What should our policy look like, and where do we start?
Most of the companies we interview each week do not realize the importance of having a solid set of policies to protect their business. We find that most rely on the company handbook alone to protect them from, for example, unwanted internet surfing. I would say 99% of the time, when we ask, "Do you have an acceptable use policy or a DR (disaster recovery) policy?", the answer is "Ummmmmmm, no." We are here to say you should, and why! Policies set the standard for every employee's cyber hygiene and, when you think about it, increase productivity.
Operationally, businesses should expect disruptions in their day-to-day work. But what if you could guide all employees to protect company data and client information by setting the tone for what is allowed and what is best practice? If you have a policy that people understand, covering when and what to do about cyber incidents, it's a WIN/WIN. Employees should also be trained on a regular basis so they know what to look for.
Acceptable use policies help define what your company will allow. Are you OK with online shopping, Facebook, or TikTok during the workday? Other policies should also cover, but not be limited to, what employees do if they receive a suspicious email. If you never define your password policy, they may still have the same password from 3 years ago. What is the harm in keeping the same password, you may ask? Well, is your Netflix password the same as your email password? What could go wrong with the three people you shared that account with? Data storage policies are also essential. What is allowed to be copied and stored on flash drives, external hard drives, and laptops? You also have to consider external cloud storage such as Dropbox, Box, ShareFile, and others. What do you allow, and do you fall under other compliance requirements that would not allow this, such as CMMC?
Today's landscape has changed; look at how many people you know who now work from home part-time or full-time. This shift has also changed the security risk. Companies need to define approved remote connections, remote access methods, and even where data may live. Other forms of data at home may now be on paper: what was just printed out for review, and how was it destroyed?
At the end of the day, the policy is not there to rip the fun out of an office but to set guidelines. Employee and customer data sit on almost every network. Preventing breaches, and keeping leaked information out of the wrong hands, starts with policy, training, and network security.
Customers trust that businesses will fully protect their personal information - many databases store credit card numbers and addresses, family information, birthdays, and more. Chances are, by the time a business realizes it has had a breach, months of data have already been compromised. All suspicious activity should immediately be reported to your IT team for review. You may think, "I will call them tomorrow, it's 5:30 pm." DON'T. This needs to be checked out now, because the damage needs to be minimized. Again, this would be part of the policy: who to call, and the emergency contact phone numbers, for this exact reason.
To sum it up, policies are not the most complicated items out there. We recommend that you talk to your trusted expert about what is needed in your cyber policy. It needs to cover you and your clients so that everyone understands what is allowed and then how to follow it. After the policy comes execution: this needs to be trained and practiced daily. You can even configure specific policies, for example on your servers, to enforce password requirements and user lockouts. That simplifies things and removes some of the gray areas, such as how long my password needs to be, and whether I can use the same one three times in a row!
Utilizing policy will help combat threats such as hackers, downtime, data loss, breaches, and ransomware, just to name a few.
It could happen to you. Protect your business inside and out.