Dan is a 20 year veteran of the ICT industry working for global and local vendors in bringing new and innovative technologies to market in the ANZ region. During his career, Dan has been passionate about bringing a local voice and insights to global technology challenges. As the Editor of GetCyberResilient.com Dan casts a keen eye across the hot topics, trends and pulse of local security practitioners to curate stories from near and far that are most impactful in addressing our evolving risks.
Making a resilient cybersecurity policy for an uncertain world
Cybersecurity is a business-critical issue.
It affects everyone in a company’s ecosystem, from senior leadership down to the interns, and any slip-ups at any point in a company can quickly become a massive (and expensive) security crisis.
That’s why having a company-wide cybersecurity policy that explains each person's responsibilities for protecting IT systems and data is so important. Your cybersecurity policy can be the only thing standing between you and the massive reputational, legal and financial fallout of a data breach.
Highly regulated sectors like government, healthcare, finance, or insurance have very strict data policies to abide by, and companies in those sectors can face heavy penalties if they are found at fault in a cyber incident. But what about smaller organisations, or companies in other sectors?
If you manage a small company in an unregulated sector, you may think you don’t need an ‘official’ cyber policy. You’re just using a few computers and a few smartphones, right? But if you think about it, your company probably already handles confidential customer and employee data. If there is a data breach, how can you demonstrate you followed security procedures when you don’t have them in writing? Claiming insurance, or even proving your company was not legally at fault, can be a nightmare if you don’t have a cyber policy to prove there was no negligence on your part. As a smaller company, you also have a lot more to lose in terms of reputation and customer trust.
Customers, partners, shareholders, and prospective employees all want evidence that any organisation they are involved with can protect sensitive data. Having a policy that is not just documented, but actively practiced, builds a lot of credibility for those who interact with your company.
The anatomy of a cybersecurity policy
Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organisation. Your stakeholders could include external consultants, freelancers, IT staff, financial staff, etc. This is the “people” section of the policy, and covers “roles and responsibilities” or “information responsibility and accountability”.
Next, your policy will need to cover IT usage (hardware) and the day-to-day digital tasks (software) in your company. You’ll need policies for devices, laptops, computers, antivirus software, cloud applications, remote access, WiFi, password protection, email, and digital signatures.
A good way to start is to prioritise the areas of primary importance to your organisation, the ‘mission-critical’ areas of your operations, so to speak. That might mean setting security standards for your most sensitive data, or procedures to follow in case of a breach. This is where a risk analysis can be handy in highlighting the areas your policy should focus on.
Your policy should also define the roles and responsibilities of your staff in maintaining cybersecurity. Human error is the single biggest cause of data breaches, so make sure your people understand what’s at stake. That means everyone needs to understand the policy and follow it. You’ll also need to make sure they are trained and equipped to put those rules into practice.
Who should write your cybersecurity policy
Since the policy covers the entire organisation, you’ll need voices from every department to make it usable. Usually, the Head of IT, CIO or CISO is primarily responsible for all information security policies. For some companies, it may make more sense to enlist the help of an external IT provider or consultant to help craft a practical cybersecurity policy. But whether doing it in-house or outsourcing, your policy team will need to involve and collaborate with other stakeholders to get it right.
- The C-suite. They can help define the key business needs for security, provide support and lead by example. After all, there’s no point in creating a policy that won’t be put into practice.
- The IT team. The IT boys and girls are the ones managing the security and have the biggest stake in cyber operations, so naturally they’ll be leading the policy development process.
- The legal department. They’ll be able to ensure that the policy meets legal requirements and complies with government regulations.
- The HR department. Since awareness training and enforcing the rules fall under their remit, their input can help craft a policy that all employees can follow.
- Department heads. They’re the ones who’ll be able to best judge the effects a policy will have on their function, so taking their input on board is essential.
- Procurement. They’re the ones vetting external vendors, suppliers and partners, so they can make sure any external parties are fully compliant with your company’s cyber policy.
- Board members. Reviewing and approving policies is part of their responsibilities. Their degree of involvement can vary, but it’s likely you’ll need their sign-off to make the policy official.
Keeping it up-to-date
Technology and cybersecurity practices change quickly, so make sure to schedule an annual review and update process with key stakeholders. This review is a good time to compare the policy's guidelines with the actual practices in the organisation, and find out what’s working and what isn’t.
Your audit should have the following key goals:
- Compare your cybersecurity policy to actual practice
- Assess any internal security risks
- Assess any external security threats
- Review your response plan
Nothing is worse than trying to review your response plan right in the middle of a cyber incident. Keep testing your policy and response plan regularly. Scenario-based testing, penetration tests, attack simulations and desktop drills will help everyone involved stay prepared for any critical incident.
Creating a policy can seem challenging. And it is. There’s a lot of work that needs to be done up front before you have a usable policy, and aligning different stakeholders is never an easy task. But it’s no longer optional. If you ever find yourself at the pointy end of a data breach or cyber incident, you (and your legal team) will be extremely glad you had the foresight to make one.