Adequately defending your organization and its digital processes heavily relies on building a robust infrastructure of preventative security measures.
Limiting user permissions, securing Wi-Fi connectivity, encrypting data, properly disposing of dated devices, and other key processes are vital functions of your cybersecurity strategy and implementation team. A lack of preventative measures leaves your data up for grabs, and no matter how different one enterprise is from the next… no one wants that!
Below are two ways you can empower your employees to help defend your business from cyberattacks and breaches:
Create security policies and procedures for digital use
Develop an employee training program
Creating Digital Security Policies and Procedures
What Should They Address?
Policies on internet use and digital processes should not only protect your organization, but also its most valuable asset… your employees. This is achievable by building your cybersecurity strategy from policies and accompanying procedures that reduce the risk of intrusion, and the exposure created, as employees use your organization’s digital assets.
Well-designed cybersecurity strategies contain policies that address four things:
- The information you care about
- Why the information needs to be protected
- Who is responsible for implementing and enforcing the policy and procedures
- To whom the policy applies
Let’s begin with (1) the information you care about and (2) why the information needs to be protected… We recently discussed how to identify your organization’s vulnerability to cyberthreats; refer back to that post if you need a refresher. The pieces of data that your organization receives, sends, or otherwise handles make up the “information you care about.” Naturally, the value you determined each piece of information to have indicates just how much you care about it.
It’s the value you determined the information to have that leads you to why the information needs to be protected. Specifically, these three questions highlight the repercussions of the information being disclosed, altered, or made unavailable (the classic confidentiality, integrity, and availability concerns):
- What would take place if this information were released to the public?
- If this information was modified or communicated incorrectly, what further implications could occur?
- What would happen should my customers or staff be unable to access this data?
The value of a piece of information, coupled with the consequences to your bottom line should it be leaked, tampered with, or lost, gives you the reasoning for protecting it.
Now let’s determine who will be (3) implementing and policing your policy and procedures. While it makes sense for your cybersecurity team—often those in IT and/or security departments—to retain most of the responsibility, organizations may structure this differently based on size and how they operate. Smaller companies may want to place most of the accountability on one or a few designated employees, while larger organizations may lean on middle management and/or supervisors to assume some accountability for themselves and their teams.
And finally, we recommend your (4) policy and procedures apply to your entire organization. It’s possible that the applicability or format of certain policies and procedures will vary depending on department or occupation. For example, if a policy reads, “Employees may not use any other user account other than the one assigned,” IT teams may require exceptions when physically or remotely troubleshooting an employee’s user account.
When deciding which policies should apply to whom, look at the needs of your organization and determine what makes practical sense. This is a prime time to brainstorm all possible scenarios and determine if and when exceptions are needed. Permitted exceptions should be explicitly stated in your policy, or stated elsewhere and referenced in your policy, and the activity carried out under an exception (such as an administrator working in another user’s account) should be logged so it can be reviewed later.
How to Draft Specific Policies and Procedures
Now that we’ve covered what your policy should address, you can begin drafting specific policies and accompanying procedures.
When crafting policy statements, consider aspects of your cybersecurity strategy checklist, such as handling of passwords, user permissions, Wi-Fi use, disposing of old technology, etc. Additional policy topics will likely include:
- Acceptable internet use
- Acceptable device and machine use
- Physical security of devices and machines
- Contingency planning
- Location and placement of hardware
Some examples of well written digital policy statements:
- All employee personnel data will be protected from viewing or changing by unauthorized persons.
- All computer users will have their own account and password.
- Passwords are not to be shared with anyone.
- All computer users will read and sign an access and use agreement.
- Information Types A, B, C, D, E, and F will be backed up regularly in accordance with their determined priority/criticality.
- No external downloads are permitted on organization computers or devices.
We keep mentioning procedures… Procedures are the specific steps or actions individuals must follow to remain compliant with a given policy. Procedures should be specific, but not overly descriptive. Well written procedures are clear, concise, and easily applied to the scenarios they cover. Here’s an example of procedures that could support the policy, “All computer users will have their own account and password:”
- Supervisor or other applicable employee requests employee user account creation for new employee;
- System administrator creates new account with unique username and applicable identifiers;
- System administrator assigns a temporary password to new account;
- System administrator notifies the new user of the unique account username and temporary password;
- New employee logs into his/her account and is prompted to immediately change the password;
- System administrator reviews all user accounts monthly.
Notice how the procedure is sequential… this helps employees and management develop a process or flow to meeting a stated expectation.
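As an added example (this is not code from the original article), here is the six-step procedure above modelled in Python: the administrator provisions an account with a random temporary password, the first login is only allowed to set a new password, and the monthly review flags accounts that never activated or have gone quiet. The in-memory `directory` dictionary, the helper names, the 7-day activation window, and the 30-day review window are assumptions made for illustration.

```python
"""Account provisioning with a forced first-login password change.

Added example modelling the article's procedure; the `directory` dict,
the helper names and the 7-/30-day windows are assumptions for illustration.
"""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta
from typing import Optional

PBKDF2_ROUNDS = 600_000              # PBKDF2-HMAC-SHA256 work factor
ACTIVATION_WINDOW = timedelta(days=7)  # assumed: temp password must be replaced within a week
REVIEW_WINDOW = timedelta(days=30)     # assumed: "reviews all user accounts monthly"


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2 digest; the directory never stores the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing via timing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def provision_account(directory: dict, username: str, now: datetime) -> str:
    """Steps 2-4: create a unique account and hand back the temporary password."""
    if username in directory:
        raise ValueError(f"username {username!r} already exists; accounts must be unique")
    temp_password = secrets.token_urlsafe(12)  # 96 random bits, not a predictable default
    salt, digest = hash_password(temp_password)
    directory[username] = {
        "salt": salt,
        "digest": digest,
        "must_change_password": True,  # step 5: forced change on first login
        "created": now,
        "last_login": None,
    }
    return temp_password


def login(directory: dict, username: str, password: str,
          new_password: Optional[str], now: datetime) -> str:
    """Step 5: a temporary password only buys the right to choose a real one."""
    account = directory.get(username)
    if account is None or not verify_password(password, account["salt"], account["digest"]):
        return "denied"
    if account["must_change_password"]:
        if not new_password or new_password == password:
            return "password-change-required"
        account["salt"], account["digest"] = hash_password(new_password)
        account["must_change_password"] = False
    account["last_login"] = now
    return "ok"


def monthly_review(directory: dict, now: datetime) -> dict:
    """Step 6: flag accounts still sitting on a temporary password past the
    activation window, and accounts with no login inside the review window."""
    never_activated, inactive = [], []
    for username, account in directory.items():
        if account["must_change_password"] and now - account["created"] > ACTIVATION_WINDOW:
            never_activated.append(username)
        last_seen = account["last_login"] or account["created"]
        if now - last_seen > REVIEW_WINDOW:
            inactive.append(username)
    return {"never_activated": sorted(never_activated), "inactive": sorted(inactive)}
```

The two review lists are the part most teams forget: an account that was provisioned but never activated still has a temporary password somebody was told over email or chat, so it should be disabled, not left waiting. On a Linux host the same workflow is usually a `useradd` followed by `chage -d 0 <user>` (or `passwd -e <user>`), which forces the change at first login; in a directory service it is the equivalent "user must change password at next logon" flag.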
Creating a Cybersecurity Employee Training Program
So, you have a well-structured set of policies and procedures that navigate an employee’s permissible cyber activity with absolute precision… but how do you ensure your team is knowledgeable of them?
The on-boarding process for new employees is when we recommend incorporating initial cybersecurity training. Any time employees use systems, devices, or machines without proper training, you’re placing your data at risk. Because it’s recommended that no employee be allowed access to digital equipment prior to proper training, completing the training within the first week or two of employment is logical and practical.
The best training programs are catered to the individualized needs of an organization. Below are a few universal elements that can help any organization or industry generate successful training experiences:
- Limit training sessions to a 60-90 minute time frame. Do not try to lump multiple trainings together for hours on end, and build a 10-15 minute break into each session.
- Ensure the instructors have “bought in” to the concepts they’re teaching. Don’t put the employee who never locks his computer, or who has been known to write her passwords down on sticky-notes, in charge of security training. If their mantra would include “do as I say, not as I do…” look elsewhere.
- Provide reasoning for policies, procedures and examples of what can happen if they’re not followed. Employees are far more likely to adhere to expectations if they understand why they’re in place and are given examples of what can happen if the policy were not in place or not followed.
- Utilize different techniques. Various presentation styles, pair or small-group activities, group discussions, workbooks, quizzes… all are helpful in promoting attention to trainings and retention of information.
- Document employee commitment. It’s difficult for employees to claim they were unaware of a policy or procedure if their written signature—or eSignature 😉—is on a document stating they understand and agree to follow the policy. Completion of cyber training should be contingent on employees affirming and agreeing to all cybersecurity policies.
Continuing cyber education should be required for all employees; this may involve online courses, in-person training, or a combination. The digital realm is rapidly evolving, and your employees will need refreshers and updates throughout their employment tenure. Consider requiring all employees to complete a minimum of two continuing cybersecurity education courses per year.
A well composed, strategic, and purposeful cyber policy coupled with an effective training program for employees is key in rounding out phase two of your cybersecurity strategy. You may find that some of our suggestions do not completely align with the way your business functions. For example, if your organization currently has two employees with no immediate plans for growth, you may not develop as comprehensive a policy and training structure as an organization with 30+ employees. Nevertheless, all organizations, regardless of size, should have a concrete cybersecurity policy and training that aligns with current needs.