Quick! Grab the fire extinguisher! Lisa. In accounting. Her hair is on FIRE!
You would probably know what to do in this situation - grab the fire extinguisher. Someone else has already called 911.
But what if your company experiences an information security threat?
A team member finds a USB drive in the parking lot. Intending to return it to its rightful owner, they plug it into a company computer, and then it happens.
Ransomware is installed, threatening to take hold of the company’s entire network. The whole company is at risk. What should this team member do? Who should they call? And who is in charge of grabbing the fire extinguisher? If you can’t answer these questions, you aren’t alone.
According to Cisco's 2023 Cybersecurity Readiness Index, fewer than 15% of companies in the US were considered to be at a mature level of preparedness to handle a security threat. Chances are that your company wasn't one of them.
So, what can you do to remedy this? How can your company and team prepare to handle a security threat? The answer: Information Security Policies and Procedures.

What is Information Security?
Information Security, or InfoSec, is an umbrella term for the tools, policies, and procedures that companies use to secure their physical and digital information.
Having documented policies and procedures in place helps you and your team navigate when something unexpected occurs. Whether it’s a malicious USB, phishing email, scam call, or any other tactic, having a step-by-step guide to follow can help you and your team feel more prepared to handle a security threat and maintain business continuity, so you don’t have a “hair-on-fire” moment.
What are policies and procedures?
In simple terms, a policy is a rule, and a procedure is the action behind it.
For example, a company's policy might state that all suspicious computer activity must be reported to the IT department. The procedure behind that policy might be for the employee who just plugged in the USB drive to leave the computer exactly as it is (don't try to clean it up, don't keep working on it) and immediately call the IT department to report what happened.
Upon hearing the severity of the problem, the IT department follows its own procedures: isolate the affected machine from the network so the ransomware can't spread, advise the employee, notify the rest of the company, and escalate to the Information Security Officer. These procedures continue down the line until the issue is resolved or mitigated.
It seems practical and easy to remember: suspicious activity on your computer? Call the IT department! But you'd be surprised how quickly something you were told on your first day on the job is forgotten in an immediate crisis if the policy hasn't been repeated and the procedure hasn't been practiced.
That’s why it is necessary to have a policy and procedures document easily accessible for every employee. They can look up their problem and take immediate action. The sooner the company is alerted to the problem, the sooner it can be addressed, and the sooner the risk can be managed.
Why is it essential to document policies and procedures?
Writing and implementing your company’s policies and procedures can be time-consuming and overwhelming. It’s a heavy subject, and if your company doesn’t have an in-house security officer or team, you might think hiring outside consultation will be pricey. But if you don’t spend money now, it may cost you your entire company. It sounds dramatic, but if a malicious USB can infiltrate your company’s entire network, it can access information about your company, vendors, clients, and more. It puts your company’s reputation on the line as well as its financial liability.
Documenting your policies and procedures is about setting down clear objectives and expectations for when your company faces a security risk. Should one of these “set-your-hair-on-fire" moments happen, it gives you the steps for business continuity, disaster recovery, risk management, and incident response, ultimately helping you extinguish the fire.
What Should be Included?
Business Continuity
Things happen, whether it’s a cybersecurity attack or a natural disaster, but that shouldn’t stop your business from running. That’s where a business continuity plan comes into play. Business continuity is a company’s ability to maintain or resume a deliverable product or service after a disruption.
Consider what your company would need to maintain its deliverable products or services after a security breach. What contingencies would need to be put into place if you experienced a prolonged power outage? Or if your business needed to move to a different location? These scenarios and more should be accounted for and outlined in your policies and procedures under a business continuity plan or strategy.
Disaster Recovery
While a business continuity plan outlines how the business keeps going, a disaster recovery plan focuses on the IT systems and data those operations depend on: which systems must be restored, in what order, how quickly they need to be back (the recovery time objective), and how much data you can afford to lose (the recovery point objective).
Regular, tested backups (including an offline or immutable copy that ransomware on the network can't reach) and an up-to-date hardware and software inventory make this process faster and minimize the impact a security threat could have on your business. A backup that has never been restored is a hope, not a plan.
Risk Management
How risky is your business? Ok, probably not Tom Cruise in his underwear risky, but every business has a level of risk. Business risk depends on many factors and should be assessed realistically. All businesses have some form of acceptable risk. We can think of it as a "how many hairs are allowed to be on fire" level, or maybe just a slightly burning bleach treatment level is acceptable. You decide.
Risk management is about identifying, assessing, and treating risks related to the IT portion of your business. Think about your company’s golden eggs, crown jewels, the meat of the matter, aka your business assets. Those assets need to be protected.
During a risk assessment, these assets are identified, along with the vulnerabilities that could expose them and the threats likely to exploit those vulnerabilities. Some assets will already have a specific control in place that resolves or mitigates a threat, while others may still be exposed. Comparing the risk that remains after your existing controls with the level you've decided is acceptable tells you which risks need treatment first, and that is what a risk management strategy is built on. It's how you maintain, or eliminate, your "hair-on-fire" level.
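To make the assessment concrete, here is an added example (not code from the original article, and not any particular framework's official method) of a small qualitative risk register. It assumes a 1-to-5 likelihood times impact scoring scale, a hypothetical acceptable-risk threshold, and a constructed set of assets, threats and controls; the `Risk`, `Control` and `assess` names are ours. The point it shows that the paragraph doesn't is the difference between inherent risk (no controls) and residual risk (after the controls you already have), and that only residual risk above the threshold needs a treatment decision.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE = range(1, 6)  # assumed scale: 1 = lowest, 5 = highest


@dataclass
class Control:
    """An existing safeguard and how many points it knocks off likelihood/impact."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One row of the register: an asset, a threat to it, the weakness that
    would let the threat in, and the controls already protecting it."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.asset}: likelihood and impact must be 1..5")

    def inherent_score(self) -> int:
        """Risk with no controls in place at all."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining after the listed controls; never below 1 x 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def assess(risks: List[Risk], acceptable: int) -> List[Tuple[str, str, int, int]]:
    """Return (asset, threat, inherent, residual) for every risk whose residual
    score is above the acceptable level, worst first. These are the rows that
    need a treatment decision: add a control, transfer, avoid, or formally accept."""
    over = [r for r in risks if r.residual_score() > acceptable]
    over.sort(key=lambda r: r.residual_score(), reverse=True)
    return [(r.asset, r.threat, r.inherent_score(), r.residual_score()) for r in over]


# Constructed sample register for illustration only (not real company data).
SAMPLE_REGISTER = [
    Risk("file server", "ransomware", "removable media allowed on workstations", 4, 5,
         [Control("block removable media by policy", likelihood_reduction=2),
          Control("offline, tested backups", impact_reduction=2)]),
    Risk("email accounts", "phishing credential theft", "no multi-factor authentication", 5, 4,
         [Control("security awareness training", likelihood_reduction=1)]),
    Risk("marketing website", "defacement", "outdated CMS plugin", 3, 2),
    Risk("customer database", "SQL injection", "unparameterised queries in web app", 3, 5,
         [Control("web application firewall", likelihood_reduction=1)]),
]
ACCEPTABLE_RISK = 6  # assumed "how many hairs may be on fire" threshold

if __name__ == "__main__":
    for asset, threat, inherent, residual in assess(SAMPLE_REGISTER, ACCEPTABLE_RISK):
        print(f"{asset:18} {threat:28} inherent={inherent:2} residual={residual:2} -> needs treatment")
```

With this sample data the file server's ransomware risk scores 20 before controls but only 6 after blocking removable media and keeping offline backups, so it sits at the threshold and can be accepted; the phishing risk (16) and the SQL injection risk (10) come out on top of the treatment list. The numbers are assumptions, but the workflow is the one the section describes: find the assets, find what threatens them, credit the controls you already have, and spend your effort on what is still above your acceptable level.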
Incident Response
On your mark, get set, respond! Well, in this case, prepared and steady wins the race.
A company's processes for responding to a security risk, cybersecurity breach, or cybersecurity threat are called incident response. Usually, the plan is put together by the Chief Information Security Officer or the information security team to identify the tools and practices to use in the event of an incident.
The goal of an incident response plan is not to prevent attacks (that is what your controls are for) but to make sure that when one gets through, it is detected quickly, contained before it spreads, eradicated, and recovered from, with lessons fed back into your policies. Done well, that minimizes disruption of your company's daily processes and its financial liability.
Who Should Write the Policies and Procedures?
For a thorough analysis and audit of your business's risk, it's best to leave it to the professionals to get solid documentation in place. If you have an in-house or contracted Chief Information Security Officer, they should advise you on what's best for your business. Another option is hiring a reputable contractor if you don't have a team of Information Security professionals at your disposal.
When Should Your Company’s Policies and Procedures be Written?
Now. Three minutes from now. Scratch that. They should have been written at the start of your company. But don’t panic!
Remember that 15% figure from earlier? There are a whole slew of businesses operating at less than mature levels, and possibly non-existent levels, of preparedness for a security threat. That doesn’t mean they aren’t going to experience a “hair-on-fire” moment in the future. It also doesn’t mean it’s too late to write your company’s policies and procedures. The best time to get started is now.
The Results of Having Your Company’s Policies and Procedures in Place
Lisa set her hair on fire, but it’s been handled in stride. Having the right plans, tools, and people in place, aka policies and procedures, has allowed Lisa to walk away with only some frayed ends. Also, let’s implement an “only sniff the candles when they aren’t lit” policy. It seems obvious now, but you know, we’re always learning.
Having your information security policies in place and practicing the procedures will put your company well on its way to being resilient. This will make it more adaptable and prepared when an incident occurs. Your business also becomes easier to audit and has a better foundation for your organization to stand on.
If writing and implementing your company’s policies and procedures seems daunting, contact us! We help businesses like yours with documentation, actionable steps, and practices so no one’s hair is completely inflamed when an incident occurs.