How to develop a robust cyber security policy

The number of data breaches over the past few years shows just how many organisations are struggling to address the rapid rise in cyber crime. Investing in new technologies and finding qualified staff will certainly help prevent breaches, but both of these measures hinge on the effectiveness of an organisation’s cyber security policy.

Policies dictate how an organisation approaches security – from the infrastructural measures it puts in place to its employees’ data protection responsibilities.

Cyber security infrastructure

An organisation’s systems and infrastructure “tell IT and other administrative staff how [to] protect the company’s data (which controls will be used) and who will be responsible for protecting it,” writes software company Malwarebytes. It adds that all cyber security policies should include information on:

  • Which security programmes will be implemented. For example, in a layered security environment, endpoints should be protected with antivirus software and firewalls
  • How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organisations should regularly update browser, operating system and other Internet-facing applications
  • How data will be backed up. For example, organisations might choose to automatically back up their data to an encrypted Cloud server with multi-factor authentication

Cyber security policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents and which users have admin rights.

Employees and your cyber security policy

No matter how prepared an organisation thinks it is, its employees will always be a wildcard. People’s susceptibility to phishing scams, their propensity to expose data, their inability to create safe passwords and other similar weaknesses mean that organisations must help employees follow best practice as much as possible.

“Your cybersecurity policy should clearly communicate best practices for users in order to limit the potential for attacks and ameliorate damage,” advises Malwarebytes.

“They should also allow employees the appropriate degree of freedom they need to be productive. Banning all Internet and social media usage, for example, would certainly help keep your company safe from online attacks but would (obviously) be counterproductive.”

Malwarebytes recommends that organisations have policies addressing:

  • How to spot social engineering threats, such as phishing
  • Acceptable Internet use
  • How remote workers should access the network
  • Requirements for secure passwords
  • How to report security incidents

Organisations should also address what happens when an employee doesn’t follow protocol. If the employee deliberately flouted the rules, the organisation should discipline or fire them, but it’s important not to punish someone for inadvertently failing to comply. As cyber security expert William H. Saito writes:

“Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation. It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.”

If an employee is unaware of their cyber security requirements, it indicates that the organisation hasn’t done a good enough job training its staff. Organisations should therefore conduct a training programme or review the effectiveness of their existing programme.

Get help creating your cyber security policy

If you don’t know where to begin when creating a cyber security policy, you should take a look at our ISO 27001 ISMS Documentation Toolkit.

This toolkit provides templates for all the documents you need to comply with ISO 27001, including policies, procedures, work instructions, and records.

Take a free trial of our ISO 27001 ISMS Documentation Toolkit >>