Welcome back to the Third Week of Cybersecurity Awareness Month. Last week, we looked at cybersecurity policies, our 2nd Cybersecurity Pillar.
These policies outline general security expectations, roles, and responsibilities. In essence, they are the rules that govern the organization’s security posture.
However, cybersecurity policies are NOT a step-by-step guide.
But what if you had a cybersecurity cookbook with recipes that walk your staff through each security measure? And if such a book existed, would you use it?
Hopefully, the answer is yes, because having recipes for a successful cybersecurity posture is a no-brainer.
In the cybersecurity space, those recipes are cybersecurity procedures. And if you have been following along, you already know they make up our 3rd Pillar of durable data security.
Today, we are going to take a detailed look at cybersecurity procedures and how these processes help organizations #BeCyberSmart.
But before we get to our must-have procedures, let’s outline what a cybersecurity procedure is.
What is a Cybersecurity Procedure?
In cybersecurity, procedures are step-by-step instructions on how to achieve security measures.
Procedures work together with policies.
If a cybersecurity policy is a high-level document made of general directives, then the procedure is a detailed document that illustrates how to accomplish that policy.
Let’s use a cybersecurity awareness training policy as an example. The policy will NOT tell you how to conduct that training. Instead, it states the basics, like requiring training once a quarter.
And that is where the procedure comes into play.
Your cybersecurity procedure may state that your IT department hosts these training sessions. It may also state that these sessions use third-party training modules and videos.
So, as you can see, the cybersecurity procedure gets down to the nitty-gritty in detail.
Before we continue, I want to point out that procedures are living documents. That means they need regular updates whenever your technology, staffing, or vendors change.
Old procedures for outdated technology will not serve you well. The same goes for policies.
Why should an SMB implement Cybersecurity Procedures?
Cybersecurity procedures are your organization’s cybersecurity playbook.
And with cyberattacks on the rise, doing your part is more critical than ever for SMBs.
On top of that, many SMBs think they are too small to gain the interest of a cybercriminal. As a result, they do not always have written cybersecurity policies and procedures. They instead use a word-of-mouth system.
This mindset MUST change.
Here is the cold, hard truth: cybercriminals do not discriminate when it comes to data.
And because SMBs often have fewer security resources and less mature defenses, they make attractive targets for bad actors.
Luckily, SMBs can substantially improve their security by implementing policies and procedures.
To get you started, here is a look at our top procedures for SMBs. But keep in mind, these processes are only the tip of the iceberg.
Five Must-Have Cybersecurity Procedures
Hiring & Terminating Procedures
When it comes to new hires and terminations, HR should follow the same procedures for every person. Of course, what these procedures look like will depend on your organization’s needs and goals. Here are a few examples of hiring procedures:
- Run background checks on all employees and temporary employees.
- Require all new employees to sign NDA documents.
- During the training process, the new hire must review security policies with HR.
- IT sets up new employee devices before the start date.
As for terminations, your cybersecurity procedures may include the following:
- Disable the terminated employee’s accounts and revoke their active sessions, tokens, and access badges. Resetting a password alone does not end sessions that are already logged in, and any shared credentials the employee knew should be rotated.
- Collect all company-issued devices from the terminated employee.
- Remove company data and accounts from the terminated employee’s personal devices (for example, by wiping the managed work profile).
- Remind exiting employees about disclosure of private information.
Password Management Procedures
Password management is a critical pillar of keeping your company’s data confidential. In most cases, businesses allow their employees to pick their own passwords. This is fine as long as staff follow best practices for those passwords.
To keep data safe, you will want a password policy that all employees must follow.
And to pair with that policy, you’ll also want robust password creation and password management processes. Here are a couple of examples:
- Password must be at least 12 characters long.
- Password must use a combination of numbers, symbols, uppercase letters, and lowercase letters.
- Passwords must not be a dictionary word, including a dictionary word with digits tacked on or with simple letter-for-symbol substitutions.
- All passwords are to be stored in the company’s password manager.
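As an added example (not part of the original post), here is a Python check that enforces the password-creation rules listed above. It goes beyond the page in two ways: it treats a dictionary word with digits padded on or with common letter-for-symbol substitutions as still a dictionary word, and it rejects any password that appears in a known-breached list, which is what NIST SP 800-63B recommends screening against. The dictionary and the breached list are constructed sample data for this example, not real corpora.

```python
import hashlib
import re

# Rules from the procedure above: minimum 12 characters and at least one digit,
# symbol, uppercase letter and lowercase letter; not a dictionary word.
# Added beyond the page: a dictionary word with padding or "leet" substitutions
# still counts as a dictionary word, and known-breached passwords are rejected.
MIN_LENGTH = 12

# Constructed sample word list for this example; a real deployment loads a
# full dictionary file instead.
SAMPLE_DICTIONARY = {"password", "welcome", "company", "summer", "letmein", "sunshine"}

# Constructed sample of breached passwords, stored as SHA-1 hex digests so the
# checker never holds the plaintexts. Public breach lists are published this way.
SAMPLE_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("P@ssw0rd1234", "Tr0ub4dor&3")
}

# Character-class requirements: rule name -> pattern that must match somewhere.
_CLASSES = {
    "a digit": re.compile(r"[0-9]"),
    "an uppercase letter": re.compile(r"[A-Z]"),
    "a lowercase letter": re.compile(r"[a-z]"),
    "a symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Substitutions that attacker wordlists already undo: 0->o, 1->l, 3->e, 4->a,
# 5->s, @->a, $->s, 7->t, !->i.
_LEET = str.maketrans("01345@$7!", "oleasasti")


def core_word(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built from:
    drop leading/trailing digits and symbols, lowercase it, undo leet spelling.
    'Summer2024!' -> 'summer', 'P@ssw0rd1234' -> 'password'."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return stripped.lower().translate(_LEET)


def check_password(password: str,
                   dictionary: set = SAMPLE_DICTIONARY,
                   breached_sha1: set = SAMPLE_BREACHED_SHA1) -> list:
    """Return the list of rule violations; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must be at least {MIN_LENGTH} characters long")
    for name, pattern in _CLASSES.items():
        if not pattern.search(password):
            failures.append(f"must contain {name}")
    if core_word(password) in dictionary:
        failures.append("must not be a dictionary word, even with padding or substitutions")
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in breached_sha1:
        failures.append("appears in a known-breached password list")
    return failures


if __name__ == "__main__":
    for candidate in ("Summer2024!", "P@ssw0rd1234", "Viol3t-Harbor-Quill"):
        problems = check_password(candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

Note that "P@ssw0rd1234" satisfies every composition rule on the list and is still rejected: composition rules alone do not stop the passwords attackers try first, which is why the dictionary and breached-list checks matter more than the symbol requirement.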
Physical Security Procedures
When it comes to cybersecurity, we often think only about our online data. But it is just as essential to make sure your office building is secure. The last thing you want is a stranger walking out with your physical devices.
To help protect your facilities, here are a couple of basic measures:
- All entry points to the office building should always be locked.
- To enter the building, all employees must use their RFID badge.
- Any guests must sign in at the front desk before entering the rest of the building.
- No documents should be left unattended.
- All paperwork must be scanned into a secure location in the cloud. The original documents are then to be shredded.
Data Breach Response
Data breaches come in all shapes and forms. Sometimes, you will know your systems are under attack, as with a ransomware attack. Other times, you might not know until the attacker has bled your accounts dry.
Regardless of how it happens, a data breach will cause panic amongst your staff. Therefore, your organization MUST have a clear outline of what to do in the event of a data breach.
And because cyberattacks come in various forms, you’ll want specific measures for different types of attacks.
For example, let’s say one of your employees receives a phishing email. Here is what your employee’s phishing procedures may look like:
- Don’t click on the phishing link.
- Don’t forward the phishing email.
- Contact the IT department about the phishing email.
- Follow the IT department’s instructions on how to handle phishing emails.
Business Continuity Plan (BCP)
A BCP ensures that your business does not come to a full stop during a disaster, like a long-term power outage. The goal of a BCP is to allow you to continue doing business amidst the chaos. In basic terms: when a disaster happens, there is little to no downtime.
Like a data breach response procedure, your organization will want an array of BCP procedures to cover the wide variety of events that may disrupt your business. And remember, disasters can happen without a moment’s notice, so you’ll want to design your procedures to help your organization react fast.
For example, let’s say a critical system, like your phone system, is down. You’ll want procedures in place for how to continue to operate during that outage. These processes may include the following:
- If the phone outage is caused by the provider, notify the provider immediately.
- Notify the entire staff via email that the phone system is down.
- Allow staff to make crucial business calls on their cell phones.
But don’t forget, disasters don’t just happen to infrastructure. An illness or an accident could prevent a critical employee from working for an extended period. So, you’ll want plans in place to help guide your organization during that time.
Get on track with your Cybersecurity Procedures
And there you have it, our 3rd Pillar of Cybersecurity: Procedures.
Cybersecurity procedures, like their counterpart policies, cover a wide range of topics.
And for SMBs, the creation of these documents can feel very daunting.
Luckily, you don’t have to forge this path alone. When it comes to cybersecurity, relying on security experts is the best option for your SMB.
Our security experts under our NetGarde service are here to help.
We have the capabilities and knowledge to help your organization create a plan, secure your data, and reduce your exposure to threats.
To get started, you can schedule a consultation through our website.