“As an organisation grows, so it outgrows the usefulness of just the one cyber policy document,” explains Neil. He adds that there are lots of other approaches and policies you should consider to make everyday activities and behaviours manageable. “Don’t forget that training and awareness of these policies will require a commitment from the leadership and staff to see them made effective.”
So as an organisation expands, what else might it consider?
Acceptable use: This makes clear that facilities, equipment, systems, and data shall only be used and accessed in acceptable ways that ensure the confidentiality, integrity, and availability of the information. Systems and IT equipment are provided for business use, but the organisation recognises there are times when staff will need to complete personal tasks online. “Any reasonable personal use of equipment is permitted so long as it does not bring the organisation into disrepute nor violate any laws or regulations,” says Tim.
Access control: This is where the policy limits an individual’s access to places, data, and systems that they need to do their required job and nothing more. This is often known as “least privilege” and is designed to stop people reading, downloading, changing, or deleting certain information.
Back-up and recovery: This is to set out the requirements for backing up, and accessing backed-up data, so that information is protected. This policy has become increasingly important, given the high-profile and reputation-damaging nature of some ransomware attacks. “With a good offline back-up, taken regularly, stored safely, and tested so that you know it works, it is possible to recover from an attack far faster and more safely than paying a ransom to a criminal to retrieve information,” adds Neil.
Business continuity: This commits the manager of networks and systems to minimise the risk of loss of services, and, in the event of an incident, implement the recovery plan to support the business’s needs. With the rise of ransomware, planning for a longer-term disruption to core IT services – from hours or days in the past to weeks or months – is crucial.
Data protection, retention and destruction: Data should be protected in proportion to its sensitivity and value and processed in line with applicable laws and regulations. “A policy or procedure for this is therefore vital,” explains Tim. “This includes keeping it only as long as necessary and destroying it safely when it is no longer needed.”
Remote working: Given that homeworking has become more prevalent since the pandemic began, many organisations have had to create remote-working policies. “This has frequently been done under great pressure and has let security standards slip,” says Neil. “This security debt needs to be paid back with resources and investment.” Setting an effective remote-working policy means focusing on the physical security of data and equipment. “Don’t overlook printing out material, and ensure staff are reminded about prying eyes and eavesdroppers, particularly on confidential business calls and in online meetings.”
Supplier management: As businesses grow, they tend to rely on third parties for elements of business activity. So a secure policy requiring the effective selection, due diligence, and management of those suppliers is essential. If using software as a service (SaaS), ensure that, if something happens to the supplier, your organisation can still access the information it needs. “Applications and data should be managed with an effective escrow,” advises Neil. “To many organisations, this means keeping its operations going and insulation from reputation damage.”
This article was written in collaboration with NCC Group Software Resilience, the world's largest Software Escrow provider. Visit their insight blog for actionable resources and helpful information.