Every business, big or small, should establish a cybersecurity policy. Employees need to know what is acceptable and what is not when it comes to all things IT. The policy should set expectations, detail rules, and give employees the resources necessary to put the policy to work.
Your employees represent the front lines of your business’s cybersecurity defense. You may have all the antivirus software, malware protection, and firewalls in the world, but if your employees are not educated about IT security or do not understand even the basics, you are putting your business at MAJOR risk.
What can you do to remedy that? You can put a cybersecurity policy in place. If you already have one, it is time to update it. Then, once it is ready, put it into action!
What does a cybersecurity policy look like? The specifics can look different from business to business, but a general policy should have all the fundamentals, such as password policy and equipment usage.
For instance, there should be rules for how employees use company equipment, such as PCs, printers, and other devices connected to your network. They should know what is expected of them when they log into a company-owned device, from rules on what software they can install to what they can access when browsing the web. They should know how to safely access the work network and understand what data should be shared on that network.
Cybersecurity policies should include rules and expectations related to:
- E-mail use
- Social media access
- General web access
- Accessing internal applications remotely
- File sharing
- Passwords
Policies should also break down IT roles within the organization. Who do employees call, text or e-mail if they need IT support? What is the hierarchy they are expected to follow? Do they have internal support? Do they contact your managed services provider (MSP) or IT services partner?
It is important for employees to have resources in order to effectively execute policies. This can come in many forms. It may be a guidebook they can reference or a support phone number they can call. It might be ongoing training on cybersecurity topics. Or it might be all of the above (as it often is!).
Break down every rule further. Passwords are a great example of a policy area every business needs to have in place. Password policy often gets overlooked or simply isn’t taken as seriously as it should be. As with many cybersecurity policies, the stronger the password policy is, the more effective it is. Here are a few examples of what a password policy can include:
- Passwords must be changed every 60 to 90 days on all applications.
- Passwords must be different for each application.
- Passwords must be 15 characters or longer when applicable.
- Passwords must use uppercase and lowercase letters, at least one number, and at least one special character, such as @, #, %, or &.
- Passwords must not be recycled.
The good news is that many apps and websites automatically enforce these rules. The bad news is that not ALL apps and websites enforce these rules – meaning it’s up to you to define how employees set their passwords.
Putting a cybersecurity policy in place isn’t easy, but it’s necessary, especially these days. More people are working remotely than ever. At the same time, cyber threats are more common than ever. The more you do to protect your business and your employees from these cyber threats, the better off you’ll be when these threats are knocking at your door.
If you need help setting up or updating your cybersecurity policy, do not hesitate to call your MSP or IT services partner. They can help you put together exactly what you need for a safer, more secure workplace.