A cybersecurity policy helps your company avoid incidents, losses, and liability. However, for your cybersecurity policy to be effective, you need to implement it correctly. There are a few things to consider when creating your cybersecurity policy.
What Is a Cybersecurity Policy?
A cybersecurity policy outlines a company’s requirements for cybersecurity, computer usage, and account management. The policy provides guidance to employees and establishes official rules for what is and is not acceptable, in order to manage cybersecurity risks.
Some companies have informal and unwritten policies. However, this approach may lead to confusion and make enforcement difficult. To be effective, a cybersecurity policy should be in writing and available to all employees.
What Should the Cybersecurity Policy Include?
An effective cybersecurity policy should address the multitude of issues that may impact cybersecurity. If you have cyber liability insurance, your insurer may have requirements that need to be in your policy.
Key points to cover include:
- Password Management. For example, the cybersecurity policy may state that employees must use a unique password (not the default password). Employees may need to change their password regularly and may be prohibited from sharing their passwords.
- Multifactor Authentication. Employees may need to use multifactor authentication on work-related accounts.
- Personal Device Rules. Employers should clarify whether employees are allowed to use their own devices for work-related tasks or if they need to use company devices when accessing any company programs or data. If employees are allowed to use their own devices, the cybersecurity requirements should be clear.
- Home Office Requirements. If employees work from home on a full- or part-time basis, the cybersecurity policy should include rules for home office security, such as Wi-Fi security, the devices employees may use, and requirements to keep devices safe.
- Email Security. Guidelines for email usage may cover rules on passwords and how employees may use company email accounts, as well as tips on avoiding malicious attachments and links.
- Updates, Patches, and Scans. Keeping programs up to date is important for security. A cybersecurity policy can address this by requiring employees to apply updates and patches as soon as they are available and to run regular anti-virus scans.
- Data Backups. If a cyber incident occurs, current data backups limit business disruption. For this reason, a cybersecurity policy may require daily or weekly backups.
- Access Control. Limiting access may prevent cyber incidents. A cybersecurity policy may outline who has access to various controls and accounts and the protocol for removing access after an employee leaves the company.
- Incident Reporting. If employees encounter security breaches – or even potential security breaches – they need to know how to report the issue immediately to enable the company to take steps to control the threat. For example, if employees accidentally click on a malicious link or see a pop-up message that may indicate a virus, how should they report this?
Implementing Your Cybersecurity Policy
Creating a comprehensive cybersecurity policy is only the first step. The goal is to ensure employees follow the policy in daily operations, which doesn’t happen automatically. Consider the following:
- Who is in charge of implementing the policy? If no one takes responsibility, implementation may fall through the cracks. Identify the person or people in charge of the policy and exactly what their duties are.
- How will you make employees aware of the policy? Employees need to know and understand the policy. Simply emailing employees a copy of the policy may be insufficient, as some employees may not see it, may not get around to reading it, or may read it but not understand it. Other measures could include having employees sign to show they have read the policy, creating video tutorials to explain the policy, or having meetings to discuss the policy.
- How will you enforce the policy? Consider how your company will monitor employees for compliance and what will happen to employees who do not comply. You should include this information in the policy itself to ensure employees understand the stakes – for example, if they will be disciplined or fired for failing to adhere to the rules.
- When will you update the policy? You may need to update your policy to address new cyber threats or respond to issues. Create a timeline for this. For example, you may want to schedule an annual review as well as additional reviews after any cybersecurity incidents.
A cybersecurity policy helps companies avoid cybersecurity incidents. Cyber liability insurance provides another layer of protection. Heffernan Insurance Brokers can help you secure cyber insurance and manage your risks.