A case for Written Security Policies.
“People sometimes make mistakes.” - David Lightman, Hacker Extraordinaire, WarGames (1983)
David Lightman was correct. People do make mistakes. Joshua knew it. You know it. And the cyber criminals know it. They wait for your employees to make a mistake, then they swoop in to clean out your bank account or steal your data.
According to the Verizon 2019 Data Breach Investigations Report (DBIR), 35% of all breaches are the result of human error. Depending on the industry that you are in, that number can be even higher. This means that your employees most likely represent your biggest vulnerability. However, it also means they can be your best defense if they are trained properly and have good cyber hygiene.
owners, the c-suite and every employee need to know what is required of them to protect the business’ brand, its bank account and its customers. Everyone in your company needs to know their role, tasks, and responsibilities in both preventing and responding to attacks.
So, how do you instruct your employees on how to avoid mistakes? Just as important, how do you train your employees to react when a mistake is made?
The answer is…
Written Security Policies.
Put simply, every company needs to start laying the foundation of their Cyber Security Program with written security policies. The SANS Institute defines a security policy as, “a well-written strategy on protecting and maintaining availability to your network and its resources.” In other words, security policies are documents that tell employees:
- What to do
- Who is responsible for doing it
- When it needs to be done
Companies commonly use several different types of policies to define their security strategy, such as acceptable use of company assets, how to use mobile devices, how to secure the network, passwords, access control, physical security, and security awareness training.
be a cornerstone of every cyber security program.
Besides being a “best practice”, written security policies are often required for compliance purposes. For example, the following is a list of the most common laws and regulations that require written policies:
SP800-53 & 171
for written policies can also be found in Cyber Insurance Policies. Check those
Convinced you need written policies? Great! Here’s a link to the free SANS templates.
Still not sure you need them? Well, the Verizon 2019 DBIR reports that 43% of all cyberattacks target small businesses. While it is true that the plunders might not be as great as breaching a large company, the bad guys go after small businesses because they don’t have the money or expertise to mount a formidable defense. To make matters worse for SMBs, according to the Ponemon Institute, the average post breach cost for US companies is about $690,000. The amount varies according to the size of the business and its industry, but you get the idea. Unfortunately, for at least 60% of small businesses, that means a breach will also ensure the death of the company within 6 months.
So why don’t more small businesses have cyber security programs built on a foundation of written policies? The answer is simple. Small businesses usually lack:
- Awareness: They don’t know they need them.
- The Expertise: They don’t know how to create them.
- Finances: They don’t have the $$$ needed to spend on professional help.
At URS, we remove these roadblocks by offering The URS Policy Genie. The Genie is a low cost, easy to use tool that builds your customized policies for you. The Genie asks you some important questions regarding your business and its risk appetite, and in under an hour, voila, you have 19 comprehensive policies delivered to your inbox… all for less than you would typically spend on 1 policy created by a consultant.
If you have compliance needs, we also offer PCI, HIPAA and GDPR versions of the policies.
So now you have no excuse! You have the awareness. URS has the expertise you can afford. Reach out to us. Let’s start making your policies together. 610.755.0728 or 800.55.HELPS
Remember, a strong Cybersecurity Program is much more than just a firewall and antivirus. To be prepared for today’s threats, a layered defense (defense in depth) should be implemented by every company, regardless of size.
About Ultimate Risk Services
At URS, we have a layered solution for every need and any budget.
Highlights of our solution are:
- Helps you navigate the Cybersecurity maze.
- Budget friendly! Available as a low cost monthly subscription.
- Something for everyone! Subscription levels designed with small business in mind. Robust enough to scale to large enterprises.
- Does not require full-time IT staff.
- Gives you peace of mind.
So how does it work? What does the subscription give you?
Depending on your subscription level, your 5 Steps may include:
- An “Always On” Unified Security Management system that safeguards your network, systems, users, and data
- Security Policies and Plans created via an easy to use Online Wizard
- Customizable Online Training
- Automated Hardware and Software Inventory Tool
- Automated Vulnerability Assessments
- A Breach Coach for when the bad guys get in
- Much more
To take a deeper look into our five steps click here.
Want to speak with one of our experts? Or are you ready to protect your assets now? Contact us at:
610.755.0728 or 800.55.HELPS