10 Things to Include in Your Employee Cyber Security Policy

Author: Randy Abrams, Sr. Security Analyst, OPSWAT.

When addressing cyber security threats, insider threats have come to the forefront. Insider threats are one of the leading causes of breaches. However, insider threat does not mean the insider has malicious intent. Much of the time the threat is the unwitting user making a mistake, such as acting on a phishing email, which in turn leads to a breach. According to the Dtex Systems 2019 Insider Threat Intelligence report, 64% of insider threats were caused by careless behavior or human error. Insider threats go beyond falling for phishing attacks. The 2019 IBM X-Force Threats Intelligence Index lists misconfigured systems, servers, and cloud environments as one of the two most common ways that inadvertent insiders leave organizations open to attack. You cannot eliminate human error; however, by providing clear cyber security guidelines and regular employee training, you can reduce the frequency and severity of incidents.

The first step in reducing the role of human error in cyber security incidents is to set up a cyber security policy and to provide education for employees to teach the do's and don'ts of cyber security. Here is a list of ten points to include in your policy to help you get started.

1. Emphasize the Importance of Cyber Security

Start off by explaining why cyber security is important and what the potential risks are. Stolen customer or employee data can severely affect individuals involved, as well as jeopardize the company. It is essential that employees can quickly find where to report a security incident. Do not rely upon a user to remember which internal site to search for the contact information; be sure it is in an intuitive location. Perhaps replace the password written on the sticky note with the information required to report an incident!

2. Teach Effective Password Management

Passwords can make or break a company's cyber security system. Include guidelines on password requirements. NIST Special Publication 800-63 Revision 3 contains significant changes to suggested password guidelines. Emphasize to employees that they must not use the same passwords on different sites. Walk the talk. If employees are expected to remember multiple passwords, supply the tools required to make it less painful. A password manager is of significant value. Multi-factor authentication decreases the impact of a compromised password, even if it is the master password for the password manager.

3. Teach Employees How to Identify Phishing and Other Scams

Educate employees about various kinds of phishing emails and scams, and how to spot something fishy. If employees receive an email that looks out of the ordinary, even if it looks like an internal email sent by another employee, they must check with the sender first before opening attachments or clicking on links. It is best to verify with the sender via phone or in person. When an email account has been hijacked, it is the attacker who will reply to an emailed inquiry about the validity of the message. Whenever possible, go to the company website instead of clicking on a link in an email. For example, if an email from LinkedIn has a link in it, type in www.linkedin.com and log into your account to view the message.

4. Apply Updates and Patches

Modern operating systems, anti-malware programs, web browsers, and other applications regularly update themselves, but not all programs do. When employees install unapproved software, the IT department may be unaware of unpatched vulnerable applications on their assets. Verifying that operating systems and applications are at current patch and version levels is the responsibility of the IT department. A failure to ensure the status of the endpoints and servers falls in the realm of the unintentional insider threats posed by system misconfiguration, etc. Regular vulnerability scanning and system auditing must be performed.

5. Protect PII

Attackers are often after confidential data, such as credit card data, customer names, email addresses, and social security numbers. When sending this information outside of the organization, it is important that employees understand they cannot just send the information through email. A secure file transfer system must be used that encrypts the information and only allows the authorized recipient to access it.

6. Lock Computers and Devices

When employees leave their desks, they must lock their screens or log out to prevent any unauthorized access. Employees are responsible for locking their computers; however, the IT department should configure inactivity timeouts as a failsafe. Laptops must also be physically locked when not in use.

7. Secure Portable Media

Lost or stolen mobile phones pose a significant threat to the owner and their contacts. The use of screen locks for these devices is essential. Storage, such as external MicroSD cards and hard drives in laptops, must be encrypted. When bringing in portable media such as USB drives and DVDs, it is important to scan these devices for malware before accessing resources such as work computers and the network.

8. Report Lost or Stolen Devices

Advise employees that stolen devices can be an entry point for attackers to gain access to confidential data and that employees must immediately report lost or stolen devices. Often the IT department can remotely wipe devices, so early discovery can make all the difference.

9. Take an Active Role

Explain that employees must use common sense and take an active role in security. If they see suspicious activity, they must report it to their IT administrator. If employees become aware of an error, even after it has happened, reporting it to IT means actions can still be taken to mitigate damage. Cyber security is a matter that concerns everyone in the company, and each employee needs to take an active role in contributing to the company's security. If an employee fears losing their job for reporting an error, they are unlikely to do so. Make sure that employees can be comfortable reporting incidents.

10. Apply Privacy Settings

Inform employees that it is highly recommended to apply maximum privacy settings on their social media accounts such as Facebook and Twitter. Ask them to make sure that only their contacts can see their personal information such as birth date, location, etc. Limiting the amount of personal information that is available online will reduce the effectiveness of spearphishing attacks. Be especially vigilant about noticing anything even slightly suspicious coming from a LinkedIn contact. A compromised LinkedIn contact's account can allow for some of the most sophisticated social engineering attacks.

New hire orientation should include cyber security policy documentation and instruction. Provide regular cyber security training to ensure that employees understand and remember security policies. A fun way to make sure that employees understand the policy is to have a quiz that will test their actions in example situations.

In addition to informing and training employees, companies need to ensure that a system is in place for monitoring and managing computers & devices, that anti-malware multiscanning is used to ensure safety of servers, email attachments, web traffic and portable media, and that employees can transfer confidential files securely. Read more about further measures that companies can take to avoid data breaches.
