Read part 1 of this series: Unsecured and unaware: Why your business needs cyber security policies now! and the the introduction to this article: Security policy 101: How to develop security policies for your business.
Consider the following discussion points when developing your security
policy. This list is by no means complete, but it will provide you with a
good start, which can help you to develop a plan to protect your
business from cyber-security threats.
Browse the bullet points for things to consider. Bookmark the page for future reference, go through the guide in more detail when you’re ready to develop your own security policies. Remember, the goal of this guide is to raise the bar; it’s not going to solve all your security problems (or make you industry compliant). But, it will help you start moving in the right direction.
Know your businessYour IT and information security processes should support your business activities. They should fit in with your organisation and be aligned with your goals, technologies, staff and capabilities.
- Create a list of all of your systems: email, accounting, purchasing, online supplier portals, and file servers.
- Create a list of your users, what types of staff do you have? Reception? Sales? Accounts payable? Accounts receivable? Management?
- What devices do you have? File servers? Wireless access points? Routers? Laptops? Tablets?
- What types of data do you store? Credit card numbers? Business plans? Client usernames and passwords? Personal information? Secret documents?
- Our Systems.doc
- Our Users.doc
- Our Devices.doc
Play some “what if” gamesTo identify what’s important to you, and make you think about how your business functions. Start to imagine scenarios where you business systems, users, or devices are damaged, stolen or compromised. This is where you can exercise your creative Hollywood scriptwriting skills; you can invent a whole range of scenarios from mundane to ridiculous.
- Ask, “What if this device fails?”
- Ask, “What if a staff member quits or is fired?”
- Ask, “What if a device goes missing?”
- Ask, “What if someone steals the device?”
- Ask, “What if the data is leaked?”
- Ask, “What if someone has access to our Wi-Fi?”
- Ask, “What if someone guesses our server password?”
- Ask, “What if Bruce Willis teams up with Mr Robot to compromise one of your staff who is involved in international money laundering?”
Reality CheckIt’s easy to get carried away and see threats and risks everywhere. After you understand what’s important to you, try to work out how likely a scenario is. For some threats this will be easy (you know how likely you are to have staff quit), for other threats you may need IT or security input to determine the likelihood and real impact of the threat.
- How often do your staff turnover?
- How often have your computers failed?
- How likely is it that your Wi-Fi password is easy to guess?
- Have you changed your banking passwords recently?
- Do any of your staff know Bruce Willis or Mr Robot?
Reality check is probably the most technical process. The difficulty lies with understanding how possible a certain type of failure is, and also understanding how likely it is that malicious attackers would exploit that scenario. Hackers tend to work on the fringe of unlikely scenarios; they will focus on areas that most people haven’t considered for protection.It’s unlikely that a hacker is going to bring down the city’s electricity grid to unlock your vault (unless it’s Hans Gruber), but maybe you hadn’t considered putting a padlock on your electrical switch [fuse] box?
Think contingencyAfter you’ve imagined the worst-case scenarios, and their catastrophic business impacts. Take a step back and think about ways you could continue to function. While most businesses rely heavily on technology, many will be able to continue operations even in the event of a significant incident. You can further improve your odds if you have contingency plans in place. In the event of a security breach, you may also need to take additional steps to protect your users and clients. So, build checklists and contingency plans for a range of what-if scenarios.
- Think about what will happen if your staff quit?
- What process should happen if staff leave suddenly? What if they’re fired? Who is responsible for revoking their access?
- How do we continue to operate if the dispatch or HR system is offline? Do you have hard copy or paper based form to fall back on? Should you have a fallback solution?
- What will you do if your system is infected by malware or ransomware? Do you need a spare computer? Can you afford the downtime while you re-install software and restore from backups?
- What happens if your Internet link or a specific server goes down? How can you continue to work?
- What will you do if your supplier’s system is breached? What passwords should you change? What information did they know about your business or your clients? How could this information be used to manipulate you?
- When you see Bruce Willis in your car park, how should you react?
Contingency planning often involves getting creative. Realistically, most businesses won’t fall over immediately if something goes wrong.Use your what-if scenarios and your lists of servers, staff and devices to create separate, 1-page contingency documents: “Restoring from a ransomware attack”; “Key-staff member resigns”; “Internet access lost”. Sometimes technical products can help with your recovery or risk mitigation. But, the general themes can often be addressed if you have a solid understanding of your organisational requirements.
For each of the systems, devices and websites that you have identified, consider who needs access and why. Poor access control is a common point of failure in business security. Long forgotten staff still know your banking details, and everyone still shares the same password. You need to know who has access to your data and systems.
