Technological defences and staff training are two of the most frequently touted measures for preventing data breaches, but their effectiveness is dependent on the way organisations implement them.
That means creating a detailed cyber security policy.
What is a cyber security policy?
A cyber security policy outlines an organisation’s cyber security defence strategy. Specifically, it explains the assets that must be protected, the threats to those assets and the controls that have been implemented to tackle them.
It’s only by documenting these that you can be sure that your organisation is approaching cyber security comprehensively and efficiently.
What a cyber security policy should include
All cyber security policies should include information on:
Which controls the organisation has implemented and the threats they address. For example, endpoints should be protected with antivirus software and firewalls
How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organisations should regularly update browser, operating system and other Internet-facing applications
How data will be backed up. For example, organisations might choose to automatically back up their data to an encrypted Cloud server with multi-factor authentication
Cyber security policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents and which users have admin rights.
Employees and your cyber security policy
No matter how resilient your cyber security strategy is, you must always account for employees’ susceptibility to mistakes.
This might be the result of carelessness – such as misplacing files – or the result of targeted attacks from crooks. Phishing is one of the most common tactics in cyber crime because it circumvents many of the measures that organisations adopt to protect their organisation, instead going directly at employees.
Those who are unable to spot the signs of a malicious email will expose their sensitive information or leave the organisation open to catastrophic damage, such as a ransomware infection.
A cyber security policy will mitigate these risks, explaining to employees how they can protect sensitive information in various scenarios.
It should also address what happens when an employee doesn’t follow protocol. The specific actions will depend on the circumstances, but in most cases you’ll discipline, or possibly even fire, some for deliberately flouting the rules.
However, as cyber security expert William H. Saito notes, you should be more cautious if the breach was an honest mistake:
Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation.
It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.
Organisations should also take some accountability when an employee makes a mistake, as it suggests that staff awareness training is lacking – whether that’s because the course content isn’t adequate or that sessions aren’t being performed regularly enough.
Part of your response to a security incident should be to review all of your defence measures, which includes your cyber security policy, training programmes and technologies.
Creating a cyber security policy
The content of your policy will depend on specific issues that you’ve identified when performing a risk assessment. That said, there are some universal issues that every organisation should account for, such as:
Software providers regularly release patches to fix identified vulnerabilities. Once the update is announced, the vulnerability is made public – which means cyber criminals can look to exploit it.
That’s why organisations must have a patch policy in place to ensure updates are applied as soon as they are released.
Acceptable Internet use
Employees should be given a degree of leeway when it comes to accessing non-work-related content on company devices; after all, everyone is entitled to breaks.
However, organisations should be careful about just how much freedom they’re afforded. Untrustworthy sites, especially those that encourage users to download content, can be used to infect the device with malware.
Remote working has become a standard part of modern business, thanks to the growing popularity of working from home and on the road.
Unfortunately, public Wi-Fi and employees’ home connections are less secure than your internal network, because it’s not subject to the rigorous defences you’ve implemented, such as firewalls.
Likewise, unlike your internal network, there’s no guarantee that only your employees have access.
As such, you should establish controls that prevent remote workers from accessing sensitive company information. This reduces the damage in the event that an employees’ account is compromised.
Creating strong passwords
Weak passwords are one of the biggest security problems that organisations face. Even though most employees are aware of the importance of strong login credentials, too many of them don’t think beyond obvious phrases such as ‘123456’ and ‘qwerty’.
Your cyber security policy should urge staff to create stronger passwords by outlining rules.
There are several schools of thought on what makes a strong password, the most common of which is that credentials should contain a combination of at least eight upper- and lowercase letters, numbers and special characters.
The problem with this method is that the result can be hard to remember. “Did I replace the ‘o’ with a ‘0’ or the ‘l’ with a ‘1’?”, for example.
One way around this is to make your password a code; a popular technique is to use the first letter from a sentence that uses each of those characters. For instance, “My first son was born in July ’01” becomes “MfswbiJ’01”.
You can also use the length of your password to your advantage; every additional character you add is one that a cyber criminal has to guess.
As such, three random words – with no special characters or numbers – is often more secure than a complex cipher such as the example above.
Your policy doesn’t need to specify one approach over another; some employees will be more comfortable with one approach and others with an alternative. The important thing is that staff break out of the habit of simple passwords that can be cracked instantly.
Cyber security policy template
If you don’t know where to begin when creating a cyber security policy, you should take a look at our ISO 27001 ISMS Documentation Toolkit.
This toolkit provides templates for all the documents you need to comply with ISO 27001, including policies, procedures, work instructions, and records.
Cyber security as a service
Are you looking for extensive help addressing threats? With our Cyber Security as a Service solution, you can protect your organisation quickly and easily in an all-in-one package.
From expert guidance and support on everything from staff training and policy creation, to breach containment and incident reporting, our monthly subscription package has you covered.
A version of this blog was originally published on 3 January 2018.
Read more: itgovernance.co.uk