policy Gaps
A few years ago, one of our clients experienced a security incident. An employee took a photo at work and posted it online, revealing intellectual property on the open internet. As dire as that sounds, the damage was unintentional: a group of employees at a social event took a selfie that happened to capture a project they were working on in the background.
In this case, the situation was resolved quickly and without further trouble. Someone at the company saw the photo and had it taken off social media. No one in the photo got in trouble. They hadn’t meant to post proprietary information and, as it turned out, even if they had acted maliciously, they wouldn’t have violated company policy: the organization’s communication policy was so old it didn’t cover smartphones, social media, or selfies at work.
That’s a common problem when policies aren’t reviewed regularly; technology changes before the policy is updated.
Why should companies keep policy updated?
Policy can cover anything: from employee travel to background checks to emergency plans and procedures. When policies are put in place, they’re usually written, reviewed, and approved by a committee, but unless a review process is put in place, those policies can be forgotten and fall out of use, or they may not keep up with the times.
For example, information security policies from only a few years ago may not cover AI, creating significant holes in your security posture.
Best practices for updating company policy
The unfortunate truth is that if you’re not keeping your policies updated, you’re not being proactive about security. There are, however, several steps you can take to ensure every policy is reviewed and updated regularly without turning updates into a daunting task.
Review every policy annually. Make a list of all company policies and create a monthly schedule. Every month, review a handful of policies. This way, all your policies are reviewed annually, but you’re not trying to review every single policy at once.
Be sure that each policy is clearly stamped with a creation date and revision dates. This will help you keep track of changes.
Don’t simply focus on compliance. Compliance-focused companies tend to be reactive. You want to review every policy you have and also examine any area that might require new policies, such as a policy dealing with agentic AI. Policy review can help your organization be proactive about foreseeable risk.
Make sure your employees can find your policies. Policies should be accessible to everyone in your organization. Make sure everyone in your company knows how to find yours, and knows if major changes have been made to a policy. A good way to keep track of all policies is to list them in a database that controls version history. Security risk assessment software can act as an inventory of all your policies and intangible assets, so that you can see at a glance what your policies are and when they were last updated.
Test your employees on competency. Sometimes it’s not enough to have a policy. Sometimes it’s important to make sure that your employees know the policy by testing them. This is particularly vital if you’re testing employees on compliance issues, or on a security issue, like cyber hygiene. Choose a training that’s engaging, aligns with your policies, and is administered often, rather than once in a long while.
How damaging can an outdated policy really be?
An outdated policy might not seem harmful, but it can be, and the damage is entirely preventable. The key is to treat policy as a living part of your risk program.
Keeping policies current, accessible, and understood turns them from dusty documents into practical tools that reduce real-world risk. It helps close the gap between how work is supposed to happen and how it actually happens today: on smartphones, on social platforms, and increasingly alongside AI.
Circadian Risk helps organizations do exactly that. Our platform gives you a clear inventory of your policies, visibility into when they were last reviewed, and insight into where gaps may exist as technology and threats evolve. Combined with training and testing that reinforces policy in practice, not just on paper, Circadian Risk helps you move from reactive compliance to proactive security.
If your policies haven’t kept up with how your people work, now is the moment to change that.
Let Circadian Risk help you turn policy into a living defense rather than a forgotten file.
