
How Important Are Cyber Security Policies

Top of this list is People, and I’ve written extensively about how important cyber awareness training is for all, managers and employees alike.  This piece is all about policies and processes.  First and foremost, policies have to be relevant to the organisation and not just downloaded from the internet, maybe with a few modifications, before applying a tick in the box and moving on.  Policies have to mean something and have a purpose.  Many organisations I go to either have some very scant policies or actually, none at all.


I often talk about risk in terms of cyber security and how managing that risk is extremely important.  And that means understanding what those risks actually are, and then taking steps to mitigate them.  When I talk about this, I can often see the wheels turning and the audience thinking about technology and how much that is going to cost them.  Well, it's very often the case that technology is not the answer.  There are many risks where a good policy, promulgated to all and understood by all, can save the company money.


A good example of that is a fairly common scam that tends to cost SMEs between 5 and 50K depending upon the size of business.  How this is achieved is that the scammer, or let's call him/her what he/she is, the criminal, spends some time profiling the company, using various social engineering techniques to work out how the company is organised and who is who.  You may be surprised as to how much of that information is freely available on the company website, Companies House and other sources.  Having discovered who the boss is, and who looks after invoice payments, the criminal then 'spoofs' the boss's email.  Email spoofing, in simple terms, is sending an email purporting to come from someone else.  So it arrives in an inbox from the boss, but actually it's from the scammer.  Such an email is sent to the person who pays invoices, with an invoice attached, saying please pay this as a matter of urgency.  This happened recently to someone I know, and when it arrived in the accounts department it didn't look kosher to the payments clerk, who replied to the email asking if the boss was sure.  Of course, she got an email back saying yes, I'm sure.  She paid it and the company lost over 30K.  The accounts clerk was clearly switched on but she made a basic error, because she didn't know any different.  If she had sent a fresh email to the boss querying the invoice, it would have gone to the boss, who could have stopped the transaction.  Instead, she replied to the email and her reply went back to the scammer.  A policy which dictates fresh emails rather than using the reply function, and known to all, would have saved the company a lot of money.
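To show why "reply" and "fresh email" are not the same thing, here is an added illustration in Python that is not part of the original post. It assumes the common mechanism behind this scam: the displayed From: address is the boss, but the message carries a Reply-To: header that a mail client silently uses when you press reply. The two messages, the domain names and the internal address book are constructed for the example; the check flags any message whose reply address lands in a different domain from the one shown as the sender, which is exactly the signal a payments clerk or a mail gateway would want surfaced.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a spoofed "pay this invoice" message (not a real capture).
# The visible From: is the boss; the Reply-To: header, which mail clients use
# when you press "reply", points at a look-alike domain controlled by the scammer.
SAMPLE_SPOOFED = """\
From: "The Boss" <boss@example-company.invalid>
Reply-To: "The Boss" <boss@example-c0mpany.invalid>
To: payments@example-company.invalid
Subject: Urgent invoice - please pay today

Please pay the attached invoice as a matter of urgency.
"""

# Constructed sample of a legitimate internal message with no Reply-To at all.
SAMPLE_LEGIT = """\
From: "The Boss" <boss@example-company.invalid>
To: payments@example-company.invalid
Subject: Invoice

Please process when convenient.
"""


def domain_of(header_value):
    """Return the lowercase domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def reply_target(raw_message):
    """The address a mail client would use for 'reply': Reply-To if present, else From."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")
    return addr.lower()


def check_reply_mismatch(raw_message):
    """Flag a message whose reply address is in a different domain from the sender shown.

    A missing Reply-To is treated as 'replies go back to From', which is what
    mail clients do, so a plain internal message is not flagged.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To")) or from_domain
    return {
        "from_domain": from_domain,
        "reply_domain": reply_domain,
        "mismatch": from_domain != reply_domain,
    }


# Hypothetical internal address book. The "fresh email" policy means looking the
# boss up here and starting a new message, rather than trusting any address
# carried inside the suspicious email itself.
DIRECTORY = {"the boss": "boss@example-company.invalid"}


def fresh_email_target(name):
    """Where a fresh email to this person goes: the directory, not the incoming message."""
    return DIRECTORY[name.lower()]


if __name__ == "__main__":
    for label, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(label, check_reply_mismatch(raw), "reply ->", reply_target(raw))
    print("fresh email ->", fresh_email_target("The Boss"))
```

Run as-is, the spoofed sample reports a mismatch and shows the reply going to the look-alike domain, while a fresh email resolved from the directory goes to the real boss. The same comparison can be wired into a mail gateway rule or a client banner; the policy in the text is what makes people act on it.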


Policies and attendant processes are essential for the protection of company data and the bottom line, company money.  What needs to be covered, and in what depth, depends on the risks that the company is facing, but for many companies the answer is very similar to that of the next company.  In broad terms, and as an absolute minimum, the following are required:


  • Overarching IT security policy – often this only needs to say very clearly what responsibilities employees have in regard to security and data protection, lay down a requirement and responsibility for cyber awareness training, and state that all employees are to be cognisant of all the policies and are to sign that they have read and understood them. And most importantly, it must be signed off at board level making it clear that this is a crucial requirement.
  • IT Acceptable Use Policy – what is, and what is not, an acceptable use for company IT.
  • IT Email Policy
  • IT password policy
  • IT Mobile working policy – essential for mobile workers who may be tempted to work from a coffee shop, and of course, working from home. This latter might be a separate policy or can be part of the mobile working policy.
  • Data Protection Policies – a whole other subject.
  • Social media policy – this can be really important. Probably 100% of your employees will have a social media presence and will use it daily. How important is it that they don't associate themselves with the company on their private social media?  It depends on the person, but it could be damaging in reputational terms.  The company might also do some digital marketing on social media.  Who is, and who is not, allowed to get involved with that function?


These policies are not necessarily exhaustive.  It depends very much on the risk assessment and the risks that need mitigating.  They will also be accompanied by processes to support the policy.

I wouldn't want people to go away thinking technology isn't important; it most certainly is.  It's just that on its own, it won't give you the protection you think it does.