Developing a robust cyber security policy

The number of data breaches reported in recent years shows how many organisations are struggling to address cyber crime. As digital infrastructure in the Gulf region grows, organisations there have consistently struggled to keep pace with the rising threat.

This is a problem that’s occurring across the globe. According to Gemalto’s Breach Level Index, there were 918 data breaches during the first half of 2017 (the most up-to-date figures available at the time of writing), accounting for 1.9 billion breached records.

Investing in new technologies and finding qualified staff will certainly help prevent breaches, but both of these measures hinge on the effectiveness of an organisation’s cyber security policy.

Policies dictate how an organisation approaches security – from the infrastructural measures it puts in place to its employees’ data protection responsibilities.

Cyber security infrastructure

The part of the policy that covers an organisation’s systems and infrastructure should “tell IT and other administrative staff how [to] protect the company’s data (which controls will be used) and who will be responsible for protecting it,” writes software company Malwarebytes. It adds that all cyber security policies should include information on:

  • Which security programs will be implemented. For example, in a layered security environment, endpoints should be protected with antivirus software and firewalls
  • How updates and patches will be applied to limit the attack surface and plug application vulnerabilities. For example, organisations should update browsers, operating systems and other Internet-facing applications at regular intervals
  • How data will be backed up. For example, organisations might choose to automatically back up their data to an encrypted Cloud server protected by multi-factor authentication

Cyber security policies should also identify who issued the policy, who is responsible for maintaining and enforcing it, who will respond to and resolve security incidents, and which users have admin rights.

All of these measures rely on the interaction between an organisation’s employees and its technology and infrastructure. Reinforcing any one of these controls with another reduces the overall security risk and means no single control carries the whole burden.

As Arun Khekar, senior vice president of applications at Oracle Eastern Central Europe, Middle East and Africa, told Gulf News, today’s borderless enterprises – the result of Cloud, mobile and edge technologies such as the Internet of Things – mean there is no such thing as “total security”, so businesses can’t rely on the IT team alone to keep them secure.

But it can be just as dangerous to leave employees to their own devices – literally and figuratively.

Employees and your cyber security policy

No matter how prepared an organisation thinks it is, its employees are always a wildcard. People’s susceptibility to phishing scams, their propensity to expose data, their difficulty in creating strong passwords and other similar weaknesses mean that organisations must help employees follow best practice as much as possible.

“Your cybersecurity policy should clearly communicate best practices for users in order to limit the potential for attacks and ameliorate damage,” advises Malwarebytes.

“They should also allow employees the appropriate degree of freedom they need to be productive. Banning all Internet and social media usage, for example, would certainly help keep your company safe from online attacks but would (obviously) be counterproductive.”

Malwarebytes recommends that organisations have policies addressing:

  • How to spot social engineering threats, such as phishing
  • Acceptable Internet use
  • How remote workers should access the network
  • Requirements for secure passwords
  • How to report security incidents

Organisations should also address what happens when an employee doesn’t follow the policy. If the employee deliberately flouts the rules, the organisation should discipline or dismiss them, but it’s important not to punish someone for inadvertently failing to comply. As cyber security expert William H. Saito writes:

“Making a user who has been compromised feel like the ‘bad guy’ will only exacerbate an already bad situation. It can lead to an environment in which people try to fix issues themselves or, worse, simply hide or ignore them and, most importantly, fail to communicate the incident quickly.”

If an employee is unaware of their cyber security obligations, it indicates that the organisation hasn’t done a good enough job training its staff. Organisations should therefore conduct a training programme or review the effectiveness of their existing programme.

Get help creating your cyber security policy

If you don’t know where to begin when creating a cyber security policy, you should take a look at our ISO 27001 ISMS Documentation Toolkit.

This toolkit provides a template for all the documents you need to comply with ISO 27001, including policies, procedures, work instructions and records.

ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). It requires organisations to address security at the employee level as well as the technical level, for example through the human resource security controls in its Annex A.

Take a free trial of our ISO 27001 ISMS Documentation Toolkit >>
