This is part of a two-part series on the essential elements of a business IT security policy. Last week we covered the growing digital security risks that small and medium-sized businesses face, why a security plan is necessary, and three things to consider before drafting your IT security policy.
Written clearly, a security policy reduces the likelihood of a breach and limits the damage when one does occur. The payoff is higher productivity, less network downtime, and the ability to assure customers that their personal and financial information is safe in your hands. At larger companies these policies are written by information technology managers. At many SMBs the task falls to general managers, and it can be overwhelming to someone without an IT manager's experience.
For the best results, we recommend drafting the policy together with your in-house IT team and a managed IT service provider. To help you get started, here are six important areas every security policy should address.
Define acceptable use
Misuse of company devices, accounts and data is common and can open gaps in security across the board. To combat this, companies adopt acceptable use policies. Be plain about what you expect of employees and managers: spell out in detail what is allowed, what is not allowed, and what the consequences of a violation are.
Set password guidelines
Password guidelines ensure that employees choose strong logins and passwords, which keeps unauthorized users out of your data. Some companies assign passwords to individuals; others let employees create their own within specific parameters, such as a minimum length, no reuse of previous passwords, and no sharing between users. Whichever approach you choose, the policy should also tell employees what to do if they suspect a password has been compromised. Password security needs to be thoroughly explained and trained, because stolen and guessed passwords are one of the most common ways a business is breached.
Explain the real world
Real-world scenarios help employees see their own role in the security plan, recognize an incident when it happens, and respond faster. Describe the different types of breaches and give an example of each. Identify common employee behavior that creates risk and address it directly in the policy. For example, if you know employees copy files from their personal devices onto their work computers, explain the threat this poses and specify an approved alternative, such as a company-sanctioned file transfer service or a company-issued flash drive that is scanned before use.
Have a plan
Attacks happen, and your security may be breached. Having a plan for the scenarios that could affect your network puts you in a proactive stance: if and when disaster strikes, every employee knows their responsibilities and can act quickly to protect sensitive information. Appoint a response team, or a single employee, responsible for carrying out these recovery procedures. That team handles internal communication and coordination, works with any outside agencies that need to be involved, and gets the organization back on track quickly and smoothly, along with the other tasks the disruption creates.
Specify training
The policy should state what security training will take place and how often. Training must be ongoing so that it keeps up with current technology and threats. Some companies opt for a yearly refresher, while others have employees repeat the complete training every three years. The right cadence depends on your company, its turnover, and how much your network security relies on employee behavior. The most effective training uses interactive computer modules or other visual material, followed by a quiz with a required minimum score.
Spell out consequences
Employees should be clear on what is expected of them and what happens if they do not follow the security policy. During onboarding, require each new hire to sign a statement of understanding acknowledging the policy; this reinforces compliance and makes clear that the employee is accountable for following it. The consequences should cover multiple levels of noncompliance, from an unintentional breach, to a willful violation of policy, to a malicious act such as data theft.
With a robust security policy, you can protect your business against avoidable threats and liabilities, recover more quickly after disaster strikes, and train employees to help keep the business secure.
Concerned about your IT security? Milner's managed network services team conducts free network assessments that look at security, infrastructure and your organization's plans for growth. Our managed IT services team is made up of more than twenty experts who can help you identify potential threats, strengthen your network security and monitor your systems around the clock. Contact us today at 800-875-5042.