Every business, big or small, should have a cyber security policy in place for its employees. Employees need to know what’s acceptable and what isn’t when it comes to all things IT. The policy should set expectations, lay out rules and give employees the resources necessary to put the policy to work.
Your employees represent the front lines of your business’s cyber security defense. You may have all the antivirus software, malware protection and firewalls in the world, but if your employees aren’t educated about IT security or don’t understand even the basics, you’re putting your business at MAJOR risk.
What can you do to remedy that? You can put a cyber security policy in place. If you already have one, it’s time to update it. Then, once it’s ready, put it into action!
What does a cyber security policy look like? The specifics can look different from business to business, but a general policy should have all the fundamentals, such as password policy and equipment usage.
For instance, there should be rules for how employees use company equipment, such as PCs, printers and other devices connected to your network. They should know what is expected of them when they log into a company-owned device, from rules on what software they can install to what they can access when browsing the web. They should know how to safely access the work network and understand what data should be shared on that network.
Breaking it down further, many cyber security policies include rules and expectations related to:
- E-mail use
- Social media access
- General web access
- Accessing internal applications remotely
- File sharing
Policies should also break down IT roles within the organization. Who do employees call, text or e-mail if they need IT support? What is the hierarchy they are expected to follow? Do they have internal support? Do they contact your managed services provider (MSP) or IT services partner?
It’s important for employees to have resources in order to effectively execute policies. Those resources can come in many forms: a guidebook they can reference, a support phone number they can call, ongoing training on cyber security topics, or all of the above (as it often is!).
Break down every rule further. Passwords are a great example of an area of policy every business needs to have in place. Password policy often gets overlooked or simply isn’t taken as seriously as it should be. As with many cyber security policies, the stronger the password policy is, the more effective it is. Here are a few examples of what a password policy can include:
- Passwords must be changed every 60 to 90 days on all applications.
- Passwords must be different for each application.
- Passwords must be 15 characters or longer when applicable.
- Passwords must use uppercase and lowercase letters, at least one number, and at least one special character, such as @, #, % or &.
- Passwords must not be recycled.
The good news is that many apps and websites automatically enforce these rules. The bad news is that not ALL apps and websites enforce these rules – meaning it’s up to you to define how employees set their passwords.
Putting a cyber security policy in place isn’t easy, but it’s necessary, especially these days. More people are working remotely than ever. At the same time, cyberthreats are more common than ever. The more you do to protect your business and your employees from these cyberthreats, the better off you’ll be when these threats are knocking at your door.