This article is part of a series exploring the cybercrime threat facing small and mid-size organizations (SMBs), and how such organizations can mitigate their risk of compromise. In Part 2, we explain the need for information security policies and provide tips for their creation.

In Part 1 of our Small Business Cybersecurity blog series, we highlighted the threat landscape which small organizations face, and mentioned a proven method to combat this threat: the “Three Ps” (People, Process, Products). While there are a variety of business processes used to provide cybersecurity, many come in the form of an information security policy. An information security policy can be defined as “a set of policies issued by an organization to ensure that all information technology users within the domain of the organization or its networks comply with rules and guidelines related to the security of the information stored digitally at any point in the network or within the organization’s boundaries of authority.”

Sounds very complicated, doesn’t it? Well, it certainly can be, but it doesn’t have to be. While many will read this and hear “large corporation territory”, it couldn’t be further from the truth. The U.S. Small Business Administration lists establishment of security practices and policies as its #3 cybersecurity tip! So, let’s review why your small business needs an information security policy and how you can create one today.

Part 1 – The Threat Landscape

Why your organization needs an information security policy

Cybersecurity – Plain and simple: official company policies and processes build the safety rails your business needs. You can give someone a car and teach them to drive, but they won’t drive safely without lanes, signs, and laws to follow. As we mentioned in Part 1, cybersecurity isn’t intuitive – strategic thought, documentation, and related training are imperative to data protection.

Control – We also mentioned in Part 1 that data have a dollar value to them. An information security policy emphasizes that the company has ownership of its data assets, and each employee is a steward of those resources (under certain guidelines). The policy (coupled with the right products) keeps organizations in control of their valuable data.

Liability – An information security policy which is governed and enforced company-wide goes a long way in protecting organizations in the event of lawsuit. It’s very easy to think of scenarios like cyber attacks and employee terminations where such measures could impact the liability of your business. “CYA”, as they say.

Productivity – An information security policy could potentially result in added productivity. When employees have a clear view of what they can and can’t do with company data and assets, they can do their job more swiftly, more confidently, and with less trepidation about “getting in trouble”.

Something is better than nothing

The best is the enemy of the good – Voltaire’s famous proverb is quite relevant when creating an information security policy for a small organization. Not knowing how to create the water-tight, comprehensive policy for the handling of data can scare you into apathy and avoidance of the issue entirely. Remember, even having a basic information security policy will reduce risk of compromise (so long as you communicate and enforce it). Start with a basic policy, knowing that it will/should be a living, evolving document. Technology advancements or market changes could make a perfect policy today outmoded in three years anyway.

Don’t re-invent the wheel – Realize that your business is not the first to create an information security policy for your size, industry, or location. There are many publicly available stock-policies which can be used for general inspiration or tailored as your own policy. One great example comes from The SANS Institute, which provides a myriad of policy templates for businesses like yours to use and reference.

Who should be involved in creating?

Don’t outsource policy creation to IT – While it may seem logical and convenient to put this in the lap of your IT department or partner, we advise against this path. Undoubtedly, IT must be involved in the creation of an information security policy, as 1. there are certain policy fundamentals which are considered mainstream for any network, and 2. IT will likely be key in enforcement.

However, executive leadership is ultimately responsible for company information and should take the lead on policy creation. An information security policy should be in-line with the organization’s strategic objectives, core values, and mission – executive management is the only department able to take on such a task.

Top/down flow – On that point, the ideal creation process would involve executive management determining its top priorities and restrictions for information security, then reaching out to department heads, IT resources, and relevant key vendors to add, refine, and complete the policy. This top-down approach develops an initial core, which can be expanded when necessary and achieves whole-company buy-in.

Buy-in from the top is the sure way to success – “Do as I say, not as I do” is a great way to kill the effectiveness of an information security policy. Process is very important to cybersecurity, and employees will take note of management apathy and negligence in their own work-practices. Preach and practice your policy across the board.

Suggested categories to cover in policy

Data/systems access – It is painful to watch organizations deploy a file-share on their network (containing its most precious data) and give every employee “admin-level” access. Imagine treating access to company bank accounts, credit cards, and tax information in this manner. Small businesses need to categorize systems and data according to sensitivity and then provide each employee-type “need-to-know” capability to read, edit, move, or share data.

For example, start by simply categorizing your systems and data into three basic categories: public, private, and sensitive (some orgs. like Harvard University have 5 levels). From there, assign employees access to their needed systems and data with read-only, edit/move, or unconstrained credentials (this must be facilitated via proper tools and settings). Employee access rights can be organized by department or work role and are a key aspect of cybersecurity (limited access = reduced risk).

Daily cyber hygiene – Beyond the basics of who can access what, an information security policy should document daily best practices and restrictions for employees, such as:

  • Acceptable use: How can/can’t employees use company assets e.g., can they take their computers home? Should they shut down or lock their computers before leaving office?
  • Internet, browsing: What sites can employees visit while on company networks or company devices e.g., can they view social media sites or online shopping?
  • Password: What password creation, change, storage, and sharing standards are there for which employees must retain compliance e.g., how many characters must local domain password be?
  • Email: How may company email be used regarding data, communications, accounts e.g., can you send personal correspondence on a limited basis? What data cannot be sent via email?

Creating standards for daily cyber hygiene within the information security policy will give employees clarity on how they should safely perform their role and the ramifications of policy noncompliance.

Reporting procedures – What do your employees do when they spot an attempted cyber attack, policy violation, or a full-on breach? The information security policy should give employees simple directions on what to do, who to tell, and how to document. Some small organizations may want to immediately send all “cybercrime-looking-things” to IT resources, but this is not always the best approach – serious consideration is needed here. Moreover, a well-documented reporting procedure could both prevent and mitigate the damage of breaches.

Remediation – This process is tightly connected to the reporting process and is usually covered via a disaster recovery or security response plan. This is where IT is heavily involved; nevertheless, employees need documented guidance on their role and expectation during these processes. We’ll cover this more thoroughly in Part 5 of the series.

Get started, work smarter and safer

Overall, creating an information security process is the most cumbersome of the “three-legged stool” of cybersecurity. It would seem much easier to buy “set it, forget it” equipment or host a one-time staff training. However, having a well-planned and enforced security policy is arguably the most important step, and greatly contributes to the people and products initiatives.

Taking some time to create your policy will achieve greater cybersecurity, control of assets, reduced liability, and improved staff productivity. Start yours today by getting together with top management (remember buy-in at the top is key) and categorizing your systems and data according to sensitivity and importance.

Should you want advisement in tackling this challenge, please consider reaching out to our consulting team. Progressive Technology helps organizations of various industries implement and enforce information security policies tailored for need and industry regulations. Now that we’ve covered the need for information security policies (and how to create them), we’ll explore the products needed for business-grade cybersecurity next.
In the meantime, please check out our YouTube cybersecurity best practices video on data access.