Technological defences and staff training are two of the most frequently touted security measures for preventing data breaches, but their effectiveness is dependent on the way organisations implement them.
This is a lesson organisations must learn quickly amid the COVID-19 pandemic, with a series of new information security risks surrounding their new, temporary work set-ups.
Many employees are being asked to work from home, including some who are using their personal devices.
Meanwhile, many organisations are already seeing depleted workforces due to illness or furloughs.
That means the remaining staff have to pick up the slack – and with IT teams having less oversight over the now-dispersed organisational infrastructure, there is less they can do to prevent the mounting threat of security breaches.
So how can you stay on top of these requirements during this turbulent time? The answer is to create or update an cyber security policy.
What is a cyber security policy?
A cyber security policy outlines an organisation’s cyber security defence strategy. Specifically, it explains the assets that must be protected, the threats to those assets and the security controls that have been implemented to tackle them.
It’s only by documenting these that you can be sure that your organisation is approaching cyber security comprehensively and efficiently.
What a cyber security policy should include
All cyber security policies should include information on:
- Which controls the organisation has implemented and the threats they address. For example, endpoints should be protected with antivirus software and firewalls
- How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organisations should regularly update browser, operating system and other Internet-facing applications
- How data will be backed up. For example, organisations might choose to automatically back up their data to an encrypted Cloud server with multi-factor authentication
Cyber security policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents and which users have admin rights.
Employees and your cyber security policy
No matter how resilient your cyber security strategy is, you must always account for employees’ susceptibility to mistakes.
This might be the result of carelessness – such as misplacing files – or the result of targeted attacks from crooks. Phishing is one of the most common tactics in cyber crime because it circumvents many of the measures that organisations adopt to protect their organisation, instead going directly at employees.
Those who are unable to spot the signs of a malicious email will expose their sensitive information or leave the organisation open to catastrophic damage, such as a ransomware infection.
A cyber security policy will mitigate these risks, explaining to employees how they can protect confidential data in various scenarios.
It should also address what happens when an employee doesn’t follow protocol. The specific actions will depend on the circumstances, but in most cases you’ll discipline, or possibly even fire, some for deliberately flouting the rules.
However, as cyber security expert William H. Saito notes, you should be more cautious if the breach was an honest mistake:
Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation.
It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.
Employers should also take some responsibility when an employee makes a mistake.
In most cases, insider error isn’t simply an isolated incident but a sign that the organisation’s staff awareness training isn’t working properly – whether that’s because the course content isn’t adequate or that sessions aren’t being performed regularly enough.
Part of your response to a security incident should be to review all of your defence measures, which includes your cyber security policy, training programmes and technologies.
Creating a cyber security policy
The content of your policy will depend on specific issues that you’ve identified when performing a risk assessment. That said, there are some universal issues that every organisation should account for, such as:
- Software updates
Software providers regularly release patches to fix identified vulnerabilities. Once the update is announced, the vulnerability is made public – which means cyber criminals can look to exploit it.
That’s why organisations must have a patch policy in place to ensure updates are applied as soon as they are released.
- Acceptable Internet use
Employees should be given a degree of leeway when it comes to accessing non-work-related content on company devices; after all, everyone is entitled to breaks.
However, organisations should be careful about just how much freedom they’re afforded. Untrustworthy sites, especially those that encourage users to download content, can be used to infect the device with malware.
- Remote access
Remote working has become a standard part of modern business, thanks to the growing popularity of working from home and on the road.
Unfortunately, public Wi-Fi and employees’ home connections are less secure than your internal network, because it’s not subject to the rigorous defences you’ve implemented, such as firewalls.
Likewise, unlike your internal network, there’s no guarantee that only your employees have access.
As such, you should establish controls that prevent remote workers from accessing sensitive company information. This reduces the damage in the event that an employees’ account is compromised.
- Creating strong passwords
Weak passwords are one of the biggest security problems that organisations face. Even though most employees are aware of the importance of strong login credentials, too many of them don’t think beyond obvious phrases such as ‘123456’ and ‘qwerty’.
Your cyber security policy should urge staff to create stronger passwords by outlining rules.
There are several schools of thought on what makes a strong password, the most common of which is that credentials should contain a combination of at least eight upper- and lowercase letters, numbers and special characters.
The problem with this method is that the result can be hard to remember. “Did I replace the ‘o’ with a ‘0’ or the ‘l’ with a ‘1’?”, for example.
One way around this is to make your password a code; a popular technique is to use the first letter from a sentence that uses each of those characters. For instance, “My first son was born in July ’01” becomes “MfswbiJ’01”.
You can also use the length of your password to your advantage; every additional character you add is one that a cyber criminal has to guess.
As such, three random words – with no special characters or numbers – is often more secure than a complex cipher such as the example above.
Your policy doesn’t need to specify one approach over another; some employees will be more comfortable with one approach and others with an alternative.
The important thing is that staff break out of the habit of simple passwords that can be cracked instantly.
Does your policy account for your new work environment?
The most significant change in the way organisations are operating during the COVID-19 pandemic is the number of employees working from home.
Remote workers face a wide variety of challenges – particularly when there aren’t people still in the office who can pick up tasks that would require the security benefits that come with working on the premises.
Our Remote Working Policy Template provides essential documentation on the issues you must address to protect you and your staff during the pandemic.
With this cyber security policy template, you can ensure that employees understand their responsibilities while working from home and take appropriate steps to keep their devices secure.
It includes guidance on topics such as password management, backups, the use of unauthorised software and device maintenance.
A version of this blog was originally published on 3 January 2018.