Cybersecurity is an Important Issue for All Businesses, Large and Small
This is especially true for businesses in the communications sector. Not only do you have customers and business partners to consider in your security efforts, but the telecommunications industry is inherently connected in one way or another to the world’s vast communications networks, making you a target for bad actors. Cybersecurity should be a concern for each and every employee in an organization, not only CO technicians, IT professionals and managers but also those in the trenches (sometimes quite literally) doing everyday tasks.
One effective way to educate employees on the importance of security is a cybersecurity policy that explains each person’s responsibilities for protecting IT systems, company, and customer data as well as (potentially) their very jobs. A cybersecurity policy sets the standards of behavior for activities such as the encryption of email attachments and restrictions on the use of social media among other things.
Cybersecurity policies are important because cyberattacks and data breaches are potentially costly. At the same time, employees are often the weak links in an organization’s security. Employees share passwords, click on malicious URLs and attachments, use unapproved cloud applications, and neglect to encrypt sensitive files. A recent significant report on data exfiltration found that people inside the organizations caused 43% of data loss, one-half of which was accidental. Improved cybersecurity policies can help employees and their leadership better understand how to maintain the security of data, applications, and operations.
These types of policies are especially critical in organizations that operate in heavily regulated industries such as telecommunications, healthcare, finance, or insurance. These organizations run the risk of large penalties if their security procedures are deemed inadequate.
Even small telecom companies are subject to federal rules and requirements, are expected to meet minimum standards of cybersecurity, and could be prosecuted for a cyberattack that results in loss of consumer data if the organization is deemed negligent. Some states, such as California and New York, have instituted information security requirements for organizations conducting business in their states.
Cybersecurity policies are also critical to the public image and credibility of an organization. Customers, partners, shareholders, and prospective employees want evidence that the organization can protect its sensitive data. Without a cybersecurity policy, an organization may not be able to provide such evidence.
Defining a Cybersecurity Policy
Typically, the first part of a cybersecurity policy describes the general security expectations, roles, and responsibilities in the organization. Stakeholders include outside consultants, IT staff, financial staff, etc. This is the “roles and responsibilities” or “information responsibility and accountability” section of the policy.
The policy may then include sections for various areas of cybersecurity, such as requirements for antivirus software or the use of cloud applications. The policy should include a remote access policy, a wireless communication policy, a password protection policy, an email policy, and a digital signature policy.
For large telecom organizations a cybersecurity policy is often dozens of pages long. For smaller telecom providers, a security policy might be only a few pages and cover basic safety practices. Such practices might include:
- Rules for using email encryption.
- Steps for accessing work applications remotely.
- Guidelines for creating and safeguarding passwords.
- Rules on the use of social media.
Regardless of the length of the policy, it should prioritize the areas of primary importance to the organization. That might include security for the most sensitive or regulated data, or security to address the causes of prior data breaches. A risk analysis can highlight areas to prioritize in the policy.
The policy should also be fairly simple and easy to read. Include technical information in referenced documents, especially if that information requires frequent updating. For instance, the policy might specify that employees should encrypt all personal identifiable information (PII). However, the policy does not need to spell out the specific encryption software to use or the steps for encrypting the data.
Who Should Write the Cybersecurity Policies?
The IT department or your IT professional on staff (for smaller organizations) and senior management are primarily responsible for all information security policies. However, board members and outside consultants (including your insurance broker) usually contribute to the policy, depending on their expertise and roles within the organization. Below are the key stakeholders who are likely to participate in policy creation and their roles:
- Senior executives define the key business needs for security, as well as the resources available to support a cybersecurity policy. Writing a policy that cannot be implemented due to inadequate resources is a waste of time.
- The legal department (or company attorney) ensures that the policy meets legal requirements and complies with government regulations.
- The HR department is responsible for explaining and enforcing employee policies. HR personnel ensure that employees have read the policy and discipline those who violate it.
- The accounting and/or procurement departments are responsible for vetting cloud services vendors, managing cloud services contracts, and vetting other relevant service providers. These personnel may verify that a cloud provider’s security meets your organization’s cybersecurity policies and verify the effectiveness of other relevant outsourced services.
- Board members of companies, cooperatives and associations review and approve policies as part of their responsibilities. They may be more or less involved in policy creation depending on the needs of your organization.
Updating and Auditing Cybersecurity Procedures
Technology is continuously changing. Update cybersecurity procedures regularly, ideally once a year. Establish an annual review and update process and involve the key personnel who contributed to the original policy.
When reviewing your cybersecurity policy, compare the policy’s guidelines with the actual practices of your organization. A policy audit or review can pinpoint rules that no longer address current work processes. An audit can also help identify where better enforcement of the cybersecurity policy is needed.
It is suggested that you consider the following three policy audit goals:
- Compare your organization’s cybersecurity policy to actual practices.
- Determine your organization’s exposure to internal threats.
- Evaluate the risk of external security threats.
An updated cybersecurity policy is a key security resource. Without one, end users can make mistakes and cause data breaches. A careless approach can cost your organization substantially in fines, legal fees, settlements, loss of public trust, and brand degradation. Creating and maintaining a policy can help prevent these adverse outcomes.
One interesting point to keep in mind as you consider this subject is that of cybersecurity insurance. You will need a solid cyber insurance broker/partner that will support your cybersecurity program and provide high quality coverage that will play a key role in any recovery that might be necessary. Remember, it is commonplace now for top tier insurance carriers to insist on professional risk assessments and having a written cybersecurity control policy in place before they will even consider you for coverage.
The loss prevention information and advice presented in this document is intended only to advise our clients, customers and business partners of a variety of methods and strategies based on generally accepted safe practices, for controlling potentially loss producing situations commonly occurring in business premises and/or operations. They are not intended to warrant that all potential hazards or conditions have been evaluated or can be controlled. They are not intended as an offer to provide insurance coverage for such conditions or exposures, or to imply that UNITEL Insurance or UNICO Group will provide such coverage. The liability of UNITEL Insurance or UNICO Group is limited to the specific terms, limits and conditions of the insurance policies issued, if any.