Even in a time of tremendous publicity surrounding recent security breaches, many businesses do not take the time to formulate an IT security policy and disseminate it to their employees. Perhaps local business owners think they are too small to be hacked, or maybe overworked IT managers simply can’t find the time.
Whatever the reason, an IT security policy that protects the company from both internal and external threats is necessary for every business. Small and medium businesses are at risk; over half of all small and midsize businesses have been hacked, according to recent research by specialty insurer Hartford Steam Boiler, and nearly three-fourths of those businesses weren’t able to recover all the lost data.
What to Include in an IT Security Policy
- Procedures for collection, use, storage and destruction of data
- Information on creating and maintaining secure passwords
- Information about company policy on accessing objectionable internet content and the security risks associated with that content
- Explanation of the appropriate uses of social networking for your particular business
- Education about phishing, worms, viruses, and other external threats to which employees are almost certain to be exposed
- Appropriate use of business software and systems, including those taken off premises, such as company laptops, tablets, cell phones, and removable media such as USB storage devices
- Consequences for employees who fail to comply with the policy; however, make it clear that the intent of the policy is to enlist the help of everyone in the organization in protecting the company from a security breach
Tips for Implementing the IT Security Policy
- If your company is subject to regulatory compliance regarding data security, integrate those requirements into your own policy; use the regulatory requirements as a framework and fill in the gaps.
- Learn the state laws that govern your liability for customer data and similar information, and decide in advance how you will respond if a breach occurs in spite of your efforts. Writing breach-notification deadlines into the policy, for example, could help your company avoid expensive fines.
- Educate your employees about the IT security policy during a mandatory training session after adoption and for new hires. Provide a refresher after the annual audit and notify the staff of any updates.
- When you train your team members on the policy, offer specific scenarios that will help them understand your company’s particular areas of vulnerability. For example, if your organization does business with big brands, it could be seen as a gateway into those larger partners. News articles and YouTube videos can help you provide relevant examples that illustrate the importance of following the policy.
- You may want to give team members a short quiz at the end of the training so you can address any areas of confusion. Employees should read and sign the policy at the conclusion of the training session.
- Keep in mind that everyone in your organization should be able to understand and follow the IT security policy. If a technical team member writes it, have non-technical stakeholders review it before it is distributed to all employees.
- An attorney should also review the IT security policy to provide feedback to the business on liability concerns and other legal issues.
- Schedule an annual internal audit of your company’s IT security policy to ensure compliance throughout the year, bring the policy itself up-to-date on a regular basis, and review policy changes with team members.
Creating an IT security policy can also help a business identify areas in which it is inadequately protected or unprotected. The organization can then pursue appropriate measures to minimize risk and liability.
If you have concerns about your organization’s IT security policy, contact us for assistance.