The Importance of Cybersecurity Policies – Day 26 of Cybersecurity Awareness Month
Shelly Miller 00:06
We enjoy a free country governed by the rules of law, which is written for us. So we know what we should do and what we should not do. I mean, I think back to when I took Driver’s Ed and studied a driving manual to get my driver’s license. So why then don’t more businesses have written rules or governance policies outlining acceptable behaviors and requirements for operating computers and securing the data in our businesses from compromise and harm?
With us to dive into this question today is Craig Taylor, CEO and Co-Founder of CyberHoot, an awareness training and cybersecurity program service in the cloud. Craig, why do businesses need cybersecurity policies?
Craig Taylor 00:44
Well, I appreciate that question very much. We have policies that we watch and read the rules of the road for how to drive, but we don’t have them in most companies for how to operate a computer.
And yes, you can drive a car and kill somebody if you’re not paying attention or you don’t know what you’re doing. But computers can lead to the death of our companies if we infect ourselves with ransomware, or something along those lines. So policies that help guide your employees, governance policies in the cybersecurity space, are really helpful for setting high-level expectations with your employees on their expected behaviors relating to technology and the operation of a computer. You have in this graphic in front of you other documents that are needed to run a business: control objectives, standards, procedures and guidelines.
But at the beginning, any company should be looking at rolling out a set of governance policies. And to explain that a little bit better, I want to explain for you the difference between discretionary and mandatory controls. Because technology plays heavily into that on the mandatory side. But governance policies play heavily into that on the discretionary side.
So for example, discretionary controls are actions and behaviors freely decided or acted upon by your own employees at their free will. Mandatory controls are actions and behaviors that are imposed upon them or controlled by the technology. If you remove administrative access from your users at your company, which I highly recommend, they can’t install any software of their own; they need to get the IT department to do it. That’s a mandatory control. But if they have that administrative access, they can install anything they want from anywhere at their discretion, and that could be a really significant problem, probably
Shelly Miller 02:35
Okay. So for example, a discretionary control while I’m driving is the speed limit. Unlike most others, I can honor the speed limit if I want to, but it’s at my discretion, it’s my choice. So Craig, what’s an example of a mandatory control while driving?
Craig Taylor 02:52
So that’s a great question. So on the one hand, the speed limit is your discretion. On the other hand, a mandatory control is a governor, which is often installed on rental vehicles and limits how fast you can drive. That’s a good example of the difference between discretionary and mandatory, and it’s a good analogy for technology and the administrative rights that I just spoke about.
So allowing everyone administrative access to their computer gives them discretionary control to do anything, anything they want. And some of that could be quite harmful. Not purposefully, but accidentally. On the other hand, taking it away can make it more secure by having a mandatory control.
Shelly Miller 03:39
Okay, that makes perfect sense. So now back to cybersecurity policies, why do I need them and what should I focus on for my MSP or my small business? Good question.
Craig Taylor 03:49
And almost every company we walk into to do cybersecurity program development under the CyberHoot vCISO program, we start with four policies and two processes. The policies are a password policy, an acceptable use of computers policy, a written information security policy, and an information handling policy.
These outline the discretionary controls that employees must follow. And I’ll give you two examples. Password policies have requirements around the length of passwords, storing those passwords in a password manager, and enabling two-factor authentication. If you sign up for a SaaS application in the cloud, your company might not have control over that. And if you pick your weakest password that you’ve used in 25 other places to access that critical cloud application, maybe it’s Salesforce or something else, you’re putting your company at risk. And therefore the password policy is meant to remind you and set high-level objectives: that you need to choose a 14-character password for Salesforce and put it into your password manager, which allows it to be a unique password, and then perhaps even tie two-factor authentication to that account.
On the information handling side, we have prescriptions in there that are all discretionary for you. If you’re an accounting firm or a tax firm, and you’ve got people’s social security numbers in their tax returns, in their financial data, you need to shred that when it’s no longer needed, when that file is closed and it’s never going to be referenced again: shred those documents.
And while you’re using it, you know, have it out on your desk when you’re doing the tax return for your employee. But if you go to lunch, put it away, lock it up. You don’t want to have someone, or overnight the cleaning staff, come in and take photographs of all the identity information and steal your clients’ identity, because it will be tracked back to your firm.
And that could be a really devastating event for your brand. So in summary, policies allow you to set high-level expectations with your employees on protecting the data entrusted to your company and to them when technology can’t. Over time, those are augmented by control objectives, standards, procedures and guidelines, right.
However, by setting these policy requirements, you can help employees make independent decisions to protect your company in very important ways and hopefully reduce the chance of a compromise.
Shelly Miller 06:19
Okay, very good.