- Document clearly which staff should be able to access which systems. E.g.: Does reception need access to your “Client Documents File-Share”?
- Do they need access to your supplier portal?
- Get your limited IT team to enact and test these access policies.
- Erase or disable any user or administrative accounts that are no longer required.
- Audit your computers and servers to see if suspicious accounts have been created. Check to make sure that the user’s you’ve documented are the only users with access.
- Don’t give Bruce Willis a swipe card if he’s only doing temporary work for you.
Your work to identify systems, staff, scenarios, and contingencies will give you an idea of who needs access to what. By limiting or ‘compartmentalising’ access, you limit the exposure to other people’s errors. The types of contingencies you’ve identified will also decide what types of access management you need to undertake.
Manage all changes
Because no business environment is static, your policy documents should recognise that staff will come and go, account numbers will change, and new software will become available. You should be clear about who can make these changes, and what they need to consider before they do.
- Who can change your accounting or finance details?
- What is the process for updating your mailing list or client details?
- What should happen if a client calls you to change their billing information (how do you verify that client without inadvertently disclosing their information? How to you confirm the changes?)
- What should happen if one of your staff needs new software? What is the business case for the software? Is it coming from a reputable manufacturer? Is it well supported? Are there any known vulnerabilities or hacks (have you checked the software with Google searches)?
- If Bruce Willis says ‘jump’ should your staff respond?
Managing both security and policy changes is integral to policy success. It’s unlikely that you’ve thought of every scenario, or documented everything perfectly.The rules you define here can be in the form of statements and checklists - your documents will be titled things like: “New staff induction process”; “Changes to administration systems”; “Staff resignation process”; “Policy for installing software on work computers”; “Checklist of requirements before connecting personal tablets to the office Wi-Fi network”
You should have rules that define the types of changes you can expect, as well as catchall rules and checklists for consideration if something falls through the cracks.
Password rules: what, who, how and when?
Who has access to your bank account? You might be surprised! What about password security — do you need complex passwords or do you permit easy to remember passwords? Password rules are critical to business security because passwords are usually the keys that permit access to your whole organisation. Many people think that password policy merely defines how annoying passwords should be to remember.
While defining password complexity is certainly part of the process, you should also consider more significant threats such as shared passwords for your banking and supplier portals. Also consider general password advice regarding re-use of passwords on multiple sites, and whether it’s ok to write down a password (sometimes this might not be a bad idea if you can put it behind lock-and-key).
- If you have shared banking or supplier portal passwords change them all. Document what sites you have access to and when the password was last changed. Changing all of your ‘shared’ passwords will reset access, and exclude all those who have inadvertently been given the password throughout history.
- Change passwords to your devices, routers, and Wi-Fi access points. Changing settings on these devices can open the door to full access to all of your systems.
- Avoid sharing new passwords with everyone. Refer to your list of user groups and decide who needs access to what services.
- Use different passwords for every single activity. Define password rules that separate access to banking, server administration, website administration.
- Wherever possible don’t use a shared password, create specific user accounts and assign privileges to the account. It’s much easier to cancel a single user account than it is to communicate a new password to 5 users.
- Decide when to update shared passwords. Perhaps after a certain elapsed time, or immediately after someone has left. Remember that you might need to change shared passwords on many devices, websites, and servers.
- Don’t forget to update the passwords on your routers, and Wi-Fi access points. Add these to a checklist so they don’t get forgotten.
- Consider individual password policies. Suggest that users have a unique password for their work activities.
- Does Bruce Willis need to know your banking password? How about your Wi-Fi password?
The biggest wins in most small organisations are managing the use of share passwords and accounts. Policies and checklists that decide who, when and how these passwords are used (and changed) will help your security immensely.
Be careful not to go overboard with password complexity rules. There’s plenty of research to suggest that draconian password change policies may actually decrease security of systems. Ridiculous policies are harder to enforce, people simply can’t remember crazy passwords.
“Your password must contain a capital letter, a number, the name of a famous cat, the initials of a Greek philosopher and an underscore. Your password must be changed weekly, and you can’t use any of the last four password (also, don’t write it down)!”
You don’t want weak passwords, but more importantly you don’t want to open the door to frequent password changes, or an easy to guess password convention because your policies are too complex. You might also consider whether password managers are appropriate for your users or organisation.
