9 Must-Have IT Policies to Reduce Security and Compliance Risk

A recent report from Kaspersky paints a grim picture of the state of cybercrime. Two global ransomware attacks, WannaCry and Petya, were carried out in the first half of 2017. Overall, the number of ransomware attacks increased 11.4 percent in the past 12 months. Those who paid the Petya ransom learned the hard way that hackers don’t always deliver on their promise to restore access to blocked systems and data after the ransom is paid.

Nobody is immune to ransomware attacks. Large enterprises, small businesses, hospitals, educational institutions and government agencies have all been victims. Organizations recognize the seriousness of these threats, and many have implemented new security tools to improve their defenses.

However, security tools have limited value if you don’t have an overarching security strategy. Ransomware attacks are typically launched via email and prey on human error and carelessness. Hackers using ransomware don’t try to break into the network. They trick humans into opening the door for them.

That’s why every organization needs IT policies that serve as the foundation for the security strategy. IT policies reduce the risk of security and compliance issues by providing detailed procedures and instructions for using and managing IT services and tools.

Here are nine IT policies every business should have.

  1. Acceptable Use Policy. Developed in collaboration with the legal department, this policy defines all IT services and assets and the appropriate way to use them. It lays out the rules for everything from accessing and sharing data to legitimate business reasons for using technology.
  2. Security Awareness. This high-level policy explains the importance of early detection and mitigation of security incidents and outlines mandatory security training. It also makes employees aware of the security consequences of their actions.
  3. Information Security. This policy identifies the people, processes and technology of the security and risk management programs. Who is responsible for IT security? What tools are included? What are the processes for managing and securing information and assets?
  4. Business Continuity. In case of disaster or cyberattack, this policy explains the steps to follow to notify affected parties and restore access to critical business systems, applications and data in order to minimize business disruption. This plan must be tested regularly.
  5. Change Management. This policy ensures that technology updates, modifications, replacements and other changes are properly defined, approved and tracked.
  6. Incident Response. Related to business continuity, this policy defines what a security incident is and how an organization will detect, investigate and address such an incident. It also includes the process of updating the security strategy to prevent similar attacks in the future.
  7. Remote Access. With distributed enterprises and remote workforces, organizations need a policy that defines standard procedures for remotely accessing the company network. You should have a separate policy for vendors who access your network, if applicable.
  8. Bring Your Own Device. This policy explains the rules for using employee-owned devices for work purposes, including but not limited to a list of approved devices, operating systems and software, how to report lost or stolen devices, and how to separate personal and corporate data.
  9. Data Backup, Retention and Disposal. How frequently should data be backed up? How long should data be retained? When data is no longer needed, what is the process for secure disposal?

In the next post, we’ll discuss steps to follow and factors to consider when developing IT policies.
