IT Security Policy - 5 Simple Steps To (Actually) Securing Your Company
An IT security policy is increasingly important in a world with heightened cyber security threats.
Since we’re literally obsessed with security, we’ve brought in the big guns — Jamie Akhtar of Cyber Smart — to get you on track.
Here are some essential tips that will help you figure out what needs to be included:
1. Figure out what data you actually store
It’s almost impossible to protect your information if you don’t know what you’ve got or where it’s stored.
This is getting increasingly challenging with the number of cloud services we’re now using. Thankfully, there’s an easy way of mapping this, by focusing on these key areas:
* What customer data do we store (and where)?
This is usually your biggest data set — everything from marketing info to service delivery.
* What company data do we store (and where)?
Think email, documents and communications.
*What employee data do we store (and where)?
Contact info, passports, payroll.
Once you have the specifics of these three areas, you’re ready to move onto step 2.
2. Review and lock down access
Most breaches involve people and this is often your weakest link, but not in the way you might think. People are the gatekeepers to information, so attackers often focus on compromising these individuals.
Looking over the three answers from step 1, think about how you can better secure access to each of these data stores.
* What can we do to add more security to customer data?
Ensure two-factor authentication is enabled where possible, review service providers and make sure only people that need access to customer data have it.
* Does everyone need to have access to all company data or could we segment on a need to know basis?
This could mean having one folder for directors, one folder for all staff and another folder for public assets.
* How can we protect our employee data while still being accessible?
This is often highly sensitive and the recent string of employee data breaches highlight the need for better protection of this data.
Hint: use CharlieHR!
3. Protect your digital devices
If you work in an SME, it’s highly likely that most of the laptops and phones your employees are using are not fully secured and could be compromised in some way.
Here are the most essential measures for your IT security policy:
* Install anti-malware on all devices
Yes all devices, including Mac and Android. There’s ransomware for Mac and Android, where infections are now as common as for Windows.
* Keep your software up-to-date.
This is crucial to staying protected: ensure auto-updates are enabled wherever possible and avoid the temptation to postpone updates. The number of security patches released weekly is staggering — don’t give the hackers an easy way in. Bonus: many updates also reduce crashes and make your devices quicker!
* Enable Find My Mac / iPhone / Android Device Manager.
This gives you a (slim) chance to locate your device, and (more importantly) the ability to remotely wipe any sensitive data that may be left.
4. Secure your network
The network is no longer considered the safe fortress it once was, so it’s extra important to limit internal exposure and prevent any malware spreading.
Secure it with these key controls:
* Segment your network from the other users in your building and use virtual networks for further isolation between departments.
Top tool: Cisco Meraki is outstanding free network equipment for attending webinars!
* Lock down you network.
Change the default passwords and setup firewall rules based on what services you actually use.
* Use a VPN when outside the office.
This will prevent traffic interception and prevent being sent to malicious websites.
Top tool: Cloak for Mac/iPhone, TunnelBear for Windows/Android.
5. Train your staff to increase resilience
Central to any IT security policy is staff training.
With the massive increase in phishing attacks (the new age spam designed to trick you into clicking links or divulging information) along with exponential in growth ransomware, your staff are an important line of defence and the key to protecting sensitive information.
Here are three top tips to prepare them to defend against the bad guys:
* Regularly remind everyone to not click links or respond to suspicious emails.
This is still one of the most common ways that breaches start.
* Use a password manager.
Websites we all use are regularly compromised and our password is exposed. A password manager helps you by storing a unique password for each website you visit, making re-use a thing of the past and passwords harder to crack. No more remembering passwords!
Top tool: 1Password for teams.
* Stay alert and report suspicious activity
Staff are usually the first ones to notice when something isn’t right. Ask them to report any discrepancies and make sure these are followed up upon. With inevitable attacks, detecting an issue early is as important as preventing it in the first place.
* Ensure the team aware of the IT security policies
Have a IT security policy and make sure the team are aware where it lives. As we've seen it's vital that the team are aware of potential threats. This can only be achieved if they're up to speed of the policies in place!