Yesterday, I told you that small businesses (less than 250 employees) suffered 31 percent of last year’s cyberattacks. What can you do to best protect your business (of any size) to repel an attack? Let me introduce you to the Data Security Policy, an essential component of any employee handbook now, and likely forever.
What should an effective Data Security Policy contain? Consider 1) consulting with a knowledgeable cybersecurity attorney; and 2) including these 10 components (c/o me, Travelers, and the U.S. Small Business Association):
- Safeguard Data Privacy: Employees must understand that your privacy policy is a pledge to your customers/vendors/etc. that you and they will protect their information. Employees should only use data in ways that will keep customer identity and the confidentiality of information secure.
- Establish Password Management: A policy mandating complex passwords, changed regularly, is required for any workers who will access corporate resources.
- Consider Two-Factor Authentication: Consider requiring multi-factor authentication that requires additional information (i.e., an additional pass-code delivered to a designated secondary device) beyond a password to gain entry.
- Govern Internet Usage: Each organization must decide how employees can and should access the internet, which balances employee productivity against corporate security concerns.
- Manage Email Usage: Many data breaches result from employee misuse of email, which results in the loss/theft of data or the accidental downloading of viruses, malware, or ransomware. You need standards on the use of emails, message content, encryption, and file retention. Moreover, do not forget to train your employees on how to detect and deflect phishing attempts.
- Govern and Manage Company-Owned Mobile Devices: Organizations that provide mobile devices for employee use need a formal process to help ensure that any use is secure. A good starting point? Requiring the same password protection as non-mobile devices, and a mobile device management infrastructure that lets you remote wipe a device if it’s lost or stolen.
- Establish an Approval Process for Employee-Owned Mobile Devices: Ownership of smartphones has reached a critical mass. A “Bring Your Own Device” program is no longer an option, but should be required. If employees are going to bring personal devices into the workplace, and use them to connect to your network, you need to deploy reasonable policies to govern their use and protect your network and security, instead of ignoring the issue or instituting prohibitions that employees will ignore anyway.
- Govern Social Media: All users of social media need to be aware of the risks associated with social media. Social media presents a real risk of corporate breaches of confidentiality. It is easy to tell your employees, “Think before you click.” Yet, 76 percent of the Inc. 500 lack a social media policy for their employees, and 73 percent of all employers conduct no social media training. If you aren’t educating your employees about the risks and benefits of social media, both in and out of the workplace, you are not only missing a golden opportunity, but you also leaving yourself exposed to breaches of confidentiality and other snafus.
- Oversee Software Copyright and Licensing: Software usage agreements oblige organizations to adhere to their terms, and you should make employees aware of any software use restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company (some of which could expose the company to viruses, malware, or ransomware).
- Report Security Incidents: Finally, all of the above goes out the window if your employees do not know and understand when and how to report a security breach, and how and when to report malicious viruses, malware, or ransomware in the event it is inadvertently imported. All employees must know how to report security incidents and what to do to mitigate any damage.
As is the case with any policy, a Data Security Policy will not be worth the paper on which it’s written if you don’t train your employees on what it means and how it operates in practice. Data breaches are not an if issue, but a when issue. You will be breached; the only question is when it will occur. While you cannot prevent a data breach from occurring, you can and should train your employees to sure up any knowledge gaps that further opens the risk they inadvertently pose.