How to Create a Cybersecurity Policy

By Ron Samson Jr

Why create a cyber security policy?

Often, companies don’t see the need for a cybersecurity policy: there are already policies in place to protect the company’s assets, and data is just another asset.

The real need for a cybersecurity policy is simple: cybersecurity is not as simple as locking the door or not stealing the company pens. In many cases, cybersecurity incidents don’t come from malice but from ignorance. Opening the wrong email attachment, leaving a personal device unprotected, or plugging in an infected portable storage device is a far more likely way to have your systems compromised than a brute-force attack by a cybercriminal.

Steps to creating a cyber security policy

A cyber security policy should be thought out and planned. It requires buy-in and commitment from everyone, from the top down.

Here is a step-by-step guide to getting a great cybersecurity policy created and implemented well:

  • Get upper-management buy-in

The key to starting a cybersecurity policy and program is to get upper-management buy-in. If the C-level staff and high-level managers are not committed to the idea, it will go nowhere. They are driving the ship.

Upper management will set the tone for how the policy is implemented. It’s also important that the boardroom understands that many phishing scams are aimed directly at executives, or impersonate C-level executives (for example, a forged “urgent wire transfer” request from the CEO) to steal from the company.

  • Choose a set of guidelines

Obviously, to create a policy, you will need guidelines. Those guidelines will need to answer the general threats of the cyber world, such as phishing, as well as the specific needs of your industry, such as Protected Health Information or securities data. For almost every company this also includes employees’ personal information and proprietary data.

      1. What industry regulations do you have to follow? Many industries have laws and regulations that govern the data they may retain and how it must be handled. The two examples above, the healthcare industry and the securities industry, have very clear and strict rules to abide by. Other industries with guidelines include any company that accepts credit cards (PCI DSS), anyone that takes credit information, and any business that accepts personal data, such as property managers. Starting with these laws, regulations, or standards will save you from having to reinvent the wheel. In the case of HIPAA (the healthcare industry), for example, the Security Rule is detailed enough to serve as a nearly complete set of guidelines.
      2. What specific types of data do you need to protect? Knowing how to secure something starts with knowing what data you have to protect. Again, the healthcare industry is a clear example, but every company that has employees needs to secure employee data as well. In making your company policies, don’t forget that things like rejected credit applications and job applications are also data that needs to be secured.
      3. What programs and hardware must be secured? Understanding what software, and the accompanying hardware, needs to be secured can be an arduous process. The obvious programs are the timekeeping software and the email system, but don’t forget about the connected manufacturing machines and even employees’ private cell phones. Very, very few computers in an office are completely disconnected from the internet or an internal network. Even if you’ve never turned on a computer’s wifi card, if it was built in the last ten or fifteen years there is a good chance it has one, and it can be activated without your knowledge. The safest thing is to assume that every program and every piece of equipment can be connected to a network and is therefore exposed to attack.
      4. What password rules and internet-usage guidelines do you need? The password policy you enforce is often the first and only thing standing between an intruder and your systems. If you have no guidelines, one in every ten people will use “password.” If you think that has changed, take a look at this list of the most popular passwords of 2017 (https://gizmodo.com/the-25-most-popular-passwords-of-2017-you-sweet-misgu-1821425092). Your password policy should require a minimum number of characters as well as non-alphanumeric characters, and it should reject passwords that appear on lists like that one. There is a caution here: if you make the passwords too complex or make people change them too often, they are far more likely to write them down, and that defeats the purpose of a great password policy.
      5. Who will oversee and maintain the cybersecurity policy? This is usually a bit of a debate. The question of who should oversee the policy comes down to two factors: 1) who can carry the information to the employees most effectively and 2) who understands the threat most clearly. The obvious choice is the head of the IT department, but often these are people who aren’t great communicators. Sometimes the most effective thing to do is to have two people, one from IT and one from HR. Together they can create a policy that makes sense and then educate the employees about it well.
      6. What disciplinary actions will be taken? As with anything else in business or life, if there are no consequences, there will be no follow-through. Often, the only time there is discipline is when something really big and painful happens. Instead of waiting for that, look at the smaller lapses that lead to bigger problems. Disciplining someone for not changing a compromised password or for using an unauthorized data storage device can prevent those bigger events by keeping things secure, and shows everyone that you’re not messing around.
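
Point 4 above describes the password rules a policy should set: a minimum length, at least one non-alphanumeric character, and rejection of the passwords everyone uses. The following is an added example (not code from the original article) of a policy checker that enforces those rules. It goes one step beyond the text by normalizing away the substitutions people use to sneak a common password past a naive check (“P@ssw0rd2017!” is still “password”), and by rejecting passwords that contain a context word such as the company name. The blocklist is a small constructed sample; a real deployment would load a full published list or a breached-password corpus.

```python
"""Password policy check: length, character class, common-password screening.

Added example, not from the original article. COMMON_PASSWORDS is a small
constructed sample of entries found on published most-common-password lists;
a real deployment would load a complete list instead.
"""
import re
from dataclasses import dataclass, field

# Constructed sample blocklist (assumption: a real list would be much longer).
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "football", "iloveyou", "admin", "welcome", "monkey",
}

# Substitutions users make so that a common password passes a naive check.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "$": "s"})


@dataclass
class PasswordPolicy:
    """Rules from the article: minimum length, a non-alphanumeric character,
    and no common passwords. No forced rotation is modelled on purpose:
    the article's caveat is that frequent rotation makes people write
    passwords down, so rotate only on suspected compromise."""
    min_length: int = 12
    require_non_alnum: bool = True
    blocklist: frozenset = field(default_factory=lambda: frozenset(COMMON_PASSWORDS))
    context_words: tuple = ()   # e.g. company name, product name, username

    @staticmethod
    def normalize(pw: str) -> str:
        """Reduce a password to its 'core' for blocklist comparison:
        lower-case, strip trailing digits/punctuation (the '2017!' suffix),
        then undo common leet substitutions. 'P@ssw0rd2017!' -> 'password'."""
        core = re.sub(r"[\d\W_]+$", "", pw.lower())
        return core.translate(_LEET)

    def check(self, pw: str) -> list[str]:
        """Return the list of policy violations; an empty list means the
        password is acceptable under this policy."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_non_alnum and not re.search(r"[^A-Za-z0-9]", pw):
            problems.append("no non-alphanumeric character")
        if pw.lower() in self.blocklist or self.normalize(pw) in self.blocklist:
            problems.append("matches a common password")
        for word in self.context_words:
            if word.lower() in pw.lower():
                problems.append(f"contains context word {word!r}")
        return problems


if __name__ == "__main__":
    # Hypothetical company name used as a context word.
    policy = PasswordPolicy(context_words=("Acme",))
    for candidate in ("password", "P@ssw0rd2017!", "Acme-Winter2024!",
                      "correct horse battery staple"):
        verdict = policy.check(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization step is what makes the blocklist useful in practice: without it, a composition rule that demands a digit and a symbol simply teaches users to type “Password1!”, which satisfies every rule and is still one of the first guesses an attacker tries.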
  • Educate the staff

Of course, no policy is useful if no one knows about it. More than that, it’s important to educate staff about why you need to have this policy. Here’s a simple thing to include: a cybersecurity attack at a small to medium-sized company can cost over $100,000 to fix, and over 60% of those businesses will close within 6 months. That means jobs lost.

Almost half of all data loss is caused by the actions of someone inside the company. Educating your staff is the single most important thing you can do after getting quality antivirus protection.

      1. Initial education – Everyone in the company will need to be trained on the new policy. It’s important that the top person on site, whether it’s the CEO or the plant manager, be seen at the training. The staff needs to understand that this is important enough to stop the top managers’ day just to learn what to do.
      2. Monthly reminders – Sending out an email every month about cybersecurity and what staff can and should do is a great way to keep it on their minds. A combination of horror stories, company policies, and humor is a great way to get people to read the messages. You should also look at who doesn’t open the emails; they are likely to be the people who don’t change their passwords and don’t take the policy seriously.
      3. Repeated revisits of the rules – Quarterly meetings, or instructions to supervisors to mention the policy during pre-shift meetings, will go a long way toward keeping everyone on their toes and understanding that they need to be vigilant.
  • Monitor and update the policy

No policy should ever be static. Revisit your cybersecurity policy every year, or every six months, to ensure that it’s up to date with the latest technologies and threats. For example, the recent rise in ransomware should change how companies handle a red screen demanding money: do not pay, disconnect the machine from the network, and report it immediately. That represents a change in policy and procedure that needs to be taught to the team.

    1. Watch for evolving threats – Cyber criminals are constantly looking for new ways to steal things. Keep track of how these crimes evolve so you know how to change your policies to protect yourself.
    2. Update to accommodate software changes – Software terms and conditions, and default settings, change frequently. Sometimes a vendor will decide to loosen its own security defaults. That doesn’t mean that your company can or should. Keeping track of changes that might create problems helps avoid weaknesses introduced by third-party software.
    3. Learn from your mistakes and those of others – Your company will experience data loss. It’s a given. Often it’s harmless, in that you know where the data went and that it has been destroyed, but it will happen. Be sure that your policies reflect what you and your company have learned.

Making it easier on yourself

One of the easiest ways to get a policy like this created, and your staff educated, is to hire a cybersecurity firm to handle it. They have a baseline policy in hand, and they can help you locate all of your assets. When questions come up, like “what do I need to do to protect my phone?”, they will have the answer.

This is a large job and outsourcing might be the best way to get it done well.