How to Build a Cybersecurity Policy

Topics: Cyber Liability

There has been a rash of well-known cyberattacks in the last year, including British Airways, Marriott Starwood and Citrix. Cybercrime Magazine states that cyberattacks are the fastest growing crime in the U.S., with an estimated worldwide cost of $6 trillion annually by 2021. As cyber criminals get more resourceful, it is crucial for a company to have a cybersecurity policy in place to be prepared for the impact of a cyberattack.

By proactively protecting systems, technology and databases with a cybersecurity policy, a company will send a strong signal that their internal data, as well as their customer, contractor and vendor information, are safe. The basics of building an effective cybersecurity policy:
  • Generally, a security policy has to achieve or support an organizational objective and the data protection strategy
  • An effective security policy has to be clear and accessible to the entire organization
  • A policy has to be supported with a reason or reasons why it is necessary
  • If no reasons are supplied the policy will probably not be well adopted or enforced by the organization
Ian Thornton-Trump, head of cybersecurity at AmTrust International, describes the importance of having executive support in building the policy. “Where I see a lot of failure in organizations is in clearly determining ownership of the policy for updates and changes – I think this is best achieved by an executive leader with all interested parties at a table for annual review and amendments. Some policies may need to change to align to new risks, changes in the regulatory landscape or as a result of customer-driven requirements. Someone has to own this process as many policies need to be living documents.”

Creating an effective cybersecurity policy also requires asking how the policy will be enforced and how policy violations will be addressed. These questions are answered by explaining the reasons behind the policy, working through them with the “5W’s and 1H” problem-solving process.

Use “5W’s and 1H” Questions to Assist in Building an Effective Security Policy

The “5W’s and 1H” are questions whose answers are considered basic in information gathering or problem-solving. They are often mentioned in journalism, research and police investigations, and they constitute a formula for getting the complete story on a subject. The 5W’s are Who, What, Where, When and Why. The H is for How.

Who is the audience for the cybersecurity policy?

The policy would apply to all employees, contractors, volunteers and anyone who has access to the company’s systems.

What does the cybersecurity policy encompass?

The cybersecurity policy would cover all organization-owned workstations, portable devices, network connections and third-party hosted services.

Where is the company cybersecurity policy in effect?

The cybersecurity policy is applicable to the internal network, external internet connections, VPN connections and third-party services. It needs to be followed in and out of the office or business.

When is the policy applicable and when will it be reviewed?

The policy should have an effective date and a review date. As the policy is reviewed and updated, a new date can be added.

Why is your company cybersecurity policy important?

A documented cybersecurity policy would provide the organization guidelines for securing the company’s data and infrastructure. Everyone in an organization from management to employees must understand and comply with the policy. Thornton-Trump goes further by saying, “One other part of ‘Why’ should be the consequences and risks associated with policy violation, but with an emphasis on realistic consequences such as what happens if we inadvertently expose customer data.”

A cybersecurity policy can include a variety of elements that are particular to your small business, including:
  • Information on how to protect confidential company data, such as financial information, customer data or internal technologies
  • Instructions for the secure use of personal and company devices
  • Directions for detecting malicious or scam emails or virus infections
  • Management of device and system passwords
  • Guidance for the secure transfer of company or client data
  • Procedures for remote workers
Companies can refer to network and security frameworks that are currently in place for governance. There are many security models that can provide benchmarks to measure the organization’s security posture and if properly audited, support the organization’s compliance requirements.

How Can You Implement a Cybersecurity Policy for a Small Business?

In order to explain how to implement the cybersecurity policy for your small business, experts recommend putting the process and instructions into a Standard Operating Procedure (SOP). The SOP will define the individual steps to implement the cybersecurity policy to ensure that the organization is, and stays, compliant. Well-constructed SOPs will have checklists and automated procedures that the operations team can follow.

The SOP will detail roles, responsibilities, and communication and contact strategies in the event of a policy violation, as well as specific incident response and business recovery procedures. The SOP should also document exceptions due to system limitations or extraordinary circumstances. Also, whenever a policy is updated, the SOP should be reviewed to ensure the two are aligned.

By separating the policy from the standard operating procedures, this method separates the responsibilities of governance (policy) from the responsibilities of operations (implementation of controls, procedures and processes). Good and effective governance begins with clear policies and ends with detailed standard operating procedures.

Cyber Liability Insurance Provides Additional Security

A cyber liability insurance policy from AmTrust provides additional security to safeguard your company against loss and damage due to a cyberattack. Contact an AmTrust agent today to find out how you can benefit from a cyber liability policy, and how to protect your organization from cybersecurity attacks and other data breach threats.

This material is for informational purposes only and is not legal or business advice. Neither AmTrust Financial Services, Inc. nor any of its subsidiaries or affiliates represents or warrants that the information contained herein is appropriate or suitable for any specific business or legal purpose. Readers seeking resolution of specific questions should consult their business and/or legal advisors. Coverages may vary by location. Contact your local RSM for more information.