Process, policies and procedures. Three words that often induce stifled yawns. But when it comes to cyber security you really need to be fully awake to stay ahead of any potential company breach. Having a well communicated plan in place (as boring as that sounds!) is fundamental.
Writing a policy can seem daunting but it doesn’t have to be. Often the simplest processes and procedures are the quickest adopted and by default, most successful.
I don’t need a cyber security policy, do I?
In short, only if you want to be able to protect your company’s data, assets, people and reputation. It doesn’t matter if you are a small company with a handful of employees or work for a multi-national organisation, your data is valuable and cyber criminals don’t discriminate. We all play a key role in protecting our company from cyber-attacks and communicating this responsibility throughout the business, no matter the size, can be done simply by formalising a cyber security policy.
Who should adhere to the policy?
I cannot overemphasise this point. Having a positive cyber security culture requires EVERYONE to be on board, and that includes senior management. We so often hear about management ignoring security policies or asking for an exception to be made so they can bypass a process. Adopting a ‘do as I say, not as I do’ strategy rarely ends well. Only leading by example will result in everyone else taking security seriously.
What should be included in a policy?
While larger organisations will have a lengthy and comprehensive policy, for smaller businesses, a cyber security policy can be just a few pages that cover basic safety practices and prioritise the areas of importance.
A cyber security policy can mean different things for different organisations, but in general all should address the following:
Acceptable use policy (AUP)
Do you have a clear policy for email usage? For example, email should only be used for work purposes, you should not use your work email to sign up for non-work accounts, you cannot auto-forward emails to third-party providers.
What about internet usage? Common access is for work-related activity and approved personal use. How do you define personal use? Is it OK for staff to visit the BBC website, but not Amazon? It may seem strange to say, but you need to tell staff they can’t use it for fraudulent/criminal activity or accessing inappropriate websites. Remind staff that your company, or IT provider, keeps an audit log which is periodically reviewed.
Also address password requirements, handling sensitive data and social media use. All of these are important to protecting your business from a cyber-attack.
Access control policy
Use controls to limit access to only the necessary systems and data, ring-fencing particularly sensitive HR and financial information. Do you have a policy for on- and off-boarding members of staff? Are you deactivating accounts within acceptable timescales of someone leaving the company? You could be at risk if ex-employees are still able to log on using company credentials.
Bring your own device policy (BYOD)
Allowing employees to use personal devices can create weaknesses in network security. Do you know if they are connecting to unknown or private networks? When was the last time they ran software updates? Have they set up 2FA?
Remote access policy
How do you want your employees to access systems when they are away from the office? Do you have a private VPN connection? Do they know how to access it? Do they know not to use public Wi-Fi?
In addition to the above a robust cyber security policy will also include a data breach response and disaster recovery plan.
If you are reading this and thinking “we have these policies, but everyone ignores them”, then you need to ask yourself when they were last reviewed to make sure they are still fit for purpose. Technology and how we use it change all the time. Think back to how you did business in February 2020 and compare it to how you did business just a month later. Security only works if it is usable.
Even if you are not responsible for writing policies within your company, you can still raise the question regarding their use and effectiveness.
If you would like to know more about how to make your business more cyber-secure, then please drop me a line at firstname.lastname@example.org.