How to develop a robust cybersecurity policy

The number of data breaches over the past few years shows just how many organizations are struggling to address the rapid rise in cybercrime. According to Gemalto’s Breach Level Index, there were 918 data breaches during the first half of 2017, with 801 occurring in the US.

Investing in new technologies and finding qualified staff will certainly help prevent breaches, but both of these measures hinge on the effectiveness of an organization’s cybersecurity policy.

Policies dictate how an organization approaches security – from the infrastructural measures it puts in place to its employees’ data protection responsibilities.

Cybersecurity infrastructure

An organization’s systems and infrastructure “tell IT and other administrative staff how [to] protect the company’s data (which controls will be used) and who will be responsible for protecting it,” writes software company Malwarebytes. It adds that all cybersecurity policies should include information on:

  • Which security programs will be implemented. For example, in a layered security environment, endpoints should be protected with antivirus software and firewalls
  • How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organizations should update browsers, operating systems, and other Internet-facing applications at regular intervals
  • How data will be backed up. For example, organizations might choose to automatically back up their data to an encrypted cloud server protected by multi-factor authentication

Cybersecurity policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents, and which users have admin rights.

Employees and your cybersecurity policy

No matter how prepared an organization thinks it is, its employees will always be a wildcard. People’s susceptibility to phishing scams, their propensity to expose data, their inability to create safe passwords, and other similar weaknesses mean that organizations must help employees follow best practice as much as possible.

“Your cybersecurity policy should clearly communicate best practices for users in order to limit the potential for attacks and ameliorate damage,” advises Malwarebytes.

“They should also allow employees the appropriate degree of freedom they need to be productive. Banning all Internet and social media usage, for example, would certainly help keep your company safe from online attacks but would (obviously) be counterproductive.”

Malwarebytes recommends that organizations have policies addressing:

  • How to spot social engineering threats, such as phishing
  • Acceptable Internet use
  • How remote workers should access the network
  • Requirements for secure passwords
  • How to report security incidents

Organizations should also address what happens when an employee doesn’t follow protocol. If the employee deliberately flouted the rules, the organization should discipline or fire them, but it’s important not to punish someone for inadvertently failing to comply. As cybersecurity expert William H. Saito writes:

“Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation. It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.”

If an employee is unaware of their cybersecurity requirements, it indicates that the organization hasn’t done a good enough job training its staff. Organizations should therefore conduct a training program or review the effectiveness of their existing program.

Get help creating your cybersecurity policy

If you don’t know where to begin when creating a cybersecurity policy, you should take a look at our ISO 27001 Cybersecurity Documentation Toolkit.

This toolkit provides templates for all the documents you need to comply with ISO 27001, including policies, procedures, work instructions, and records.

The templates are also aligned with NIST SP 800-52 and the New York Department of Financial Services Cybersecurity Requirements.