
8 Essential Policies & Procedures for Improved Cyber Security
Are you doing enough to prevent a cyberattack? Implementing cyber security measures may seem like a daunting process, but the quick things are actually the most important. You don’t need cyber security procedures to rival the Pentagon: just a few simple techniques will have a significant impact on protecting your business from cyberattacks.
A cyberattack, explained simply, is someone wrongfully gaining access to your systems or devices. A lot of different things can happen from there, such as extortion (e.g. “pay me x dollars or all your data will be deleted”), a data breach (exposing sensitive data such as credit card numbers or personal information) or even outright theft of funds (you have transferred money to a fraudulent account).
Putting in place some simple cyber security policies and procedures will help defend against the situations above. We’ve put together eight essential ones, which are frequently recommended by government agencies, top cyber security firms and leading cyber insurers to businesses of any size.
1. Callback Procedures
This is by far one of the best things you can do to prevent cybercrime.
We’ve all seen them: an email from an apparent client or trusted individual asking you to pay an invoice or change bank details. These schemes (phishing) are getting better all the time, so it’s important to put procedures in place to mitigate these losses, even when it’s nearly impossible to tell the fraudulent emails from the legitimate ones.
A call-back procedure is one where you verify a first-time request to pay an invoice, or any request to alter bank details, by calling a trusted person at that company.
Step 1
You have received an email or call to pay a new invoice or to set up or update payment information. This includes setting up a new supplier, vendor or other payee, or making any changes to their payment details.
Step 2
Verify the request before taking any action by calling a trusted representative of the company directly to confirm that the request or the payment information is accurate and came from them.
Step 3
DO NOT do this by replying to the request email itself or by calling a number included in the request email. The request email may be coming from fraudsters pretending to be the familiar company or person, or that company or person’s email address may itself be compromised.
Step 4
It is recommended that you keep a register of representatives for your suppliers, vendors and other payees, so that you have a known contact to call to verify any of these changes.
Many cyber insurance policies now require you to have call-back procedures in place before you can purchase the Social Engineering section of the policy, so this really is a must-have.
2. Multi-Factor Authentication for Devices and Applications
This is another must-have and was referenced by the Australian Government as one of the best things you can do to protect your company (and yourself) from a cyber security breach.
It is simple to get started and most systems already have this functionality; you’re probably already using it for a lot of them. The standard approach is to require both a password and an SMS code to log in to an account or system.
This can be set up in each application with the help of your IT provider. See this article from the Australian Government for tips on implementing multi-factor authentication:
Australian Government – Implementing Multi-Factor Authentication
3. Automatic Updates and Patching
If you set up your applications and accounts correctly, this is a “set and forget” way of keeping your security controls up to date.
Software updates are more than the visible changes to the operating system on your phone. Software companies such as Microsoft and Apple use automatic updates to deliver bug fixes and security patches, so that any errors or holes are fixed as soon as possible. By turning this feature on, your devices and applications will update themselves and keep your device and network secure.
This article from the Australian Government outlines the importance of automatic updates and how to turn them on:
Australian Government – Step by Step Guide: Turning on Automatic Updates
4. Daily Backups
Most leading systems already do this automatically (e.g. Outlook, Salesforce), but it is recommended that you liaise with your IT team and application service providers to ensure all company data is backed up at least once a day.
If a cyberattack occurs, you should be able to recover your data easily. Most businesses already have backup procedures in place, but it is common for these to run less frequently, such as weekly or even monthly. A lot can change during a week or a month; the tools are available and not normally cost prohibitive, so why not make sure everything is up to date should the worst occur?
5. Two Factor Payment Authorisation
This is a common risk prevention procedure used to stop fraud and crime generally, but it is just as relevant to cybercrime. It is another procedure that most insurers require before they will provide the relevant cover (e.g. the crime section of a policy).
Payments made to vendors, either across the board or above a certain dollar amount, should be processed and/or authorised by at least two company representatives (e.g. the accounts team and a director). This not only prevents one individual from going “rogue”, but also acts as an extra checkpoint against an accident or miscommunication, which is often the reason a social engineering loss occurs.
6. Device Security
Device security is one of the more common cyber risk management procedures. Most of us already have these controls on our personal devices, but it is just as important to make sure they are implemented on your business devices.
7. Lost or Stolen Personal Device Procedure
Most of us have lost an electronic device at some point, whether personal or business related. If it’s a business device, what should you do to protect important company information?
8. Social Media Security Policies
If your business uses social media (LinkedIn, Facebook, Instagram), you should have some kind of policy in place as a security control. A standard social media policy should include:
This article from the Australian Government provides some useful tips for social media security policies:
Australian Government – Security Tips for Social Media
What are some other ways to prevent cyberattacks?
Policies and procedures are only part of the solution. Training staff, leveraging technology and other preventative measures are also significant in protecting your company from cyberattacks.
See our recent article for 10 ways to prevent a cyberattack.
What happens if a cyberattack occurs anyway?
You can take every possible step to prevent a cyberattack and one may still occur. Therefore, it’s important to manage this risk by putting a cyber insurance policy in place.
See our recent article explaining what to do following a cyberattack, including tips on creating a 7-step plan:
Looking into a cyber insurance policy?
Here’s an article we’ve written about what a cyber insurance policy does and why you need it:
*The content is for informational purposes only; you should not construe any such information or other material as financial or other advice. This information is general and does not take into account your objectives, financial situation or needs. When considering the purchase of an insurance policy, you should consider whether the advice is suitable for you and your personal circumstances. Before you make any decision about whether to acquire a certain product, you should obtain and read the relevant product disclosure statement.
About KBI
We are a specialist insurance brokerage with an emphasis on adding value to our clients by helping them make an informed decision. Our approach combines that of an insurance broker and consultant, where we focus on providing expert advice to our clients while customising their insurance program and risk management solutions.
Since starting in 2013, KBI has been growing constantly and is becoming a leader in the Australian market. Our primary point of difference is that we don’t try to be all things to all people. We work in niche areas where we can tailor our offering, advice and broker support to meet each area’s specific needs.