There are three things that protect an organisation from cybercrime and data loss – education, products and services, and security policies. Without any one of these, especially proactive security policies, you leave yourself vulnerable to getting a virus, or even worse, your company data compromised.
Today a business without security policies is a business without direction or guidance on what to do with company or customer data. Once a cybercriminal has access to any of this data they can use it for phishing, to mine cryptocurrency, or even worse, identity theft.
To prevent this, the Australian Government has introduced the mandatory data breach notification law (NBD), forcing any organisation that has its customers’ data compromised to report it both to the Office of the Australian Information Commissioner (‘OAIC’) and to those who may be impacted as a result. Any organisation that chooses not to, or neglects to, notify both these parties may risk a fine of $2.4 million. Ouch!
Today, there are still a lot of organisations in Melbourne, Victoria and even Australia that are not prepared for the NBD, so naturally, we want to help. Here are the top 5 security policies that will help protect your business.
Password Policy
We hear it all the time: “Can I have the same password I had last time?” The answer should be a resounding no! Passwords are virtual gold to cybercriminals, and as soon as they get their hands on yours, they have access to the same company data that you do and, depending on your access, potentially your customers’ data as well.
Here are some best practices we recommend putting in your policy:
Enforce Password History
Don’t allow anyone in your organisation to have the same password twice.
Maximum Password Age
In an ideal world, you would have your password changed every 30 days. However, for some organisations, this can be an overwhelming change. Start with 90 days and gradually move your way down to 30 days over 12 months.
Minimum Password Length
Every password should be a minimum length of 14 characters.
Password Complexity
Password complexity has changed recently. We used to need passwords that were hard for people to guess; now we need passwords that are hard for computers to crack as well. The best way to do this is to let your staff choose four random words, such as Healthlaptoptigerglass. Don’t allow them to use words like their first name or last name, and ensure they use capital letters as well.
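The password rules above (no reuse, a maximum age, a 14-character minimum, a capital letter, and no first or last name in the password), written up as a small checker. This is an added example, not code from the article or from Evolve IT; the salted PBKDF2 storage of the history, the history size of 24, and the sample user and dates are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple
import hashlib
import hmac
import os

@dataclass
class PasswordPolicy:
    min_length: int = 14      # article: every password at least 14 characters
    max_age_days: int = 90    # article: start at 90 days, tighten toward 30
    history_size: int = 24    # assumption: how many previous hashes to retain
@dataclass
class UserRecord:
    first_name: str
    last_name: str
    last_changed: date
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash)

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def new_user(first: str, last: str, last_changed_iso: str) -> UserRecord:
    return UserRecord(first, last, date.fromisoformat(last_changed_iso))

def check_new_password(user: UserRecord, candidate: str,
                       policy: PasswordPolicy) -> List[str]:
    """Return the rules the candidate violates; an empty list means accepted."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if not any(ch.isupper() for ch in candidate):
        problems.append("no capital letter")
    lowered = candidate.lower()
    if any(n and n.lower() in lowered for n in (user.first_name, user.last_name)):
        problems.append("contains user's name")
    # Enforce password history: reject anything matching a stored hash.
    if any(hmac.compare_digest(_hash(candidate, salt), old)
           for salt, old in user.history):
        problems.append("password reused")
    return problems

def record_password(user: UserRecord, password: str, policy: PasswordPolicy,
                    changed_on_iso: Optional[str] = None) -> None:
    # Store the accepted password's salted hash and reset the age clock.
    salt = os.urandom(16)
    user.history = (user.history + [(salt, _hash(password, salt))])[-policy.history_size:]
    user.last_changed = date.fromisoformat(changed_on_iso) if changed_on_iso else date.today()

def password_expired(user: UserRecord, policy: PasswordPolicy, today_iso: str) -> bool:
    # Maximum password age: True once the password is older than the limit.
    return date.fromisoformat(today_iso) - user.last_changed > timedelta(days=policy.max_age_days)
```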
Two-Factor Authentication
Although this can be cumbersome, two-factor authentication is key to protecting your data. Every time you log into your account, an SMS code will be sent to your phone to verify that it is you logging in. Once you enter the code, you will be able to log into your account. This means that even if your password is compromised, an attacker still won’t be able to gain access without also having your mobile device.
Acceptable Use Policy
The acceptable use policy defines how your employees are allowed to use company devices. In this policy you should add details like:
- Personal use of company equipment, and what is, and isn’t, acceptable
- Can they install software on the machine?
- Can their family use company equipment?
New User / Exit User Policies
Cybercriminals love user accounts that have not been removed from the system; they use these accounts to compromise data and potentially mine cryptocurrency. They also like new user accounts, as these can inadvertently be granted too much access to the systems, with the new user having no idea of what security policies are in place or how they should be followed.
Let’s break it down a bit further:
In your new user policy, make sure it includes an induction that covers your organisation’s security policy. All new users need to know everything they need to do to protect your data.
In your exit user policy, ensure you specify that the relevant processes need to occur straight away, and that the person’s account(s) are terminated as soon as practical. Changing the password is no longer good enough. Other things you might want to consider are:
- Mobile Phones
- Keys to the building
- Access to devices and software that may not be part of your internal infrastructure. This includes things like Dropbox, Twitter, the company Facebook account, etc.
Information Security Policy
The purpose of this policy is to ensure your staff acknowledge the importance of data and Intellectual Property. Protecting both your company and customers’ data should be front of mind for all employees. Here are some things you might want to consider for your information security policy:
- Acknowledge the importance of securing Intellectual Property, and the risk and consequences of a data breach.
- The process of responding to a security incident.
- Investigation and remediation of a breach
- The use of USB drives (generally considered an extreme risk, their use should be discouraged wherever possible, if not banned entirely).
Backup and DR Policy
A backup and disaster recovery policy should include things like: where your staff need to go should your business premises not be available, as well as where your data resides and how you are going to get back up and running in the event of an emergency. Other things you may want to consider are:
- Where your organisation's information is stored (for example, is it accessible externally?)
- Who restores your data, and the timelines around doing so
- How often your data is backed up
- What type of information is not backed up (personal data)
All of the above policies are important in protecting your business and the organisations whose data you are responsible for. It is a great idea to consult a cybersecurity professional to ensure you have all the policies in place; once this is done, educate, educate, educate your employees.
HOW EVOLVE IT CAN HELP
We take great pride in partnering with organisations. Our team specialises in developing customised solutions to help you get the most out of your technology.