Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks.
It aims to reduce the risk of cyber attacks and protect against the unauthorised exploitation of systems, networks, and technologies.
A good cyber security policy outlines:
technology and information assets that you need to protect
threats to those assets
rules and controls for protecting them and your business
It’s important to create a cyber security policy for your business – particularly if you have employees. It helps your employees to understand their role in protecting the technology and information assets of your business. When you prepare your policy, ensure it guides your employees on:
the type of business information that can be shared and where
acceptable use of devices and online materials
handling and storage of sensitive material
When developing your cyber security policy, consider the following steps:
1. Set password requirements
Your cyber security policy should explain:
requirements to create strong passphrases
how to store passphrases correctly, for example in a password manager rather than in documents or emails
when passphrases must be changed (current guidance such as NIST SP 800-63B recommends changing a passphrase when there is evidence it has been compromised rather than on a fixed schedule, because forced periodic rotation tends to produce weaker, predictable passphrases)
the importance of having unique passphrases for different logins
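A policy is only enforced if something checks it. The following is an added example, not code from the original page: a small Python check that applies the requirements above (minimum length, a denylist of common choices, some character variety, and no reuse) while storing only salted, stretched hashes of previous passphrases rather than the passphrases themselves. The minimum length of 14, the iteration count and the denylist entries are assumed policy values for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Sequence, Tuple

MIN_LENGTH = 14                       # assumed policy minimum, not from the page
PBKDF2_ITERATIONS = 200_000           # assumed work factor; raise for real deployments
# Constructed sample denylist; a real one would be a breached-password list.
COMMON_PASSPHRASES = {"password", "passphrase", "letmein", "qwerty", "welcome1"}

HashEntry = Tuple[bytes, bytes]       # (salt, digest)


def hash_passphrase(passphrase: str, salt: Optional[bytes] = None) -> HashEntry:
    """Return (salt, digest). Only this pair is ever stored, never the passphrase."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def is_reused(passphrase: str, history: Sequence[HashEntry]) -> bool:
    """True if the passphrase matches any stored (salt, digest) entry.

    Each entry is re-derived with its own salt and compared in constant time.
    """
    for salt, digest in history:
        _, candidate = hash_passphrase(passphrase, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_passphrase(passphrase: str, history: Sequence[HashEntry] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the passphrase is acceptable."""
    problems: List[str] = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if passphrase.strip().lower() in COMMON_PASSPHRASES:
        problems.append("appears in the common-passphrase denylist")
    if len(set(passphrase.lower())) < 5:          # rejects e.g. "aaaaaaaaaaaaaaaa"
        problems.append("too little variety of characters")
    if is_reused(passphrase, history):
        problems.append("reused from a previous passphrase")
    return problems


if __name__ == "__main__":
    # Constructed usage: the user's previous passphrase is kept only as a salted hash.
    previous = [hash_passphrase("correct horse battery staple")]
    for candidate in ("correct horse battery staple", "password", "a different long passphrase here"):
        print(repr(candidate), "->", check_passphrase(candidate, previous) or "accepted")
```

The check reports every violation at once rather than stopping at the first, which gives the user one clear message instead of a series of rejections.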
2. Outline email security measures
Include guidelines on:
when it’s appropriate to share your work email address
only opening email attachments from trusted contacts and businesses
blocking junk, spam and scam emails
identifying, deleting and reporting suspicious looking emails
3. Explain how to handle sensitive data
When it comes to handling sensitive data, outline:
when staff may share sensitive data with others
ways they should store physical files with sensitive data, such as in a locked room or drawer
ways to properly identify sensitive data
ways to destroy any sensitive data when it is no longer needed
4. Set rules around technology
Rules around technology should include:
where employees may use work devices, such as a business laptop, away from the workplace
how to store devices when they aren’t in use
how to report a theft or loss of a work device
how system updates such as IT patches and spam filter updates will be rolled out to employee devices
when to physically shut down computers and mobile devices if not in use
the need to lock screens when computers and devices are left unattended
how to protect data stored on devices like USB sticks
restrictions on use of removable devices to prevent malware being installed
the need to scan all removable devices for viruses before they may be connected to your business systems
5. Set standards for social media and internet access
The standards for social media and internet access may include:
what is appropriate business information to share on social media channels
which services and accounts staff may sign up for using their work email address
guidelines around which websites and social media channels are appropriate to access during work hours
6. Prepare for an incident
If a cyber security incident occurs, you should minimise the impact and get back to business as soon as possible. You’ll need to consider:
how to respond to a cyber incident
what actions to take
staff roles and responsibilities for dealing with a cyber attack
Prepare a cyber security incident response plan
An incident response plan helps you prepare for and respond to a cyber incident. It outlines the steps you and your staff need to follow. Consider the following stages when preparing a plan.
Prepare and prevent
Prepare your business and employees to be ready to handle cyber incidents.
Develop policies and procedures to help employees understand how to prevent an attack and to identify potential incidents.
Identify the assets that are important to your business – financial, information and technology assets.
Consider the risks to these and the steps you need to take to reduce the effects of an incident.
Create roles and responsibilities so everyone knows who to report to if an incident occurs, and what to do next.
Check and detect
Check and identify any unusual activities that may damage your business information and systems. Unusual activity may include:
accounts or your network are not accessible
passwords no longer working
data is missing or altered
your hard drive runs out of space
your computer keeps crashing
your customers receive spam from your business account
you receive numerous pop-up ads
Identify and assess
Find the initial cause of the incident and assess its impact so you can contain it quickly.
Determine the impact the incident has already had on your business, and the effect it will have on your business and assets if it is not contained immediately.
Respond
Limit further damage from the cyber incident by isolating the affected systems. If necessary, disconnect them from the network to stop the threat from spreading. Prefer disconnecting over powering off where you can: turning a computer off destroys evidence held in memory (running processes, network connections, encryption keys) that an investigator may need to work out what happened.
Remove the threat.
Recover from the incident by repairing and restoring your systems to business as usual.
Review
Identify if any systems and processes need improving and make those changes.
Evaluate how the incident was handled before, during and after, and record any lessons learnt.
Update your cyber security incident response plan based on the lessons learnt so you can improve your business response.
7. Keep your policy up-to-date
You should develop, review and maintain your cyber security policy on a regular basis.
Updating and auditing cybersecurity procedures
Technology is continuously changing. Update cybersecurity procedures regularly, at least once a year and after any significant incident or change to your systems. Establish an annual review and update process and involve key stakeholders.
When reviewing an information security policy, compare the policy's guidelines with the actual practices of the organization. A policy audit or review can pinpoint rules that no longer address current work processes. An audit can also help identify where better enforcement of the cybersecurity policy is needed.
Excel Cloud Solutions suggests the following three policy audit goals:
Compare the organization's cybersecurity policy to actual practices
Determine the organization's exposure to internal threats
Evaluate the risk of external security threats
An updated cybersecurity policy is a key security resource for all organizations. Without one, end users can make mistakes and cause data breaches. A careless approach can cost an organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.