Every company, regardless of size, should develop and maintain strong policies for critical data and sensitive client information. Companies need not only to protect their assets and reputation but also to discourage inappropriate or malicious behavior.
Establishing policies and procedures is one of the most effective and inexpensive ways of preventing cybercrime. However, many companies fail to put policies in place or to adhere to them. In its 2016 report, "Security Beyond the Traditional Perimeter," the Ponemon Institute revealed that 79 percent of the companies that responded to its survey had cybersecurity policies and procedures that were non-existent, partially deployed, or inconsistently deployed.
While these documents in and of themselves do not prevent cybercrime, they are an important step in the right direction. They help raise awareness and identify what needs to be done when cybercrime occurs.
Policy and procedure action items
Identifying the right information to put into a policy or procedure can be daunting, especially when the subject is unfamiliar and not directly related to your core business.
Here are fundamental elements that should be included in any good policy and procedure document:
1. Establish clear roles and responsibilities
A key to preventing serious cybersecurity incidents is a policy that clearly defines individual roles and responsibilities with respect to systems and the information they contain, granting each role only the access it needs to do its job. This includes the following:
- The necessary roles and the rights and limitations according to each role
- The employees or type of employee who should be allowed to assume each role
- If an employee holds multiple roles, the circumstances that define when to adopt one role over the other
There may also be a need to create a separate policy to govern responsibility for certain types of data, such as Personally Identifiable Information (PII) and credit card information.
2. Establish an employee internet usage policy
This policy should outline limits on employee internet usage in the workplace. The specifics can vary widely from business to business; however, the guidelines should spell out the degree of freedom employees have to surf the web or perform personal tasks. These rules are necessary to ensure that employees are aware of the boundaries that keep both them and your business safe and successful.
Some things to consider when developing this policy:
- Limiting surfing to a reasonable amount of time and to certain types of activities
- If web monitoring is in use, employees should have a clear understanding of how and why their activities are being monitored. This helps to gain acceptance and raises awareness of what sites are considered out of bounds by the policy.
- Rules and guidelines need to be clear, succinct, and easy to follow. Employees should feel at ease when performing both job-related and personal tasks without having to ask or make a judgment call regarding what’s appropriate.
3. Establish a social media policy
Social media sites and applications present risks that can be difficult to address, especially when your company uses them to promote the business and communicate with customers.
Your social media policy, at a minimum, should include the following:
- Specific guidelines on disclosure of company information that could create risk for the company
- Guidance for acceptable customer communication. This includes replies to inquiries, responding to posts, or participating in discussion topics.
- Guidance on using a company email address to register or get notifications from social media sites
- Guidance on using strong, unique passwords, since few sites enforce strong authentication policies for users. This should include rules against reusing passwords between sites, and on enabling multi-factor authentication where the site offers it.
- Guidance on mobile device use
All users of social media need to be aware of the risks associated with its use and the nature of data that can be disclosed online when using social media. Taking the time to educate your employees on the possible dangers of social media use is one of the most effective tools in keeping your business safe.
4. Establish clearly defined procedures for handling events
In the event that a cybercrime or policy violation occurs, clear and concise procedures for handling each type of occurrence are critical to contain the threat, limit damage to your business, and subsequently recover from it.
This procedure should include the following information:
- Establish a recovery team. This team has the authority and resources to directly address a cybersecurity incident, and its members and contact details should be named in the procedure.
- Specific recovery activities including system recovery, application restoration details, or methods to activate alternate means of keeping your business going
- Specific disciplinary actions that may be taken when employee violations occur
- Specific details on when legal action is to be taken
Clear and easy-to-understand policy and procedure documents can be a great tool in protecting your business, employees, and customers. They should also be living documents, regularly reviewed and updated to address the growth of your company, evolving threats, and changes in your infrastructure. Finally, they should be regularly shared with your employees, to gain buy-in and understanding of their specific role in keeping your business successful.