Imagine your company’s data has been breached, including sensitive customer information. Did you do everything in your power to prevent such an attack? If not, you could (and most likely will) end up on the wrong side of the law and be required to pay hefty fines, depending on the scope of the breach.
Data breaches come in many shapes and sizes: ransomware, data-stealing malware, physical theft of devices or records, or outright exposure of a customer database. It’s not a matter of if your business will suffer a data breach at some point, it’s a matter of when. Practical technical measures such as firewalls, antivirus, and timely software updates are necessary, but on their own they are not enough. Unfortunately, the security practices of many businesses have not kept pace with how they actually use technology. To protect your business you also need an information security policy.
Why do you need an Information Security Policy?
It is critical to have written policies and procedures in place that thoroughly explain how information is used, accessed, transmitted, and stored. Employees should understand how they are allowed to use technology and the internet, and a written policy outlines this. Just as important, written policies help demonstrate due diligence: in the event of a breach, they show regulators and investigators what measures you had in place and that you were taking reasonable steps to protect your customers’ data.
A security policy sets out how your company practices data security day to day. It lets staff members know what are proper and improper uses of data, and it gives IT staff a clear basis for implementing and enforcing security controls. An information security policy lets everyone who works for your business understand the importance of securing private information and gives them practical procedures for doing so.
In addition, some third-party organizations that work with you (such as auditors, vendors, partners, and investors) require you to have a written information security policy. These organizations have a stake in your security and will want to know what you are doing to keep data safe. Lastly, compliance frameworks such as HIPAA and PCI DSS require documented security policies and procedures, so a written policy is a prerequisite for passing those assessments.
What should the policy include?
A security policy typically starts with an overview giving background on what the policy addresses, followed by a purpose statement explaining why the policy exists, and then a scope and target audience section stating who and what the policy covers.
After that come the individual policies themselves, which make up the main portion of the document. Several policies are essential to all businesses: acceptable use of company technology, authentication (passwords and account rules), data backup, network access, network security, incident response, email, and access to confidential data. Important but less commonly included policies cover encryption, guest access, mobile devices, remote access, and the physical security of data.
No matter which policies are included, it is important that the document is written in plain English, not technical jargon. All employees of the company need to be able to read and understand it so they can actually follow the rules. The document should be no longer than necessary, and its rules should be reasonable enough to follow in daily work. The goal is a policy that employees can use, rather than one that only makes your company appear secure on paper.
Implementing your policy
It’s not enough to create a document and let it sit in a binder on the shelf; the policy has to be put into practice. Current and new employees should read the policy and sign that they understand and agree to its contents. To make sure staff understand it, hold regular training built around real-life examples. Training should be relevant and practical, so that employees take part in building a culture of security in the workplace rather than feeling that data security isn’t their problem.
Employee negligence is cited as the cause of around 30% of data breaches, making it the leading single cause of data loss. Trained, engaged, and knowledgeable employees who follow your company’s information security policy reduce your business’s exposure to data breaches, malware, phishing emails, ransomware, and more.
How to get started
There’s no single right way to develop an information security policy. The most important thing is that the policy is easy for your organization to access, use, and amend, and that it is practical and implementable. A policy written for one business will not work for a different business: what matters is a tailor-made, detailed policy that is specific to the way you run your business. The best way to go about this is to hire a company experienced in writing these types of documents.
Trying to create the policy yourself from online resources is possible, but it takes considerable time and will probably result in an information security policy that is a poor fit for your business.
The good news is that there is someone right around the corner who can write your information security policy: catmandu! To get started on the path towards security and compliance, contact us.