April 28, 2017
Legal  |  6 min read

Do Your Company Policies Protect You in Cyberspace?

Ron Smith

Every company, regardless of size, should develop and maintain strong policies for critical data and sensitive client information. Companies need to not only protect their assets and reputation but also discourage inappropriate or malicious behavior.

Establishing policies and procedures is one of the most effective and inexpensive ways of averting cybersecurity crimes. However, many companies fail to put policies into place or adhere to them. The Ponemon Institute revealed in its 2016 report, “Security Beyond the Traditional Perimeter,” that 79 percent of all companies that responded to its survey had cybersecurity policies and procedures that are non-existent, partially deployed, or inconsistently deployed.

While these documents in and of themselves do not prevent cybercrime, they are an important step in the right direction. They assist in raising awareness and identify what needs to be done when cybercrime occurs.

Policy and procedure action items

Identifying the right information to put into a policy or procedure can be daunting, especially when it is something that is unfamiliar and not directly related to your core business.

Here are fundamental elements that should be included in any good policy and procedure document:

1. Establish clear roles and responsibilities

A key to preventing serious cybersecurity incidents is to establish a policy that clearly defines individual roles and responsibilities with respect to systems and the information they contain. This includes the following:

  • The necessary roles and the rights and limitations according to each role
  • The employees or type of employee who should be allowed to assume each role
  • If an employee holds multiple roles, the circumstances that define when to adopt one role over the other

There may also be a need to create a separate policy to govern responsibility for certain types of data. This data may include types such as Personally Identifiable Information (PII) and credit card information.

2. Establish an employee internet usage policy

This policy should outline limits on employee internet usage in the workplace. This can vary widely from business to business; however, the guidelines should include the degree of freedom employees have to surf the web or perform personal tasks. These rules are necessary to ensure that employees are aware of the boundaries to keep both them and your business safe and successful.

Some things to consider when developing this policy:

  • Limiting surfing to a reasonable amount of time and to certain types of activities
  • If web monitoring is in use, employees should have a clear understanding of how and why their activities are being monitored. This helps to gain acceptance and raises awareness of what sites are considered out of bounds by the policy.
  • Rules and guidelines need to be clear, succinct, and easy to follow. Employees should feel at ease when performing both job-related and personal tasks without having to ask or make a judgment call regarding what’s appropriate.

3. Establish a social media policy

Social media sites and applications present risks that can be difficult to address, especially when your company uses them to promote the business and communicate with customers.

Your social media policy, at a minimum, should include the following:

  • Specific guidelines on disclosure of company information that could create risk for the company
  • Guidance for acceptable customer communication. This includes replies to inquiries, responding to posts, or participating in discussion topics.
  • Guidance on using a company email address to register or get notifications from social media sites
  • Guidance on using strong passwords, since few sites enforce strong authentication policies for users. This should include guidelines on the reuse of passwords between sites.
  • Guidance on mobile device use

All users of social media need to be aware of the risks associated with its use and the nature of data that can be disclosed online when using social media. Taking the time to educate your employees on the possible dangers of social media use is one of the most effective tools in keeping your business safe.

4. Establish clearly defined procedures for handling events

In the event that a cybercrime or policy violation occurs, clear and concise procedures for handling each type of occurrence are critical to mitigating potential threats or damage to your business and subsequently recovering from them.

This procedure should include the following information:

  • Establish a recovery team. This team has the authority and resources to directly address a cybersecurity incident.
  • Specific recovery activities including system recovery, application restoration details, or methods to activate alternate means of keeping your business going
  • Specific disciplinary actions that may be taken when employee violations occur
  • Specific details on when legal action is to be taken

In conclusion

A clear and easy-to-understand policy and procedure document can be a great tool in protecting your business, employees, and customers. It should also be a living document, regularly reviewed and updated to address the growth of your company, evolving threats, and infrastructure. Finally, it should be regularly shared with your employees to gain buy-in and understanding of their specific role in keeping your business successful.

Ron Smith is an Infusionsoft Sr. Quality/Security Engineer. Having served in the USAF as a security specialist, he became passionate about security. During his 20-year career, he has worked for very large companies such as Microsoft, Intel, and Pearson, but his love for small business carried him to Infusionsoft. He is also the father of five boys and an avid Harley Davidson rider and home brewer.