Stop a minute and think about your business
You probably have an employee handbook that details the policies within your organization, ranging from PTO and emergency situations to dress code and company vehicle policies.
But do you have a cybersecurity policy? If not, you need one. You may be thinking to yourself, “A cybersecurity policy? Why do I need that?” Your business needs a cybersecurity policy because hacking and unauthorized access to your business information are real and prevalent threats. Such threats can be initiated through social engineering attacks, which include phishing, spear phishing, and business email compromise (BEC). And your employees are the most likely targets.
In fact, 60% of businesses in a survey conducted by HelpNet Security said they were or may have been attacked by social engineering in the past year. Of those businesses, 65% had employees whose credentials were compromised because of the attack.
With access to employee credentials, hackers can reach sensitive information such as financials and HR records. Additionally, hackers can use that access to launch further social engineering attacks, going after your business partners, family members, and customers. A leak of this kind of information can wreak havoc on an organization.
Take the necessary steps to mitigate such threats and to be prepared for such an attack by putting an up-to-date cybersecurity policy in place.
The steps can be broken into six sections:
- Get support from senior management
- Research and write your policy
- Receive support from colleagues
- Develop monitoring for the effectiveness of your policy
- Implement the policy organization-wide
- Identify current areas of compliance and prioritize areas of work
So, what can you expect with each step in the process?
Step 1 – Get support from senior management
Since most, if not all, business decisions are approved by those at the top of an organization, this is where your business needs to start taking its first steps toward a cybersecurity policy.
Getting senior management buy-in is crucial, especially since developing a cybersecurity policy will cost the company time, resources, and money. In addition, if senior management is on board, implementing the new policy organization-wide will be much easier.
Step 2 – Research and write your policy
Since no two companies are exactly alike, why should your cybersecurity policy be? It can be easy to go online and download a policy. But will the policy for Company A in the financial sector accurately cover all of your cyber bases if you’re in the healthcare sector? Probably not.
Do your due diligence and research what exactly you want in your policy. This can include scope, goals of the policy, attack response protocol, and the overall purpose. Find what works for your organization and build your policy to accommodate that.
Step 3 – Receive support from colleagues
Policy adoption isn’t something that can be taken on by only a few people. It needs to be supported by everyone, and actively at that.
What does this mean? Everyone, no matter their role within your organization, needs to understand how they contribute to security within the company. This includes understanding the risks, supporting the policy, and actively staying aware of the current cybersecurity risks the business faces.
Once everyone is on board, implementation will be much easier.
Step 4 – Develop monitoring for the effectiveness of your policy
Once your policy goes into effect, how do you know if it’s working? Monitoring, of course!
Set up your monitoring to measure the effectiveness of your security policy. Monitoring can take the form of firewalls, network hosting, and file systems that track what’s going on within your networks and apps, or even just walking around your office and identifying places where a network could be accessed too easily.
Since each department has a different role within the organization, defining the monitoring roles for each department lets each department take ownership of its part.
Step 5 – Implement the policy organization-wide
Implementation, if possible, shouldn’t be rolled out gradually. The policy should apply to the entire organization, leaving no department behind. Set a date, stick to it, and roll the policy out at that time.
There will be hiccups, which are to be expected. Communicate this fact prior to implementation and make sure you have the support in place to remedy them.
Step 6 – Identify current areas of compliance and prioritize areas of work
Your policy is in place, now what? Take a look at all of your policy measures and, based on either third-party data or your IT department’s findings, develop benchmarks your cybersecurity policy should be meeting. Is the policy meeting these benchmarks? If it is, great! Keep doing what you’re doing. If not, identify the areas you need to strengthen and make the necessary changes so you can be cyber secure.
Policies take a long time to develop and, once developed, should be periodically reviewed and updated. From the idea stage to the rollout, the process doesn’t happen overnight. So be patient, ask questions, and keep plugging away.
After all, your business will thank you in the long run.
Ready to start writing? Here are a few tips for developing your policy documentation.
- Write your policy in clear, concise, simple language. This is no place for technical jargon. The policy should be simple enough to be understood by a new employee.
- Make the policy readily available to those who need it.
- Update the policy regularly and review it annually.
- Track or comment on policy changes.
- Don’t include information that may be quickly outdated, like names.
- If you use an acronym, spell it out the first time you use it.
- Structure the presentation so that the reader can quickly focus on the aspect of the policy or procedure relevant to the decision or task at hand.
- Use a flexible, modular outline to make the document easy to modify, and therefore easy to keep up to date.
- Use labels to introduce key points.
- Assign policy and procedure owners.