Protect your computers and data
Most businesses need good data. You have tonnes of data from business documents, through to accounting data and client contact lists. Your data is your business, without it you’d be lost. Consider your “What-if?” scenarios and protect your computers and data.
- Try to use real-time backup solutions like Time Machine or Windows backup. Also, take a daily backup, and a weekly offsite backup. Make sure the backups are encrypted (Google search “creating an encrypted backup on windows”, find trusted sources, don’t arbitrarily install backup software)
- Decide how often should someone spot-check your backups to see if they can access your most important files. You need to verify that the files work and are correct. Daily? Weekly?
- Consider once or twice a year scheduling a “test restore” of an entire computer or server from your backups. It’s tedious, but unless you test it out, you don’t know for certain it’s working.
- Update your operating systems, and application software. The latest security and software patches protect against newly discovered vulnerabilities.
- Disable applications and extensions you don’t need for your business activities. Do you really need flash player? Do you need more than one web browser?
- Install and update virus-scanning software. It’s only as good as the latest update, so make sure this is up to date.
- Disable any un-necessary devices or computers? If that server is no longer used, it’s no longer maintained!
- When Bruce Willis shoots up your server room, where will you go to restore your data?
Consider these points from two angles: think first about how to protect your data from malicious access or being stolen; then, work out how you’ll protect your data against disasters.Controlling un-necessary software installations and limiting access to data will help protect your business from malicious attacks. Some of these controls can be identified in other sections such as change management and access control.
A good disaster recovery plan will protect you from a host of unforeseen events, from a fire in your building to a ransomware attack. This is the most important ‘last line’ of defence any business can have.
Protect your staff, users and clients
You have a duty of care to those you deal with. Avoid liability and PR disasters by protecting them from data breaches. Consider what data you actually need to be carry out your business objectives.
- What information do you need? Never store more private data than necessary. If you don’t need to hold personal details, don’t do it! If you don't have it, you can't leak it!
- How do you handle financial or account information? Don’t write down credit card numbers, talk to your bank or payment gateway about best practices for handling credit card payments.
- Always respect the privacy of their contact details. If you do mass-mail, make sure your mail merge is working correctly. Always use BCC (Blind-Carbon-Copy) when emailing more than one recipient; or, use a dedicated mailing list distribution program.
- Encrypt sensitive data - use ‘full disk encryption’ with secure passwords on your desktop and laptops computers. Use a password or pin on your mobile devices. Make sure that if devices are stolen the data will be hard to retrieve.
- Make sure your software and websites encrypt user’s passwords. If your databases are stolen, you don’t want their passwords to be compromised easily. For common software tools, Google search. E.g. “are WordPress passwords encrypted?” For in-house applications, check with your IT or developers.
- What if Bruce Willis discovers your list of suppliers or clients?
These points will make you consider what responsibilities you have to others. The policy controls that defend your users and clients can be addressed here, or incorporated in to elements such as access control and change management.
Breath life in to your policy documents
Your policy documents should evolve over time. You’ll never capture your business rules in one session, so expect to revisit your policy documents on a regular basis.
- Who can change policy: Management? Security teams? IT staff?
- What do you do when the policy doesn’t work? Don’t just ignore it; re-write it to take in to account the circumstance you find yourself in.
- Try to capture and document foreseeable exceptions to rules and how exceptions should be applied.
- How do you handle strange requests? Requests for payment? Request for access? What checks are in place to make sure they’re legitimate?
- Who must be notified if someone intends on relaxing a policy rule? How should the be notified (phone call? Email? Post-it note?)
- Who can authorise a departure from your business rules? What documentation should be kept when a variation from the rules occurs?
- Keep a register of extraordinary circumstances. How did you handle situations not covered by your existing policy? How should you handle them in future?
- Bruce Willis is unstoppable! When he starts coming after you, you’d better believe he’d keep trying new tactics. How will you adapt?
Communicate policy and train your staffSocialising your new security focus is essential to get support and compliance. Open and regular security discussions also help keep your security focus in mind. Your policy documents should be written so that all of your staff can understand them. Also, consider who needs to be involved in what types of security discussions.
- Encourage discussion about security incidents; process improvements.
- Explain your policies. Don’t just explain what they policy is, discuss why the policy was created.
- Promote informal discussions about recent security breaches. Ask questions of your whole team: “How did it happen”? “What if that happens to us”? Ongoing discussions about security incidents will keep your team up-to-date and raise awareness of emerging threats.
- Find online security resources and articles. Forward them around for reading and discussion.
- Don’t tell Bruce.
