Does your business have a written cybersecurity procedure? If not, it should.

Cybersecurity is an important issue not only for IT departments but should be important to all members of your organization’s team, from the C-Suite on down to entry level employees. Keeping your data safe, and protecting the data of your clients, is of upmost importance. Having a cybersecurity policy in place helps set the standards for behavior online, from email best practices to restrictions on the use of social media. Your cybersecurity policy should be included in your business continuity plan.

Oftentimes, employees are the weakest link in an organization’s security. Without proper training, they can share passwords, click on malicious links in emails, use unapproved cloud applications, and neglect to encrypt sensitive files. According to McAfee, it was found that 43% of data that was leaked was due to people inside organizations and half of those leaks were completely accidental. By properly training your employees and making sure that your organization’s cybersecurity policies are written out, your entire team can better understand how to best protect your sensitive information.

What should be included in a Cybersecurity policy?

A cybersecurity policy should outline how to:

• Identify Risks
• Protect Information
• Detect Threats
• Respond and Recover

In order to identify risks, make sure you have:

• An annual assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of Confidential Personal Information.
• Create an inventory of all computers, laptops, mobile devices, flash drives, disks, home computers, digital copiers, and other equipment used by the organization.
• Locate and identify sensitive data and identify on which device(s) the data is stored. Also record which employee has access to the data.
• Identify client information transmitted via email, cloud services, firm websites, custodians, and other third-party vendors.

In order to protect your data, make sure you:

• Establish authentication procedures for employee access to email on all devices.
• Passwords for access to email are changed frequently (e.g. monthly, quarterly).
• Client instructions received via email are authenticated.
• Due diligence has been conducted on the cloud service providers, custodians and other third-party vendors and evaluated as to whether they have documented safeguards against breaches.
• All records are backed up off-site.
• Address data security and/or encryption requirements when transmitting information.

To best detect threats:

• Use anti-virus software on all devices accessing the firm’s network, including mobile phones. Anti-virus updates are run on a regular and continuous basis.
• Employees are trained and educated on the basic function of anti-virus programs and how to report potential malicious events such as phishing and ransomware.

In order to best respond and recover, make sure you have:

• A plan and procedure in place to immediately notify authorities and clients in the case of a security incident or breach.
• A business continuity plan to implement in the event of a cybersecurity event.
• A process for retrieving backed up data and archival copies of information.
• Policies and procedures for employees regarding the storage and archival of information.

If you need help making sure that all your organization’s cybersecurity bases are covered, contact pim today!