How to develop a cyber security policy

Keeping data safe and out of the hands of cyber criminals is a serious concern for IT professionals and C-level executives across every industry. While there’s good reason cyber security is top of mind for those in charge, the issue should be a priority for all employees in an organization. 

Research shows that breaches are becoming more serious, as cyber criminals continue to target intellectual property. This can potentially put companies’ reputations at risk and increase their financial liability.¹ At the same time, employees and others using a company’s IT systems are often weak links in the cyber security chain. They might share passwords, unwittingly open malicious attachments, use unapproved cloud applications, or neglect to encrypt sensitive files.²

This is where a cyber security policy comes in. The policy’s aim is to ensure everyone plays their part in protecting their organization’s data and defending against losses from cyber attacks. Specifically, it explains the processes and procedures employees and others must follow to protect the organization’s IT systems and data; assigns roles and responsibilities so everyone knows their respective tasks; and details the potential consequences if the policy is ignored or deliberately breached. ³ 

In creating an effective cyber security policy, there’s no one-size-fits-all approach. The content will depend on the specific assets, needs and issues in your organization, which can be identified in a risk assessment. However, there are several common areas to cover, including: 

• Acceptable internet use: Employees, contractors, vendors and others who can access your internet should be educated on safety precautions online. This includes avoiding social engineering scams such as phishing, and recognizing untrustworthy sites, especially those that encourage users to download content, which can be used to infect the device with malware.^4,5

• Creating strong passwords: Weak passwords continue to be one of the biggest security problems that organizations face. Your policy should urge staff to create stronger passwords by outlining specific rules, such as using a combination of upper- and lowercase letters, numbers and special characters, or using the first letter of each word in a sentence to form a unique password.⁶

• Transferring data: Hackers can steal data while it is being transferred. Best practices for safe data transfers include data encryption; using a file-transfer protocol (FTP), which requires a username and password to upload and download files; using secure file-transfer protocol (SFTP), which requires access to a server as well as a username and password; and installing Off the Record (OTR) messaging, which encrypts emails before transferring them. ⁷

• Software updates: Software updates often contain security improvements based on recent viruses and attacks. ⁸ Employees, especially those who are using their own devices for work, should keep their software as current as possible. Best practices include turning on automatic updates for the operating system; using secure web browsers that offer automatic security updates; and keeping browser plug-ins updated.⁹

• Remote work: Remote work brings increased security challenges, as safeguards usually aren’t the same as in the office. Sensitive information can be protected through the establishment of a secure VPN, backups, and encryption, as well as only giving staff access to the information they need to do their jobs. Meanwhile, devices can be protected by practices such as using multi-factor authentication and using password-enabled screen savers. ¹⁰

In addition to best practices for specific areas, your cyber security policy should identify individuals’ roles and responsibilities. This includes who issued the policy, who is responsible for enforcing it, who will train employees on security awareness, who responds to and resolves security incidents and how, and which individuals have admin rights and controls.¹¹

If you’re considering creating a cyber security policy, there are numerous templates available online that can help you get started. Experts also advise taking a look at cyber security regulations when developing a plan to ensure you’re operating within the law.¹² You may want to consult with your organization’s legal experts. 

As the work world continually evolves and cyber threats grow, it’s critical to have a solid cyber security plan in place, as well as other safeguards such as insurance. Contact your broker to see if you need any additional security layers in your cyber coverage. 

¹“Grand Theft Data II – The Drivers and Shifting State of Data Breaches,” McAfee, April 30 2019  
² “How Cybersecurity Policies and Procedures Protect Against Cyberattacks,” MCafee
³ “Creating an internet security policy for your business,” Tech Radar, Aug. 4 2012
^4,6 “How to develop a robust cyber security policy,” IT Governance, Feb. 27 2020 
⁵ “Top 3 Security Flaws with File Sharing Software,” Boost IT
⁷ “5 Ways of Securing Data Transfer,” TechEngage,” Feb. 23 2021
⁸ “Cyber security for small businesses: Why software updates are essential,” Government of Canada, Jan. 2020
⁹ “Cyber Security Basics: Keeping Employee Software Updated,” Red River, March 7 2019
¹⁰ “Security Tips for Remote Workers,” Canadian Centre for Cyber Security, May 2020
^{11, 12} “How to create a successful cyber security policy,” Malwarebytes Labs, updated Jan. 25 2019