To protect personal data and your business against the upward trend in cyber security breaches, it’s important to review your cyber security policy. Two out of three (66%) small businesses in the UK last year admitted to falling victim to a cyber security breach. The majority were due to human error on the part of their staff.
According to the Department for Culture, Media & Sport’s Cyber Security Breaches Survey 2017, 72% of reported cyber security breaches occurred after an employee received a fraudulent email.
Under the General Data Protection Regulation (GDPR), you must be able to show you’ve done all you can to guard against threats and have the technology, people and policies in place to avoid and manage data breaches. Ideally, you will document, review and maintain your cyber security policy on a regular basis.
What to consider when writing a cyber security policy
A cyber security policy can range from a one-page employee awareness document to a full-blown document covering everything from keeping an ordered desk to network security. If you’re low on resources, you should at least create a short guide that covers the most important areas. Consider two key areas: employees and infrastructure.
Employees – what to address in your cyber security policy
While you don’t want to start placing counter-productive bans on social media usage and remote network access, you do need to address the areas below, amongst others. Your policy should define:
- How social media use is regulated internally
- What is acceptable Internet usage
- How to detect social engineering tactics and other scams such as phishing
- How remote workers should securely access your network
- How passwords and authentication should be managed
- How to manage and report security incidents and data breaches
- How to manage employees who fail to comply with your policy – for example through repeat training or, in a worst-case scenario, termination of employment.
Infrastructure – what to include in your cyber security policy
This section will be aimed mainly at your IT and administrative staff. They should be clear on how to protect the business and who is responsible for which areas.
- Which security programs will be implemented – for example anti-virus, firewall and anti-malware software
- How staff should apply updates and patches to limit damage and plug application vulnerabilities
- How data should be backed up – for example, automated backup to an encrypted cloud server via multi-factor authentication.
In terms of clarifying roles and responsibilities, your policy should identify which users have admin rights and controls, as well as who is responsible for:
- Issuing, maintaining and enforcing your policy
- Training staff on security awareness and the policy itself
- Responding to and resolving security incidents