Manage Your Cyber Risk
27th February 2019
All companies should develop and maintain clear and robust policies for safeguarding critical business data and sensitive information, protecting their reputations and discouraging inappropriate behaviour by employees.
Many companies already have these types of policies in place, but they may need to be tailored to reflect the increasing impact of cyber-risks on everyday transactions, both professional and personal. As with any other business document, cyber-security policies should follow good design and governance practices—not so long that they become unusable, not so vague that they become meaningless, and reviewed regularly to ensure that they stay pertinent as your business' needs change. Establish Security Roles and Responsibilities One of the most effective and least expensive means of preventing serious cyber-security incidents is to establish a policy that clearly defines the separation of roles and responsibilities with regard to systems and the information they contain. Many systems are designed to provide for strong role-based access control (RBAC), but this tool is of little use without well-defined procedures and policies to govern the assignment of roles and their associated constraints. At a minimum, such policies need to clearly identify company data ownership and employee roles for security oversight and their inherent privileges, including: Necessary roles, and the privileges and constraints accorded to those roles The types of employees who should be allowed to assume the various roles How long an employee may hold a role before access rights must be reviewed If employees may hold multiple roles, the circumstances defining when to adopt one role over another Depending on the types of data regularly handled by your business, it may also make sense to create separate policies governing who is responsible for certain types of data. For example, a business that handles large volumes of personal information from its customers may benefit from identifying a sole manager for customers' private information. The manager could serve not only as a subject matter expert on all matters of privacy, but also as the champion for process and technical improvements to handling of personal information. Establish an Employee Internet Usage Policy Social networking applications present a number of risks that are difficult to address using technical or procedural solutions. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. At a minimum, a social media policy should clearly include: Specific guidance on when to disclose company activities using social media, and what kinds of details can be discussed in a public forum Additional rules of behaviour for employees using personal social networking accounts to make clear what kinds of discussion topics or posts could cause risk for the company Guidance on the acceptability of using a company email address to register for, or get notices from, social media sites Guidance on selecting strong passwords for social networking accounts All users of social media need to be aware of the risks associated with social networking tools and the types of data that can be automatically disclosed online when using social media. Taking the time to educate your employees on the potential pitfalls of social media use may be the most beneficial social networking security practice of all. Identify Potential Reputation Risks All organisations should take the time to identify potential risks to their reputations and develop a strategy to mitigate those risks with policies or other measures as available. Specific types of reputation risks include: Being impersonated online by a criminal organisation (such as an illegitimate website spoofing your business name and copying your site design, then attempting to defraud potential customers via phishing scams or other methods) Having sensitive company or customer information leaked to the public via the web Having sensitive or inappropriate employee actions made public via the web or social media sites All businesses should set a policy for managing these types of risks and plan to address such incidents if and when they occur. Such a policy should cover a regular process for identifying potential risks to the company's reputation in cyber-space, practical measures to prevent those risks from materialising and plans to respond to and recover from incidents as soon as they occur. The Burley Group has numerous sample policies available to our clients upon request. These policies are a great starting point for your policy-creation efforts and can be modified to fit the unique needs of your business. Contact The Burley Group today: www.burleyinsurance.co.uk| 0114 261 2020 | info@theburleygroup.com