One of your employees checks his email on his personal computer at home that doesn’t have any antivirus software. A manager at your company uses the same password for all of her company and personal online accounts. A vendor is allowed access to your network at the same time that he’s connected to another network. These are all examples of behaviors that can compromise the security of your data and systems, and they all can be avoided by having appropriate policies in place.
Policies to control behaviors like those described are essential components of your cybersecurity plan. You may even have some of these policies already. Just have a look in your employee handbook. Having the policies is one thing. Training employees on how to follow them, and then enforcing them is another.
Depending on your industry and your business, you may have several different categories of policies that control access to data. The following three categories are must-haves for any business that wants to protect their data and access to their IT systems and lower their risk of becoming a victim of cybercrime.
Password Management Policies
Password management is by far one of the easiest methods to use to lock down your data. Unfortunately, many people find good password behavior an annoyance that slows them down and they fail to follow guidelines, even if you have them detailed in your employee handbook. Additionally, people create passwords for their own convenience, so they can remember them easily, and that usually makes them easier for hackers to crack.
If passwords are going to be an effective part of your cybersecurity plan, your policies need to provide guidelines for how employees will create passwords and how they will protect them. The following is a partial list of example password policies that you should include in your plan:
- Users should have unique passwords for different accounts.
- Users should change their passwords every six months (at least).
- Users should not put password information in email messages.
- Users should create passwords following established guidelines such as:
- Minimum of 8 characters.
- Should not include common usage words.
- Are not based on personal or company information.
- Passwords are considered confidential information and should not be shared.
- Do not write passwords down and store them in your office.
- Vendor access to the network will be controlled using one-time passwords.
- And so on…
Train employees to follow established password standards so that they know what to do, then enforce their use. You can set up your system to force password changes on a consistent basis, and to reject the use of passwords that don’t meet guidelines.
One of the best things you can do is to make security a part of your culture with ongoing communication to employees about the value of data, their responsibility to keep it safe, and provide reminders about appropriate behavior.
Your company email is a wonderful tool that your employees use to communicate, but you need policies in place to set expectations on how this asset can and cannot be used. It makes sense that you’d want to know that the tools you provide employees are being used for work (or mostly for work) but you also want your people to avoid actions that will compromise the safety of your IT systems.
Email policies are an effective part of your cybersecurity plan when they instruct employees on how to handle messages that contain sensitive data. Policies also need to spell out limits for personal use of email so that employees aren’t increasing company exposure to spammy messages that can contain malicious links or attachments.
Here are some examples of email policies that you should be using:
- All use of email must be consistent with company policies and procedures for ethical conduct and compliance with applicable laws.
- Company email should be used primarily for business-related purposes.
- Company email may not be used for non-company commercial uses.
- Email should be retained only if it qualifies as a business record.
- Company email should not be forwarded to a third-party email system or storage server.
- There is no expectation of privacy regarding company email.
- Company may remote wipe any device containing company email.
- And so on…
Enforcement of policies can include different methods such as system monitoring, reports, internal and external audits and periodic walk-throughs.
Training new employees in email policies is essential, but so is ongoing communications to current staff to remind them of expectations and build up their sense of responsibility as it pertains to the protection of company information and IT systems.
Remote Access Policies
Every time somebody external to your organization or to your office environment accesses your network, they’re creating a potential door for cyber criminals to enter. This is just as true for your own employees using their mobile devices as it is for your vendors who need to work on your IT systems. Having remote access policies adds a level of control that increases your defense against unwanted intruders.
Some of your remote access policies might overlap with other policies such as email and acceptable encryption. These examples will give you an idea of the variety of scenarios that you need to cover:
- Remote access connections should be given the same consideration as on-site connections.
- Access to the internet through the company network by family members is allowed only under certain circumstances.
- Vendors can access IT systems via a one-time password or public/private keys with strong pass-phrases.
- Employees and contractors must ensure that their device that is remotely connected to the company network isn’t connected to another network at the same time.
- Employees with remote access privileges should not use non-company email or other external resources for business.
- Remote employee’s home equipment must meet specified standards for security.
- Login credentials should not be shared.
- And so on…
Give your employees the tools they need to follow your remote access policies. If you say that only company phones can access the email server, then provide phones to those who need to do this. Likewise, if remote workers need to have VPN to login to your system, you’ll have to set up the technology for them to do so.
Everyone in your company might not need training regarding remote access, but training is the first step to teach everyone what is expected. A big part of enforcement will be giving employees the tools they need to follow policies, and to instill in people their responsibility to keep data and systems safe.
Are Your Policies Keeping the Doors to Cyber Criminals Shut?
At XPERTECHS, we work with companies to help them manage the risks of cybercrime, we help them to assess and improve all layers of their cyber defenses, including providing recommendations for policy creation and enforcement.
If you’re not confident in how your IT team is handling cybersecurity, contact us to schedule a security assessment.