Cyber security is a top concern for everyone in the company, not just the IT department and executives. Everybody plays a role in keeping the company’s IT system safe. One way to do that is to educate employees, board members, executives, partners, consultants, and other entities with access to your online systems through a cyber security policy that will lay out their obligations and what they should do in case of a security emergency.
A company's cyber security policy should establish the standards for any technological business activities from passwords to email behaviours.
A cyber security policy usually starts with an introduction where it highlights the context of the whole document, reasons why the company developed the policy and for what purpose.
Then, followed by terminologies and definitions that outline some vocabularies used in the policy that might be too technical to a non-IT reader.
Next, it should provide a series of common cyber incidents and the initial responses if they encounter them.
The fourth part of the policy should describe the roles and responsibilities of the individuals involved in managing cyber incidents.
Lastly, it should outline the general security guidelines that everyone in the company should implement to reduce cyber risks and incidents.
In this article, we’ll only cover the security guidelines that should be included when you create your policy. Of course, you can always add custom guidelines since every company is unique. We’ll include a cyber security policy template that will help you start your way to having a more secured IT.
Why your company needs a cyber security policy?
Cyber security policies are mainly for the sake of the employees. They are the weakest links when it comes to a company’s security. Without a cyber security policy in place, you’re putting your company at risk of cyberattacks and data breaches. Not having the appropriate policy against basic security mishaps will be costly to your business in terms of profit and reputation.
Cyber-attacks are increasing and becoming more vicious as you’re reading this article right now. As a brilliant decision-maker, know how essential it is to protect the integrity of your business, especially your confidential data. One way to do that is through an organised and concise cyber security policy.
Cyber security policies are essential for companies of any form, but they’re especially vital for businesses in industries like finance, healthcare, and legal. These companies handle critical customer data, and they’re liable to legal sanctions if their security is substandard.
Vital things to include in your cyber security policy
We’ve created a breakdown of everything you’ll need to include in the guidelines section of your cyber security policy. This list will only include the general frameworks and of course, feel free to add more guidelines that will fit your company’s operations.
Passwords help keep your accounts secured, but if passwords seem easy to remember, they’re probably easy to hack as well. By providing a password guideline in your cyber security policy, you can carry out good password practices that are beneficial to your company’s cyber security.
Your password guideline should include the following template:
- Password standards
- Passwords must contain at least eight characters
- All passwords must have upper and lower-case letters, symbols, and numbers
- Enable two-factor authentication to all your accounts
- Password security
- Don’t use the same passwords for every account
- Refrain from using office passwords to your accounts
- Use the provided password management tool to generate and keep all your passwords
- Don’t share your password manager credentials with other employees unless necessary
- Refrain from writing down your passwords. If you feel the need to write down credentials, destroy the paper immediately after
- Updating passwords
- We recommend updating passwords to all your corporate accounts yearly
- Use the same guidelines stated above when creating your new passwords
- Update your password manager with your new credentials
If your company gathers and processes sensitive client information, securing their data from unauthorised sharing and access should be your responsibility. By providing a data control guideline in your cyber security policy, you can guard the confidential information shared inside and outside your organisation.
Your data control guideline should include the following template:
- Refrain from sharing/transferring confidential data unless necessary
- If a data transfer is required, ask [Security Specialist’s name] for assistance
- Always use the company’s private network when sharing sensitive data
- Only share data with authorised people. Limit file access only to the necessary people
- Enable full-disk encryption before storing or sharing confidential data
- Keep physical storage devices in the office
- Outdated data should be deleted and run through a file-shredder tool
- Encrypt your physical and cloud backups to prevent any data leaks in case your backups are hacked
- Have more than one copy of your data. Follow the 3-2-1 backup strategy when synching your local data to the onsite and offsite backup
- Review the data access list from time to time. Apply the appropriate actions when there’s a need e.g., revoke access to employees who are no longer involved in a project
- Report suspicious emails or attempted cyber-attacks to [Security Specialist’s name] to investigate and resolve the issue immediately
- In the event of cyber incidents like scams, data breaches, or ransomware, report the occurrence immediately to [Security Specialist’s name]
- Always reach out to [Security Specialist’s name] for any questions or concerns regarding the handling/sharing of sensitive data
Your employees might put your company’s data at risk if they access company accounts using their devices such as computers, smartphones, or tablets. By providing a device control guideline in your cyber security policy, you can reduce the security risk to your data, whether accidental or intentional.
Your device guideline should include the following template:
- Refrain from accessing company accounts using personal devices. Bring your company-provided laptop if you need to work remotely
Theft or loss
- In case of device theft or loss, report the incident to your manager as soon as possible
- Set up passwords to your work devices
- Look after your work devices properly as if it’s your own. Don’t leave devices unattended in your vehicle or public places
- Make sure to lock devices if not in use
- Avoid inserting personal storage devices on your work computers such as USB Flash Drives, external hard drives, and hard disks. Unless necessary, scan all removable devices for viruses first
- Regularly run anti-virus and anti-malware scans to your device
- Keep the device up to date with the latest patches as soon as they’re available
- Shut down devices (not sleep) when you’re not in use
Scams and malware usually spread through emails. Many have fallen victims to phishing and ransomware worldwide. Companies need to be one step ahead of these cybercriminals to protect their data. By providing an email safety guideline in your cyber security policy, you can avoid malicious software and email scams.
Your email safety guideline should include the following template:
- Only share your work email address to people you trust
- Be wary of opening emails from contacts you don’t know
- Check if the sender’s name is consistent with their email
- Inspect the email’s domain if it is the company/vendor’s legitimate domain
Email Body and Attachments
- Be suspicious of attachments and links from the emails you receive. Especially if they’re from contacts you don’t know
- Always be on the lookout for inconsistencies, grammar mistakes, spammy messaging, and too good to be true promises
- Hover over hyperlinks to check the URL it’s liked to
- If you think an email is legit, you can always refer to [Security Specialist’s name] to confirm
- Enable anti-spam and anti-malware scanners to flag spam, scam, and junk emails
Cyber incident response
Having a cyber incident response plan is better than having none. Whether you have the best cyber security in place or not, there should always be a backup plan in case something hits your IT security. By providing an incident response guideline in your cyber security policy, you’ll know what to do in case of any cyber emergency and help mitigate the damage as much as possible.
Cyber incident responses vary depending on the type of incident and the staff roles involved. Sit down with your IT team to determine the appropriate actions to take and maintain business operations while dealing with a cyber disaster.
Yearly policy update
As technology changes, your company’s approach should also change with it. We’ve seen many companies have widely outdated cyber security policies due to the belief that it’s an established document that will serve its purpose for years to come.
Keep in mind that as technology evolves, so will cyber risks. Hackers are always trying new ways to effectively infiltrate their target’s IT in more ways than one. Thinking that you’re safe from the devastating drawbacks of cyberattacks puts your company at risk. And failing to update your cyber security at least once a year puts unnecessary vulnerabilities in your IT.
Everyone is at risk of cyber threats. The key to staying on top of your cyber security is to review and maintain your cyber security policy regularly (at least once a year). Sit down with your IT manager and review (old and new) cyber threats to reduce your risk to them.
It’s best that your schedule this in your corporate calendar to remember this critical cyber security responsibility.