What is a cybersecurity policy?

We are a Managed IT Services Provider in Las Vegas. Because of this, we have the opportunity to work with many different businesses in many different industries. A big part of our job is educating our customers about technology and their business. Cybersecurity is at the top of our list, and it starts with a cybersecurity policy. A cybersecurity policy is a written security document that outlines the strategies and processes an organization has put in place so that its security program is clearly defined and supports the business's objectives. These policies and procedures are living documents: they should be reviewed and updated as the business, its technology, and the threats it faces change. They determine how the organization protects itself from threats and what actions should be taken if a threat materializes. This type of policy is typically called a "Written Information Security Policy" or "WISP."

Why is such a policy important? 

A cybersecurity policy is becoming more critical for companies of all sizes. A good cybersecurity policy or WISP will not only detail how a business protects its information, but also what steps to take if an incident occurs. A business with no plan for protecting its information and no plan for responding to an incident exposes itself to significant risk: regulatory penalties, civil liability, and in some cases criminal prosecution.

Cyberattacks and data breaches are becoming more costly to an organization, and the risk is only increasing. You may have seen statistics on the internet giving the percentage of SMBs that close their doors after a security incident. Those statistics were never substantiated and have since been withdrawn. However, the risk remains. The publicity alone can be detrimental to a business. Loss of trust, loss of customers, loss of productivity, and loss of executive management focus are just a few of the consequences that can cause a business to close its doors. Having a WISP will help focus the company on the proper procedures to protect its technology infrastructure, thus minimizing risk. If there is an incident, following the WISP procedures will reduce the company's overall exposure and make it less likely that a cybersecurity insurance provider denies the claim.

As an IT Services Provider, we are fortunate that we have had very few concerns with any of our clients. We have our own WISP, and for the clients we manage, we flow our policy down to them. However, not all of our clients find it necessary to create their own WISP or train their staff. We recently had a client that was the victim of a sophisticated email phishing scam in which a large sum of money was wired to the threat actor. It was a mid-five-figure loss and a very expensive lesson. After NetEffect's investigation, they followed our recommendations: they implemented a cybersecurity policy, a cyber insurance policy, an advanced email security platform, and security awareness training for all staff. There is no guarantee that it will not happen again, but these measures significantly reduce the risk, and more importantly, they build a culture of security awareness in the business.

What, as specifically as possible, should be included in the policy?

The list of what a WISP should include is lengthy, and it is not possible to cover it all here. However, there are several templates available on the internet; a little searching will turn them up. The frameworks published by these organizations are an excellent place to start: NIST (the Cybersecurity Framework and SP 800-53), ISO/IEC 27001, the CIS Critical Security Controls, and PCI DSS.

Here is a list to get you started:
• Identification of the designated person responsible for maintaining and enforcing the plan
• Risk assessment requirements
• Employee training requirements
• Password and credential guidelines and restrictions
• Internet usage restrictions
• Access controls
• Data storage and security requirements
• Procedures for lost or stolen devices
• Procedures for securing computers and devices
• Procedures for security patches and updates
• Procedures and requirements for backups
• Multi-factor authentication enforcement
• Documentation of security breaches
• Communication plan for incidents

I don't have a cybersecurity policy, what do I do now?

The best thing to do is to reach out to NetEffect. We will provide a free risk and network assessment to let you know where you stand.