What Needs to be Included in Your IT Security Policy?

IT security

May 20, 2019

Every modern business needs an IT security policy. This can seem like a daunting task for companies that do not focus on technology or security, but creating a comprehensive security strategy is actually quite simple. We will dive into what points need to be included in every IT security policy and our reasoning behind these specifications.

Include all electronics

"In a recent study, nearly 90% of enterprises say they have suffered at least one data loss through unsecured printing."
– Affinity Enterprises

Most of the technology we rely on to run our businesses is connected to larger systems, often referred to as the Internet of Things (IoT). This integration gives us greater access to and flexibility with our electronics, but it also expands the risk associated with every device we own. Even technology that you wouldn't normally associate with IT needs to be included in the policy, because it can expose your business information if ignored. Copiers, for example, store scanned and printed documents in their memory, and modern phone systems include features that tie into your email and other internal correspondence. Even thermostats (if they are controlled remotely over Wi-Fi) can be, and have been, hacked. Criminals can take control of your building's temperature, raising or lowering it to unbearable levels until a ransom is paid.

Stay up-to-date

"Businesses typically took 38 days to patch/upgrade web application vulnerabilities regardless of severity"
– Security Report for In-Production Web Applications

We'll be honest: software updates are frustrating. If they don't require you to restart your device, they temporarily slow your programs down, and they can even permanently reduce performance on older hardware. However, they are necessary for your technology's security, because putting off updates significantly increases your cybersecurity risk. Software updates include patches that fix and improve your programs' security, keeping your technology current against the latest threats and strategies used by hackers. Eventually, developers stop updating a piece of software altogether, in a process known as End of Support or End of Life. When this happens, the software is left vulnerable because it can no longer receive security updates. An example of this occurred in 2017, when Windows XP, which had reached End of Life, left its users exposed to the WannaCry ransomware cryptoworm, which held their information for ransom.

Continual education

According to the 2018 Cost of Data Breach, 25% of data breaches in the U.S. are triggered by human error.

"I didn't go to school for this!" Protests aside, your employees need to understand that your company's IT security is not solely the responsibility of your IT department or IT service provider; everyone has to be engaged in secure business practices. Luckily, the user-facing side of IT security is not a complicated skill to learn. Updating passwords, watching out for phishing emails, and recognizing the signs of a data breach should be par for the course for your employees. Regular email reminders, interactive quizzes, and presentations are a few ways you can, and should, keep cybersecurity education active within your organization.

Plan ahead

"There are 3,776,738 data breaches per day" – Backupify.com

We won't say that a breach is inevitable, but we will say that you should act as if it is. If a breach is detected, your IT professionals or service providers should be able to act immediately to contain it. The longer a breach goes undetected, the more business information and systems a criminal can access or hold for ransom, and the more downtime your business suffers. A backup and recovery solution is necessary to limit these damages and get your company up and running as soon as possible afterwards.

The majority of small and medium-sized businesses have a single employee responsible for their IT, which means that, unless that person is an insomniac workaholic, your systems are left unmonitored more often than not, a very dangerous position to be in from a security perspective. Milner's Managed IT Service provides employee training, 24/7/365 network monitoring, and unlimited expert support from our Network Operations Center.

Unsure if your network is secure? Schedule a free network assessment with us today to get insight into your network's infrastructure, or contact a Milner expert today.