Three Effective Tips for Achieving a Sound Cybersecurity Policy


In an effort to make every user safer and more secure online, government and industry have come together to promote cybersecurity awareness each October, which is celebrated as National Cyber Security Awareness Month.

The National Cyber Security Alliance sets weekly themes throughout the month, and this week’s theme, “Cybersecurity in the Workplace Is Everyone’s Business,” is an important one.

When it comes to cyber attacks, no business, small or big, can avoid them. Furthermore, there are many facets to a cyber attack that are often glossed over: many organizations have no firewall in place, and administrators may neglect to change default passwords. Then there is the role that individual employees play in the overall cybersecurity of a company.

It has been cited countless times that the majority of breaches are the result of human error. As a result, many organizations advocate creating a culture of cybersecurity “from the breakroom to the big boardroom,” and they are not wrong.

In a company, cybersecurity is a shared responsibility among all employees and does not rest solely with the CTO or CISO. In this blog post, we address three tips that could make a difference in your organization. How does your company stack up? Are you implementing the following?

Delivering the Facts

Delivering the facts is a first step that many overlook because of its apparent simplicity, but it is actually one of the most important. Raising cybersecurity awareness in the workplace is more than blasting emails to employees or handing out generic pamphlets. With something as complex as cybersecurity, it pays to be specific. For example, email is unavoidable in the workplace, since almost all company communication runs through it. Yet one of the most prevalent ways an attack reaches a company is an employee clicking a malicious link in a phishing email, so every employee needs to know the warning signs and how they personally are targeted. One type of phishing, known as whaling, specifically targets high-profile people such as C-level executives; it would be a mistake for executives to assume that phishing only targets regular employees. It is therefore important to keep every employee informed about the kinds of attacks prevalent for their position, role and responsibilities. For example, is the person who runs your social media accounts following basic practices such as enabling 2FA (two-factor authentication)? Is the HR department taking extra precautions with sensitive employee information, such as encrypting employee records? These are the questions to ask in order to educate your employees properly and work toward a culture of cybersecurity in the workplace.

Evaluating Your Company’s Cybersecurity Standing

No two companies are alike, so, as with most policies, there is no one-size-fits-all model for cybersecurity. For instance, one company might find that BYOD (bring your own device) speeds up business operations and makes employees more productive. In that case, a BYOD policy should be implemented to keep outside intrusion in check. Such a policy would involve setting up security controls on employees’ laptops and mobile devices to prevent sensitive company data from leaking, for example device encryption, screen locks and the ability to wipe company data from a lost or stolen device. Be sure to avoid common BYOD pitfalls when drafting company policies.

Then there are the other vectors through which cyber criminals infiltrate a company and gain unauthorized access to its key assets (e.g. data), where individual employees have no control over the outcome. Consider your company’s infrastructure and computer systems. Here the IT administrator is responsible for ensuring that the company keeps up with security best practices, such as routinely applying security patches and changing the default usernames and passwords on applications that require admin rights.

Finally, if you are a small business or a new startup, you might think a cybersecurity policy is unnecessary. But regardless of company size, cyber attackers do not discriminate, and a single attack can be enough to break a company. According to Small Business Trends, 60% of small businesses go out of business within six months of an attack. Smaller businesses should prioritize security from the start and do it properly to avoid falling apart. Even among large companies the picture is incomplete: only 40% of Fortune 500 companies have some kind of insurance against cyber attacks, and those policies typically do not cover the full scope of a company’s potential cyber exposure. Because cybersecurity policies vary by company, it takes some initial evaluation to understand how the absence of such policies can affect your business.

Implementing a Cybersecurity Policy or Framework

Having a difficult time setting up a cybersecurity policy for your company? Luckily, the National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great resource for companies looking for guidance as they begin to implement one. Although it was originally developed through collaboration between industry and government agencies to help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and electric power grids, the framework has since been widely adopted by organizations of all kinds around the world. Its core groups cybersecurity activities into five functions: Identify, Protect, Detect, Respond and Recover. NIST describes the framework as helping an organization to do the following, which can also guide you in creating a cybersecurity policy or reviewing your current one:

  • Describe your current cybersecurity posture
  • Describe the target state of specific cybersecurity activities
  • Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
  • Assess progress toward the target state
  • Communicate among internal and external stakeholders about cybersecurity risk

Every organization, regardless of size, needs a plan for raising cybersecurity awareness that emphasizes both resistance and resilience in the face of cyber attacks. The road to a sound cybersecurity policy may be less steep than you think. No organization can predict when it will be attacked, but having a cybersecurity policy in place helps you stay ahead of cyber criminals before they reach you. In honor of National Cyber Security Awareness Month, we recommend checking out the various resources provided by the National Cyber Security Alliance. Follow us on Twitter at @cloudbric for more cybersecurity news and tips, and help us spread the #CyberAware message!