Why does your organisation need a cyber security policy?

Data protection NIS2(featured)

In our last post we discussed the impact of our working from home (WFH) and hybrid remote working styles on organisational security. The context for this is a rapidly expanding cybersecurity sector and a critical level of cyber-attacks from hackers in response to new technologies and software that seek to prevent them.

In turn there are a plethora of newly emerged risks and vulnerabilities that need to be considered as real-time threats. All organisations must also consider these in the context of GDPR and Data Privacy and Protection laws that are adapting to meet these changes.

It may be that you have some measures in place already, such as firewalls and password protections, but the purpose of a cyber security policy is to address all potential weak points in your cyber security and to ensure that your approach is made available and implemented throughout the organisation. It will also highlight the compliance areas that are required by law. It is important that this information be available for your office staff, hybrid, and remote workers as well as contractors who have access to your cloud infrastructure.

What is cyber security?

Going back to basics is a good place to start with your policy. Knowing the threats and how they can affect you is paramount to developing the right protection. The International Journal of Advanced Research in Computer and Communication Engineering defines cyber security as follows,

‘Cyber Security is a process that's designed to protect networks and devices from external threats. It is important because it protects all categories of data from theft and damage.’

‘It’s being protected by internet-connected systems, including hardware, software, and data, from cyber-attacks. In a computing context, security comprises cyber security and physical security both are used by enterprises to safeguard against unauthorized access to data centres and other computerized systems. The security, which is designed to maintain the confidentiality, integrity, and availability of data, is a subset of cyber security.’

How is it relevant to your organisation?

In relation to your business, it may be helpful to see what parts of your operations overlap with these five key areas of cybersecurity as listed below. This should help you identify any weak points or areas of concern, and from these you can create a robust cyber security policy. The effects of these cyber security concerns could include but by no means be limited to your servers, your emails, your live digital assets such as your website and social accounts, your intranet (organisational internal network) and any devices that are linked to any of these accounts.

 

  • Critical infrastructure security.
  • Application security.
  • Network security.
  • Cloud security.
  • Internet of Things (IoT) security.

Once you have identified your vulnerabilities based on the areas of concern listed above, you will need to assess whether the security infrastructure you have in place is adequate. If it isn’t, now is the time to consider a Demo with Pie Security and you may want to talk to your web team to ensure you have data protection and ‘hardening’ against hacking and identity theft in place. It is all too easy to hijack insecure websites, social accounts, and business listings if you have only one point of security such as a weak password. When you are happy with the security infrastructure you have in place it’s time to create a companywide plan for security and a policy that your employees can follow. Bear in mind this policy may need a varied approach across different teams and employees depending on their level of access. This is called an issue-based security policy.

 

What is a cyber security policy?

A cyber security policy is the set of guidelines and procedures for ensuring you keep your organisations and individuals’ data and identity safe.

The policy should be built around the three principles of security:

  1. Confidentiality - Protect the confidentiality of data
  2. Integrity - Preserve the integrity of data
  3. Availability - Promote the availability of data for authorized use

 

Creating and maintaining a cyber security policy

What will it include?

You should consider covering these points when creating and maintaining your security policies:

  • What communication technologies do you use, and are they protected with encryption?
  • What are the guidelines for information that can be shared inside and outside of the organisation?
  • Do you have email encryption?
  • Do you have restrictions on the use of social media?
  • Is your cloud storage secure?
  • Do you have a strong password requirement?
  • Do you implement two factor authentication (2FA) on your critical infrastructure?
  • Where, when, and how can employees access your systems?
  • Who manages the access to your critical infrastructure? Are there back-up’s and fail safes in place?
  • Do you use a VPN and do all employees use your VPN when logging in on a public network?
  • How are you meeting GDPR requirements?
  • Is your digital identity safe? For example, your website, social accounts, and Google business listing?
  • Will you have some training in place to ensure adoption of your security practices across your organisation?
  • What will you do if data gets lost or stolen?
  • Do you have insurance for data loss?
  • How will employees report data loss?
  • Will you have a subset of issue-based policies for certain situations such as working from home or a set of guidelines for your social/marketing team?
  • Will you have a designated person in charge of maintaining and updating the policy?
  • What will be included in privacy policy – the public facing document that explains how you process, handle and store user’s information.

Is it only for large organisations?

Absolutely not, if you have an internet connected system you are vulnerable in the same way as any large organisation. If you are an ecommerce business or hold appointments and handle personal data online, you could also be breaking the law if you don’t have a data protection policy. You can find out how this affects you by visiting the Information Commissioner’s Office website, or you can talk to PieSecurity to ask for a demo and we can help you navigate these laws and guidelines as applicable to your company. The number of businesses being fined for non-compliance is on the rise and could total up to 4% of your annual turnover, so don’t get caught out.

 

 

If your organisation doesn’t have a cyber security policy in place, you need to start now. Get in touch for a demo of our email and security solutions.

Tools like PieSecurity are designed with GDPR and hybrid remote working in mind. Learn more about our email hygiene and encryption solutions and how they can protect your business.