All the cyber security tools and tactics in the world won’t help you without a written network security strategy.
That’s right.
A network security policy is the bedrock of your entire network security strategy. The reason is simple. Multiple studies have shown that up to 95% of network security breaches are caused by human error. It’s easier for a hacker to fool a human than it is to break through network security measures. That’s because most small businesses have no written network security policies for their employees to practice, even though the average cost of one network security breach is $120,000. If your business has no written policies, now is the time to create them.
Here are 10 policies you must have for your strategy to be effective.
- Print policy
- Separation and Termination
- Security incident response
- Sanctions
- Network security
- Access control
- Computer use
- Computer Disposal
- Personal device or BYOD
- Physical Security
Print policy
It’s easy to assume everyone in your small business knows what to do when it comes to network security. But unless you have a plan that has been printed, all you can do is assume. And that is dangerous. So, put your plan on paper. Distribute it to every employee. Stop and take time to review it right after completion. Train on it regularly to be sure all employees understand and remember it.
Also, be sure a thorough review is part of the onboarding process for new employees. Finally, take time on a weekly, monthly, or quarterly basis to review existing policies, especially ones that have created problems for your company. One of the more common problems we see at EDC is what to do when someone leaves a business. Let’s take a look at that policy now.
Separation and termination policy
When someone leaves or retires from your business, the best policy is to completely remove them from your system. Often businesses keep separated employees in the system because there is a very loose plan for them to come back and freelance or work part-time. But that is a bad plan because you assume 100% of the liability with no potential return.
So, don’t worry about appearing rude. Explain that you can’t afford the risk of giving a former employee access, but you’ll be happy to reinstate it if and when they return.
Once a date for separation has been determined, remove all physical access to network devices. That includes picking up physical business assets like laptops and phones. But it also includes picking up building keys and deleting alarm codes.
If it’s a termination, you should have a plan where the employee’s physical assets are picked up before release. This will help keep them from taking retaliatory measures, such as deleting important files. A good separation policy will help you avoid security incidents like this. But if you do have one, you guessed it, have a policy in place.
Security incident response policy
This is really a subject in itself and is much larger than the scope of this blog post. But in its simplest form, employees should immediately reach out to their employer if they suspect there’s been a security breach. This usually works well for smaller businesses, but it must still be written down. Chances are that an employee will be flustered when this happens. You don’t want them to panic and shut down. Give them a plan and course of action, no matter how simple. They will be grateful, and you will save time and money.
Larger companies will need more advanced policies. Again, there are many variables, but it should include contacting the insurance company handling your liability policy. It should also include contacting the security team to document and mitigate damage. This policy is one of the more dynamic ones and needs to be reviewed regularly as your business grows.
Sanction policy
By now you know that most network security breaches are caused by employees. So you need a policy in place on how to deal with mistakes and malicious behavior. Like other policies, there are quite a few variables. But you should base your course of action on a few common denominators. So, ask these questions when crafting a sanction policy.
- How do we handle negligent behavior?
- Has the behavior occurred before?
- Was there a policy in place that the employee should have known?
- Does the scope of damage impact the action we take?
And though it may not be fun to consider, be sure to put in rules for termination and ensure they are legal. The more your employees understand this policy, the more diligent they will be. Speaking of diligence, let’s talk about something that is every employee’s responsibility.
Network security policy
This is a policy worth training on regularly. That’s because employees will encounter potentially dangerous scenarios almost daily. It’s easy for them to forget and make a costly mistake. It’s an area that can cause some inconvenience, too. So, it is natural for employees to want to take shortcuts that can have devastating consequences.
A good network security policy does a few things. First, it will tell employees how to handle things like Personally Identifiable Information, or PII. It should also help employees understand when security patches are applied and what they need to do to facilitate those.
Whatever you put in this policy, practice it regularly, and be sure your team understands the importance of doing it right.
Access control policy
Like many other policies, this one will change as your business grows. But every policy should address:
- What kind of access you will grant.
- A password policy, including minimum password lengths.
- Rules for access to network systems and servers.
- Who can use company devices, and how they can be used.
This is the perfect opportunity to lay out anything you deem necessary, like not using business laptops on a private network or allowing family members to use business assets for personal use.
There are quite a few variables in this policy. For a good example, check out this one by William & Mary University.
Computer use policy
There may be some overlap between this and other policies, but be sure your employees know what they can and can’t use their phones and laptops for. They should also know not to try to install unauthorized software or apps. Finally, ensure the policy calls for encryption of all laptops and USB devices.
Computer disposal policy
In 2005, a Lafayette company donated its used laptops to Goodwill without adequately wiping the information first. A local man bought one of the computers, undeleted the items, and gained access to Social Security numbers and full credit reports for at least 800 people. He offered to sell it back to the company for $3500. Ultimately, this case was resolved, but it cost the company time, money, and reputation. A good computer disposal policy would have stopped the problem before it started.
Anytime you get rid of a piece of technology, it is best to contact your IT provider or team and see if it needs to be wiped. This includes some copiers, because they can store images on their drives. A word of caution here. Solid-state drives, or SSDs, are difficult to wipe reliably, because their wear-leveling firmware can leave copies of data in cells that an overwrite never touches. The best workaround is to ensure all the data is encrypted from the start and then destroy the encryption keys. Of course, this works well for company assets, but what if you allow employees to use their own devices for work?
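The "encrypt everything, then destroy the key" approach above is usually called crypto-erase. The following Go program is an added illustration, not code from the original post or from EDC; it models a drive that seals every record with a data-encryption key, shows that the raw medium never holds plaintext, and then shows that destroying the key makes the untouched ciphertext unreadable. The `EncryptedVolume` type, its methods and the constructed sample record are all assumptions made for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedVolume models a self-encrypting drive or full-disk encryption:
// every record written is sealed with a data-encryption key (DEK), so the
// medium only ever holds ciphertext. (Hypothetical type for this example.)
type EncryptedVolume struct {
	dek    []byte   // AES-256 data-encryption key; nil once crypto-erased
	blocks [][]byte // raw storage: nonce || AES-GCM ciphertext per record
}

// NewEncryptedVolume provisions a fresh volume with a random DEK.
func NewEncryptedVolume() (*EncryptedVolume, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return &EncryptedVolume{dek: dek}, nil
}

// aead builds the AES-GCM cipher from the DEK, or fails if the key is gone.
func (v *EncryptedVolume) aead() (cipher.AEAD, error) {
	if v.dek == nil {
		return nil, errors.New("volume has been crypto-erased: no key available")
	}
	block, err := aes.NewCipher(v.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Write seals plaintext under the DEK and appends it to raw storage.
func (v *EncryptedVolume) Write(plaintext []byte) error {
	g, err := v.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	record := append(nonce, g.Seal(nil, nonce, plaintext, nil)...)
	v.blocks = append(v.blocks, record)
	return nil
}

// Read opens record i; it only succeeds while the DEK still exists.
func (v *EncryptedVolume) Read(i int) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	if i < 0 || i >= len(v.blocks) {
		return nil, errors.New("no such record")
	}
	rec := v.blocks[i]
	ns := g.NonceSize()
	return g.Open(nil, rec[:ns], rec[ns:], nil)
}

// CryptoErase zeroes and discards the DEK. The ciphertext is left in place,
// which is the point: no cell of the medium needs to be overwritten.
func (v *EncryptedVolume) CryptoErase() {
	for i := range v.dek {
		v.dek[i] = 0
	}
	v.dek = nil
}

// RawContains reports whether the given bytes appear anywhere in raw storage,
// i.e. what someone "undeleting" the medium could hope to find.
func (v *EncryptedVolume) RawContains(needle []byte) bool {
	for _, rec := range v.blocks {
		if bytes.Contains(rec, needle) {
			return true
		}
	}
	return false
}

// BlockCount returns how many records remain physically on the medium.
func (v *EncryptedVolume) BlockCount() int { return len(v.blocks) }

func main() {
	v, _ := NewEncryptedVolume()
	secret := []byte("SSN 000-00-0000, credit report (constructed sample)")
	_ = v.Write(secret)
	fmt.Println("plaintext visible in raw storage:", v.RawContains([]byte("000-00-0000")))
	v.CryptoErase()
	_, err := v.Read(0)
	fmt.Println("read after crypto-erase:", err)
	fmt.Println("ciphertext records still on medium:", v.BlockCount())
}
```

The design choice worth noting is that `CryptoErase` never touches `blocks`: the data that remains on the flash is useless without the key, which is exactly why this sidesteps the wear-leveling problem that defeats overwriting. In practice the key lives in the drive controller or the OS key store, and the disposal policy should say who is allowed to trigger the erase and how it is recorded.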
Bring Your Own Device (BYOD) policy
Sometimes it is more convenient and economically viable to allow employees to use their own devices for work. But there are risks to this approach. Psychologically, employees tend to be more alert for phishing attacks and other forms of social engineering when using a company asset. If they allow ransomware onto a personal device, it might corrupt other devices on the network when they use it at work.
Devising this policy will take a lot of time. And it may change quite a bit, at least initially. But every good policy should include the user’s responsibilities, security measures, and a plan on what to do if the employee no longer wishes to use a personal device for work.
Check out this article for an even deeper dive into the subject.
Physical security policy
Even if you have services like cloud data backup, physical security is always an issue. When creating this policy, think about the most dangerous touch-points in your physical space. For example, are your servers kept locked? How will you protect PII? What tactics are in place to challenge strangers in your office space?
You should also have policies on what happens to things like laptops and computers when offsite. Be specific about where they must be stored and secured when offsite. The last thing you need is a laptop stolen because an employee was in the practice of leaving it in a vehicle.
Putting it all together
For all the technological safeguards put in place over the last few decades, you still must rely on your team to ensure good cybersecurity. And your team deserves a good, written set of policies.
Once it is created and integrated into workflows and training, a network security strategy will bring your team a new level of confidence and security. And it will drastically reduce your chances of a costly and stressful security breach.
The EDC Way
At EDC, we’re constantly evolving our approach to new challenges. That’s how we prevent problems from happening before they start. Our dedicated team of IT professionals is here to help you.
From strategizing a plan to providing multiple lines of defense against hackers, we will ensure your data and private information are safe behind a vanguard of security measures.
To learn more about EDC, visit EDCNOW.com, or to schedule a free consultation on how we can help with your IT needs, call us at 337.235.7741 in Lafayette or 504.322.3622 in New Orleans.