Not all businesses have a formal IT policy, and it's something worth doing. The information shared here came from the cyber crime conference I attended last week in Cambridge, held by the county’s PCC. A broader overview of cyber crime in Cambridgeshire can be found in the previous blog post.
What is an IT policy?
You probably already know - a document or collection of documents that set out best practice for staff regarding cyber security, online access, emails, etc.
The aim to to stay safer by educating staff. By having an IT policy, staff should be aware of preventable issues and be able to respond quickly if something is amiss.
How important is it?
We need to do more to protect company data, according to the experts: http://www.cambridge-news.co.uk/Cambridge-companies-beware-cyber-attacks/story-28609175-detail/story.html
According to Cambridgeshire Police, one local medium-sized business went bust due to the extent of a cyber crime, and many companies are victims on a smaller scale (see more in this post).
What should be in an IT policy?
Below are some things to think about:
- Movable storage
What is the policy on storage such as USBs? Can staff bring in personal USBs and use them on a work computer?
Who and where are you buying hardware, software and services from?
Are colleagues allowed to share passwords? Are all desktops and laptops password protected?
- Network and remote access
Can you logon to the network externally?
- Office access
Who can access your office? Employees, cleaners, visitors?
- User privileges
Who has access to what?
- Email links and attachments
Think about a policy on clicking links, or file extensions to be aware of. For example receiving a .exe file from an unexpected source should be a red flag.
Do you keep backups and who is responsible for them?
- Locking devices
Are laptops or towers/monitors left logged in and unattended?
- Two-step authentication
When I hear two-step authentication I think of banks or Googlemail logins, where you have a password and a text, or password and security key.
It is also something else just as useful - literally getting a second authorisation before committing to a payment. A common way of scamming money relies on administrative staff not getting a second authorisation after receiving an email from the boss. This is called CEO spoofing (see more on CEO spoofing in previous blog post).
The policy should also include what to do in the event of a security breach (see previous article for advice on this).
*For the article about the cyber crime conference in Cambridge please click here.