
Cybersecurity Policy Development 101

What Should be Included in a Cybersecurity Policy?

Each business should have a cybersecurity policy in place to protect the company’s information and reduce employees’ risk in their cyber-related activities. But if you don’t have a cybersecurity policy, where should you start?

Developing a cybersecurity policy is all about combining your knowledge of your company’s specific needs and employees’ roles with cybersecurity best practices to create a unique policy that works for your organization. Ultimately, a cybersecurity policy should set expectations and give employees the resources needed to abide by the policy and protect your organization. So, the basic framework of cybersecurity policy development starts with considering:

• What cyber protection does your company need, and what risks do you have?
• What expectations does your organization have of your employees concerning those risks?
• How can you equip your employees to understand and comply with the cybersecurity policy?

Your cybersecurity policy development will depend on your organization’s business needs, the cybersecurity measures you have in place, and the role your employees play, but all good policies have a few things in common.

Here, we’ve outlined the four main elements to consider when developing a policy for your organization.

1. Employee Education

Your employees are the first line of defense against cyber attacks and hacking, so considering their cyber education is a crucial component of cybersecurity policy development. While you can’t totally eliminate human error, developing a cybersecurity policy and educating your employees can greatly reduce your exposure to cyber risks and insider threats.

2. Password Management

Considering password guidelines is a vital part of cybersecurity policy development. Some common password guidelines include:

• Passwords need to be changed every 60 – 90 days on all applications.
• Passwords need to be different on each application.
• Passwords need to be 15 characters or longer, must use a combination of upper- and lower-case letters, at least one number and one special character.

While some of your employees may find it challenging to have a different password on each application, you can potentially make it easier by providing them with a password manager or offering multi-factor authentication.

3. Device Security

With more people working remotely, it’s difficult to know where your organization’s devices are—much less how secure and accessible they are. If these devices are stolen or misplaced, your organization’s data could be compromised—which is why device security should be a consideration in your cybersecurity policy development. Consider requiring employees using personal devices to frequently lock their devices and avoid public networks if possible. Personal devices need their own set of guidelines to ensure the safety of your organization’s data.

4. Privacy Settings

Encourage your employees to activate privacy settings on their personal email and social media accounts to limit the amount of personal information people can access. Platforms such as Facebook, Twitter and Instagram can make your private information easily accessible. Inform employees about the dangers of including private information on these platforms.

Depending on your organization’s IT structure, you may also have other needs that should be addressed in addition to these four main elements, such as information about email use, general web access guidelines, accessing internal applications remotely, file sharing and more. While this is just a general overview of cybersecurity policy development, it’s important to hone a policy that’s specific to your organization’s needs and risks. If you need assistance developing a cybersecurity policy for your organization, Warren Averett is here to help and start the conversation about how you can best protect your organization.

Lisa Berry

CRCM, CCBCO Warren Averett

36 | www.cbaofga.com | July/August 2022