Oops! My Bad!

“People sometimes make mistakes.”

David Lightman, Hacker Extraordinaire, WarGames (1983)

A case for written security policies.

David Lightman was correct. People do make mistakes. Joshua knew it. You know it. And the cyber criminals know it. They wait for your employees to make a mistake, then they swoop in to clean out your bank account or steal your data.

According to the Verizon 2019 Data Breach Investigations Report (DBIR), 35% of all breaches are the result of human error. Depending on the industry you are in, that number can be even higher. This means that your employees most likely represent your biggest vulnerability. However, it also means they can be your best defense if they are trained properly and practice good cyber hygiene.

Business owners, the C-suite and every employee need to know what is required of them to protect the business’s brand, its bank account and its customers. Everyone in your company needs to know their role, tasks, and responsibilities in both preventing and responding to attacks.

So, how do you instruct your employees on how to avoid mistakes? Just as important, how do you train your employees to react when a mistake is made?

The answer is… written security policies.

Put simply, every company needs to start laying the foundation of its cyber security program with written security policies. The SANS Institute defines a security policy as “a well-written strategy on protecting and maintaining availability to your network and its resources.” In other words, security policies are documents that tell employees:

  • What to do

  • Who is responsible for doing it

  • When it needs to be done

Companies commonly use several different types of policies to define their security strategy, such as acceptable use of company assets, mobile device use, network security, passwords, access control, physical security, and security awareness training.

Policies should be a cornerstone of every cyber security program.

Besides being a “best practice”, written security policies are often required for compliance purposes. For example, the following is a list of the most common laws and regulations that require written policies:

  • NIST SP800-53 & 171

  • PCI v3.2.1

  • HIPAA

  • GDPR

  • 23 NYCRR 500

Requirements for written policies can also be found in cyber insurance policies. Check those exclusions!

Convinced you need written policies? Great! Here’s a link to the free SANS templates.

Still not sure you need them? Well, the Verizon 2019 DBIR reports that 43% of all cyberattacks target small businesses. While it is true that the plunder might not be as great as from breaching a large company, the bad guys go after small businesses because they don’t have the money or expertise to mount a formidable defense. To make matters worse for SMBs, according to the Ponemon Institute, the average post-breach cost for US companies is about $690,000. The amount varies according to the size of the business and its industry, but you get the idea. Unfortunately, for at least 60% of small businesses, a breach also means the death of the company within 6 months.

So why don’t more small businesses have cyber security programs built on a foundation of written policies? The answer is simple. Small businesses usually lack:

  • Awareness: They don’t know they need them.

  • Expertise: They don’t know how to create them.

  • Finances: They don’t have the $$$ needed to spend on professional help.

At URS, we remove these roadblocks by offering The URS Policy Genie.

The Policy Genie is a low-cost, easy-to-use tool that builds your customized policies for you. The genie asks you some important questions regarding your business and its risk appetite. And in under an hour, voilà, you have 19 comprehensive policies delivered to your inbox… all for less than you would typically spend on 1 policy created by a consultant.

If you have compliance needs, we also offer PCI, HIPAA and GDPR versions of the policies.

So now you have no excuse! You have the awareness. URS has the expertise you can afford. Reach out to us. Let’s start making your policies together. 610.755.0728 or 800.55.HELPS

Remember, a strong cybersecurity program is much more than just a firewall and antivirus. To be prepared for today’s threats, a layered defense (defense in depth) should be implemented by every company, regardless of size.

About Ultimate Risk Services

At URS, we have a layered solution for every need and any budget.

Highlights of our solution are:

  • Helps you navigate the cybersecurity maze.

  • Budget friendly! Available as a low-cost monthly subscription.

  • Something for everyone! Subscription levels designed with small business in mind, yet robust enough to scale to large enterprises.

  • Does not require full-time IT staff.

  • Gives you peace of mind.

So how does it work? What does the subscription give you?

Depending on your subscription level, your 5 Steps may include:

  • An “Always On” Unified Security Management system that safeguards your network, systems, users, and data

  • Security Policies and Plans created via an easy to use Online Wizard

  • Customizable Online Training

  • Automated Hardware and Software Inventory Tool

  • Automated Vulnerability Assessments

  • A Breach Coach for when the bad guys get in

  • Much more

To take a deeper look into our five steps click here.

Want to speak with one of our experts? Or are you ready to protect your assets now? Contact us at:

610.755.0728 or 800.55.HELPS
