Declan’s Blog: Is your business a cyberattack waiting to happen?

In our latest Chamber Digital forum, we discussed the theme of ICT policies for business and getting the right policies in place. We welcomed a very informative update from Adrian Parker of M&M Information Technologies and a reminder of the importance for a business to have adequate ICT policies in place. ICT policies establish clear guidelines and expectations for the use of technology resources, and are essential for mitigating risk and ensuring security.

Without well-defined policies, a business becomes more vulnerable to cyberattacks, data breaches, and internal security incidents. Human error is a significant cause of cybersecurity breaches. The establishment of clear policies, along with employee training, can help to reduce these risks. Having the right policies in place will also offer confidence to the suppliers and customers of a business.

What are the risks of not having IT policies in place? These include an increased vulnerability to cyberattacks, data breaches, regulatory non-compliance and a potential for internal security breaches due to a lack of policies on user access control and data protection.

All businesses should have clear policies and guidance on business continuity following events such as a fire or flood. Lack of guidance could impact on the company’s very existence. Other risks include legal and financial repercussions due to non-compliance.

Our Digital forum discussed a number of IT policies that a business should consider:

A Password Security Policy will provide guidance on the way employees manage login passwords, including requirements for password length/complexity, storage and management. This would also include the frequency of password changes. An estimated 80% of all cloud data breaches result from compromised passwords.

Acceptable Use Policy (AUP) / Staff Computer Use Policy governs the proper and responsible use of technology and data within an organisation. This will cover matters such as device security (keeping devices updated), acceptable locations for using company devices, and restrictions on sharing work devices. It should also address whether it’s acceptable to use company IT assets for personal activity.

Information Security Policy / Data Protection Policy will outline procedures to protect sensitive data from unauthorised access, breaches and other security threats. It will also provide guidance on how data is securely stored, accessed, and shared. This is essential, considering the increasing number of data breaches.

Privacy Policy / Data Protection and Privacy Policy will establish clear guidelines for collecting, storing, and processing personal information in compliance with data protection regulations such as GDPR.

Anti-Malware Policy outlines measures to detect, prevent, and mitigate malware threats through regular updates and scanning protocols.

Network Access Policy explains the procedures around device passwords, firewalls, networked hardware, and wireless network usage, as well as how to ensure security when connecting mobile devices.

Wi-Fi Use Policy should provide guidelines for maintaining secure connections when using Wi-Fi, potentially requiring the use of a company VPN, and restrict certain activities on public Wi-Fi, such as entering passwords or payment card details.

Email Policy outlines usage guidelines for the company email system, to reduce the risk of email-related security incidents.

Social Media Use Policy should address social media usage by staff, helping to prevent excessive use during work hours and provide guidance on how employees should post, in order to prevent damage to a company’s reputation.

Bring Your Own Device (BYOD) Policy will clarify the terms of use and security arrangements for when staff are allowed to use their own personal smartphones or other devices in the workplace.

Cloud and App Use Policy will address the risks of unauthorised Cloud applications (“shadow IT”) and should outline the approved Cloud and mobile apps for handling business data. For example: are staff using their personal Dropbox account to share information?

Software and Hardware Management Policy / IT Asset Management Policies / IT Software Management Policies will address the procurement and installation of software and hardware, regular updates and patch management, asset tracking and inventory management, disposal of old hardware, and software licensing compliance.

Data Breach Response Policy / Security Incident Response Plan / Incident Response Procedures will outline the steps to be taken in the event of a data breach or security incident, including identifying and containing the breach, assessing its scope, notifying affected parties, implementing preventative measures, and conducting a post-breach analysis. A UK government report highlighted that a significant number of large companies lacked a cyber incident response plan.

Remote Work Policy will address eligibility, expectations for availability and communication, guidelines for a secure home office, reimbursement procedures, and security of company data and devices on remote networks.

Physical Security Policy defines how physical IT devices are handled and transported to guard against damage and theft.

Employee Training and Awareness Policy / Security and Privacy User Responsibilities will detail the frequency and format of security awareness training, the topics to be covered (such as phishing awareness and secure browsing), procedures for reporting security incidents, and the consequences of non-compliance, and will aim to encourage a culture of security awareness. Human error is a major cause of breaches, highlighting the importance of training.

Access Control Policy outlines how access to systems, networks, and data is granted, managed, and monitored, ensuring only authorised personnel can access sensitive resources.

Backup and Disaster Recovery Procedures provide a step-by-step plan for protecting a company’s data and ensuring business continuity in the event of a system error or disaster.

Artificial intelligence, or AI, is a hot topic of discussion. More and more employees are embracing the use of AI in platforms such as ChatGPT or Copilot. Any data which is entered into public / free AI tools such as Google Gemini or ChatGPT is stored and used to train the AI models. This could lead to your (or your customers’) data being ‘leaked’. All businesses should therefore think about the importance of an AI policy.

Cyber Essentials is the minimum baseline cyber security standard for organisations in the UK. This is a government-backed standard, and preparing for the assessment is an affordable and accessible way for businesses of all sizes to implement the technical controls needed to protect themselves against the most common cyber threats.

Chamber members can obtain the Cyber Essentials certification with support from Chamber Cyber Essentials, in partnership with IASME. Staffordshire Chambers of Commerce has a number of members who can offer support and assistance in guiding a business through the process, and if you would like to learn more, please send me an e-mail:

declan.riddell@staffordshirechambers.co.uk
