Creating a culture of cybersecurity requires first implementing a clear and straightforward policy on the management of confidential information. There is not, however, one policy that "fits all." A cybersecurity policy must be personalized to comply with any applicable data breach laws, which can vary from state to state and from industry to industry.
Despite necessary variations due to industry and location, there are hallmarks of all effective policies.
TIP: Before drafting your company's cybersecurity policy or reviewing an existing policy for effectiveness, form a team that includes individuals who work in different departments of the company and can help identify what confidential data you have, where and how it is stored, who has access to it, and the sufficiency of current methods used to protect it.
First, cybersecurity policies need to be the product of a team approach, with involvement from company executives, managers from all business units, IT professionals, and HR leaders. Second, a good policy results from asking these types of questions:
- what confidential data do you have;
- where is that data stored;
- who has access to the data;
- what are the BYOD rules for employee-owned PCs, smartphones, and tablets;
- how do employees maintain a division between business and personal information stored on computers and mobile devices;
- what are the rules relating to use of passwords on computers and mobile devices;
- what types of restrictions are there on the removal of confidential information from the workplace;
- what are acceptable methods of remotely connecting to the company's internal network;
- when and how are employees to use encryption;
- what are the rules relating to employee use of social media;
- what happens to confidential data when the employee's employment ends;
- when and how is data to be destroyed by the company; and
- what are the specifics of the detailed plan allowing for prompt response in the event of a data breach.
Overall, the goal should be crafting a policy that helps the company collect only the confidential information necessary to conduct business, keep only what must be kept, implement practical and realistic safeguards, train employees aggressively on how to handle confidential information and eliminate what is not needed, and continually re-examine and update compliance efforts.