Back to Blog

Making Sure Your Policies are Up to Date

Image of EJ Phillips
EJ Phillips

As we continue in the new year, it is vital to make sure that your organization has all its technology policies up to date. As the pandemic continues to change the way we live and work, your business policies should reflect that so that your organization is able to grow and thrive.

Technology Policies to Review Annually:

  1. Disaster Recovery Plan
  2. Work from Home Policy
  3. Bring Your Own Device (BYOD) Policy

Disaster Recovery Plan

A disaster recovery plan (DRP) ensures that all of your systems, data and personnel are protected. It is a vital part of business continuity. Making sure that your organization has identified and defined its disaster recovery strategies could make or break your ability to pivot quickly in the event of an emergency or data breach.

download business continuity eBook

A disaster recovery strategy will begin with determining what applications are vital to keeping your organization running. From this strategy, you can develop a plan to describe how you intend to keep those important applications functioning.

When determining your business’s recovery strategy, you should consider your budget, insurance, resources (both people and physical facilities), technology, data, vendors and suppliers, and any applicable compliance requirements. Your recovery strategy should also align with the overall mission and goals for your organization.

elements of a distaster recovery plan

Types of Disaster Recovery Plans:

DRPs can and should be specific to your organizational context. Some specific examples for DRPs includes Network DRPs, Cloud DRPs, Data Center DRPs, and Virtualized DRPs.

Developing Your Disaster Recovery Plan:

A DRP can be very basic or exhaustive. A DRP checklist includes identifying critical IT systems and networks, prioritizing which systems are most crucial for business operations, and outlining the necessary steps required to restart, reconfigure, and recover systems and networks. All employees should have a basic knowledge of the emergency steps to take in the event of an incident or breach.

A good disaster recovery plan is constantly evolving, taking into account new people, processes, and technology and should seek the input and engagement of an entire organization from the top down.

Work From Home Policy

As more organizations adjust to having a portion of their workforce work remotely (either full time or hybrid), it is important to be aware how this can increase the risk for cyberattacks.

What an Employer Should Do When Offering WFH

  • REVIEW overall IT setup. This may include a network audit that looks at your physical network, VPN configurations, devices, ports, etc.
  • REQUIRE employee security training. IBM reports that 95% of cybersecurity breaches are caused by human error.
  • HEIGHTEN security on VPN connections and remote access.
  • MANDATE password policies and strong protection measures. According to LastPass, 66% of all people use the same password on multiple accounts.
  • ESTABLISH multi-factor authentication.
  • UPDATE security software to protect against phishing emails and ransomware. Phishing scams remain the top attack on businesses of every size.
  • SETUP proper firewall configurations and endpoint protections. According to Security Magazine, 70% of breaches occur at endpoints.
  • DISTRIBUTE company issued devices secured and controlled by IT or implement a robust BYOD policy.
  • BACKUP data in a centralized cloud to allow for team access while managing and protecting data.
  • PREPARE a disaster recovery plan to be able to quickly deploy remediation measures. It is more about when you will be breached rather than if, and, according to IBM, the average lifecycle of a breach is 314 days from the breach to containment.

What Should an Employee Be Responsible for When WFH

  • BE AWARE and stay vigilant as there is a much greater threat landscape today. Be mindful of phishing scams.
  • SECURE home WiFi routers and change default equipment passwords.
  • LOCK all devices.
  • CREATE hard to guess logins and passwords. Do not use the same credentials for multiple accounts as if one gets breached, they all do. Change your passwords at least every 90 days.
  • SET UP multi-factor authentication. According to LastPass, only 37% of people use multi-factor authentication at work.
  • FOLLOW all company policies. Pay close attention to IT notifications and install updates immediately. The 2020 Cyber Hygiene Report states that “almost 60% of data breaches in the past two years were caused by missing security patches."
  • ACCESS and save all data in the company storage system, such as SharePoint.
  • AVOID working on open WiFi networks and create a guest WiFi network if you are sharing your internet with your household.

BYOD Policy

A BYOD policy enables your employees to use their own devices—smartphones, tablets, laptops, etc.—for work. It is a growing trend in the workplace, but for the safety of your organization, there are a number of things you should address in order to reduce risk, increase security, and to enhance the employee experience.

A well-designed BYOD policy can save your business time and money (and headaches!). Here are pim’s recommendations for an effective BYOD Policy.

pim.info.BYOD.aug2021 (1)

Passwords

Having password protections on devices should be non-negotiable. We also recommend using multi-factor authentication as often as possible and changing your passwords every 90 days.

Employee Privacy

Company data belongs to the company. But this information is held upon a privately owned device. How much right to privacy does this employee have if their personal data sits next to sensitive client data? A thorough BYOD policy needs to address how you protect your company data while also ensuring the privacy of your employees. Some companies choose to tell their employees to expect no privacy when using personal devices for work purposes.

Data Transfer Provisions

All company data should be encrypted, password protected, and only transferred on company approved applications.

Proper Maintenance

Your BYOD policy should mandate that employees keep their personal devices used for work up to date with security patches and updates. These updates help provide protection from known risks. Keeping devices and applications up-to-date is part of overall digital security.

Approved Applications

Make sure that your team has a list of approved devices, or else your employees may establish their own apps to use. Make sure to include all appropriate applications that secure messaging, email, and your CRM. Make sure also to include a list of forbidden apps, if you choose to forbid some applications.

Provisions in the Event of Termination

Procedures should be in place in your BYOD policy that outline how company data is to be removed from personal devices. Furthermore, upon any termination, an organization is obliged to ensure that all company data is removed from all devices and all permissions from company applications should be revoked.

Make sure that all of your policies—be they disaster recovery, work from home, or bring your own device are easy to understand. This will enable you to get greater buy in from all stakeholders and better secure your client data and networks.


Related Posts

Securing a Remote Workforce

Image of EJ Phillips
EJ Phillips

We are fortunate to have today’s advanced technologies that allow so many of businesses to offer...

Read more

Employees are Your First Line of Cybersecurity Defense

Image of EJ Phillips
EJ Phillips

Making sure that your team of employees is cyber aware is more critical now than ever before....

Read more