Work with ITCyber security planning and implementation will require technical skills. It’s important that your IT department understand what you’re trying to achieve from a business perspective, so they can assist with any changes to technology.
- Engage your IT in your security policy development. Your technology infrastructure is a joint effort; your IT is probably capable of identifying and implementing many technical protections.
- Allow your IT the flexibility of “not knowing”. Certain security technologies may require expert configuration or installation. Your IT partners need to work in their area of expertise.
- Enlist help where required. Depending on the level of expertise in your IT team, it may be more cost effective to use external security specialists to help with certain security technologies.
- Protecting against Bruce Willis damage is a team effort. You’ll need help from your IT, your locksmith, and your insurance company. Work with the resources you have.
- If you are lucky enough to have an IT department, you’ll want to make sure you get them onside. The policy decisions you make will need technical support to implement. For external IT contractors, your policies can dictate their behaviours when onsite, or when working with your clients.
Establish a teamIt’s naive to think that any individual (regardless of expertise) is capable of understanding all of technology and business implications with respect to security. Use the specialties and skills within your organisation to help create and enforce your security rules.
- Identify the talent in your organisation. Who is good at tactical response and incident management? Who knows what technologies you have? Who knows about your business process? Even if it’s just a couple of staff that can meet over lunch to help flesh out a security plan.
- Identify outside contractors and professionals that can help. Who do you trust to access your data? Who can help with your policy discussions? Who has the security expertise to respond to incidents? Who can help implement your IT solutions?
- Make sure the team meets regularly. Briefly discuss the current policies; Identify new scenarios or areas of concern; modify or revoke policies that are obsolete.
- Maybe Chuck Norris is available to help defend against Bruce Willis?
Enforce complianceYou’ve wasted your time if you don’t enforce the policies you’ve created. Frequently clients and management pressure staff to override existing policies: “Ship that orders ASAP”, or “bypass security rules because I forgot my password”.If you have policies to deal with situations, then those policies should be enforced.
- Consider which policies are clearly black and white, there’s no room for interpretation. While others will act as guidelines or checklists. Make it clear which policies are not up for discussion.
- Be reasonable. Try to understand the reason behind policy breaches. Is it due to unrealistic expectations, resistance to change? Is it a bad or broken policy? Or, is it due to laziness or negligence?
- Be clear about remedies. Make sure your teams understand the ramifications of a policy breach. Make sure these remedies are enforced and carried though.
- Invite discussion about changing policy. If a policy is too restrictive it may hinder your business operations. Just make sure you consider the implications of relaxing the policy.
- Don’t let Bruce Willis get in through a back door.
Some deliberate breaches may be unforgivable - picture an aircraft engineer who doesn’t care to observe the policy on: “Safety requirements when attaching new engines to aircraft”.If the risks to your business are catastrophic, you might need to ask yourself whether this person is more of an asset or a liability to you.
Take a moment to consider the serious consequences that may arise from non-compliance. While I always advocate trust, respect and understanding when handling staff, you may identify some breaches that demonstrate extreme negligence – or complete disregard and contempt for your business.
Think like a hackerMany hackers have a unique way of approaching security. They have a way of breaking down defences in to puzzles to be solved. By playing the game yourself you can start to think like a hacker. As you develop policies and go about your business start thinking about security puzzles. How could you defeat a security policy or system?
- When going through security, or examining the processes used by your competitors think about “how could I get around this?”
- Look at locked doors and ask, “can I pick this lock, or is there another way in? Is the loading dock open to the world”?
- Examine other organisation’s security policies as an outsider. When you’re talking to your bank and they ask you questions about your date-of-birth and address, think about whether the questions would be easy to evade? How could you find out the answers to these questions to attack someone (Social media? Telephone books? Social engineering?)
- What would Bruce Willis do?
Don't wait, take your first steps todayIt is often said that security is a process. It requires a clear understanding of what you are trying to achieve, and what technical measures you can implement.The policy questions and discussion points presented here are not rocket science. Developing basic security policies and frameworks won’t need extensive time or resources.
There’s no time like the present. Go (now) and update your passwords and check that your backups are working. Sleep on it, and then tomorrow start developing your cyber security policies.
Take time to document policies, allow a few hours over the course of a few weeks; you’ll be in better shape than most. You’ll have identified and reduced your cyber security risks, and created plans in case things go bad! You’ll have documentation to give your IT teams, insurers, staff, and management. You’ll also have built checklists that streamline many of your business processes.
A cyber security plan will save you time and money in the long run. It will reduce your risks, and could even save your business.