Headlines love stories about the big cyber-attack by reprehensible outsiders. These happen far too often, but what we don't hear about often enough is that a large share of breaches are caused by an error or action of a staff member: usually inadvertent, but sometimes malicious.
Where Do Employees Go Wrong?
Human mistakes happen. Policies and training reduce how often they happen, but since you are unlikely to eradicate them altogether, you should also plan to limit their impact when they do occur.
So, where do the key errors happen?
- Misaddressed emails
- Stolen devices – or personal devices without the right security
- Insecure home systems for remote workers
- Unhappy employees with malicious intent
- Employees' identities hijacked by cyber criminals
What Security Policies Do You Need to Secure Your Business?
It’s not just one policy that you need to ensure the security of your business, but rather a group of policies that address critical areas that form your security program.
Acceptable Use Policy (AUP)
The AUP outlines the practices and constraints that employees using company assets must consent to before they are granted access to your internet connection and network. Every new employee should sign one on commencement, before being given a network ID.
Access Control Policy (ACP)
Limiting the information and systems each employee can reach is standard practice. Not everybody needs access to everything, so granting each role only the access it requires (least privilege) adds a further layer of security.
The ACP defines these access levels as well as:
- the criteria for granting any user access
- how network access controls are enforced
- operating system software controls
- corporate password requirements, including complexity
- how corporate systems are accessed and monitored
- how unused and unattended workstations must be secured
- how access is revoked when an employee leaves the company
Change Management Policy
Having a framework for managing change within your organisation starts with your Change Management Policy. This documents how changes will be communicated throughout the business and how they will be conducted to minimise disruption.
Remote Access Policy
With more staff members working remotely, your Remote Access Policy is more important than ever. It defines the acceptable ways for workers to connect remotely to your company's internal network. BYOD guidelines can also be added to this document.
Email/Communication Policy
This policy sets out how employees may use the company's electronic communications, and can extend to:
- blogs
- social media
- chat features
Information Security Policy
This is a high-level policy that covers a wide range of security controls. It is designed to ensure that every employee who uses any of the organisation's IT assets or network is aware of, and complies with, all documented guidelines and rules.
Disaster Recovery Plan
How well you recover from an attack or a crisis is a matter of planning rather than good luck. A comprehensive Disaster Recovery Plan sets out how an incident will be handled, and should be backed by regular risk assessments and staff training so that it works when needed.
Business Continuity Plan (BCP)
The BCP sits above the Disaster Recovery Plan: it defines how the business keeps operating during and after an attack or disaster, and ensures the Disaster Recovery Plan is used effectively to restore the applications, data and hardware that are vital to limiting damage and returning to normal operations.
A Few Last Words
Having these policies in place, combined with robust IT security solutions, will help protect your business in the event of an attack and enable you to recover. Every business is different, so it is advisable to get expert assistance to ensure that you are fully covered.