The Importance of having a Cyber Security Policy:
Riding a bike with your helmet on, looking left and right before crossing a busy road, not poking the beehive outside your bedroom window with a stick. These are some pretty bog standard decisions to make, right?
So why, in a digital world where almost 50% of UK business are affected by a cyber attack, do we still fail to implement a robust Cyber Security policy?
Laziness? Lack of Knowledge? Failing to modernise with change?
Cyber Security experts Malware Bytes highlight that it is essential for all companies to develop and maintain a clear and robust Cyber Security Policy in order to safeguard critical business data and sensitive information. This should be done in order to protect reputations and discourage inappropriate behavior by employees.
Many companies already have these types of policies in place. However, they may need to be tailored to reflect the increasingly high impact of cyber risks on everyday transactions, both professional and personal. As with any other business document, Cyber Security policies should follow good design and governance practices.
What should these look like?
Not too long so they are unusable and not too short so that they become vague and meaningless. Seems pretty simple? Additionally, it is also important to review these policies regularly to ensure that they stay pertinent as your business needs change.
Where do I start?
Getting started on picking your Cyber Security Policy is often the most difficult part of the whole process. We have included a few tips on some best practices in order to give you a head start!
Establish security roles and responsibilities:
One of the most effective and least expensive means of developing a robust Cyber Security policy is to establish clear guidelines of the separation of roles and responsibilities with regards to systems and the information which they contain. Many systems are designed to provide for strong role-based access control(TBAC). However, this tool is of little use without well-defined procedures and policies to govern the assignment of roles. At a minimum, such policies need to clearly identify company data ownership and employee roles for security oversights.
In addition to this, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business which handles large volumes of personal data from its customers could benefit from identifying a sole manager for customer’s private information.
Privacy is important for any business and their customers. Have a strong level of trust in relation to your business practices, products and secure handling of your clients’ unique information can strongly impact your profitability.
Establish an employee internet usage policy:
Cyber Security policy varies for every type of business, as does the limits on employees internet usage whilst at work.
Guidelines in relation to internet usage policy should allow employees the maximum degree of freedom they require in order to be productive. For example; short breaks to surf the web or perform online tasks have been shown to increase productivity. Alongside this, rules of behavior are necessary to ensure that employees are aware of boundaries- thus keeping both themselves and the company safe.
- Personal breaks to surf the web should be limited to a reasonable amount of time and activities.
- If you use a web filtering system, employees should have a clear knowledge of why their web activities will be monitored. Furthermore, It should also be made clear what type of sites are deemed unacceptable by your policy.
- Workplace rules of behavior should be clear, concise and easy to follow. Employees should feel comfortable using the internet without making judgment calls as to what may be appropriate.
Establish a Social Media policy:
Social media presents a number of risks that can be difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networks to promote its activities online.
At a minimum, a social media policy should cover the following areas;
- Specific guidance on when to disclose company activities and what kind of details can be discussed in public forums.
- Additional rules of behavior for employees using personal social networking accounts. This should make clear what kind of posts could cause risk to the company
- Guidance on the acceptability of using a company email address to register for social media sites
- Guidance on selecting strong passwords for social networking accounts
All users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online. Taking time to educate your employees on the potential pitfalls of social media use may be the most beneficial tool.
Identify potential reputation risks:
All organisations should take the time to identify potential risks to their reputations and develop a strategy to mitigate them.
Specific types of reputational risks may include:
- Being impersonated by a criminal organisation
- Having sensitive company or customer information leaked to the public via the web
- Having inappropriate employee actions made public via the web or social media sites
Should everyone have a Cyber Security policy in place?
The simple answer is yes!
All business should set up a policy for managing these types of risks and plan how to address such incidents. A Cyber Security policy should cover a regular process for identifying potential risks to the companies reputation in cyberspace and practical measures to prevent those risks from materialising.
Consequently. If they do materialise, plans must be in place to respond and recover from incidents as soon as possible.