KBI
  /  Cyber Blog   /  8 Essential Policies & Procedures for Improved Cyber Security
8 essential policies & procedures for improved cyber security

8 Essential Policies & Procedures for Improved Cyber Security

Are you doing enough to prevent a cyberattack? Implementing cyber security measures may seem like a daunting process, but the quick things are actually the most important. You don’t need cyber security procedures to rival the pentagon – just a few simple techniques will have a significant impact on protecting your business from cyber-attacks.

A cyber-attack, explained simply, is someone wrongfully gaining access to your systems or devices. A lot of different things can happen from here, such as extortion (i.e. pay me x dollars or all your data will be deleted), data breach (exposing sensitive data such as credit cards or personal information) or even straight theft of funds (you’ve transferred funds to a fraudulent account).

Putting in place some simple cyber security policies & procedures will help defend against the above situations. We’ve put together eight of the essential ones, which are frequently being recommended by government agencies, top cyber security firms and leading cyber insurers to businesses of any size.

8 essential policies & procedures for improved cyber security infographic

1. Callback Procedures

This is by far one of the best things you can do to prevent cybercrime.

We’ve all seen them – an email asking you to pay an invoice or change bank details from an apparent client or trusted individual. These schemes (phishing) are getting much better all the time, so it’s important to put procedures in place to mitigate against these losses, even when it’s near impossible to identify the fraudulent emails from the legitimate ones.

A call-back procedure is when you verify requests to pay an invoice for the first time or alter bank details by calling a trusted person at that company.

1
2
3
4
1
2
3
4
Step 1

You have received an email/call to pay a new invoice or set-up/update payment information. This includes setting up a new supplier/vendor/other or making any changes to their payment details.

Step 2

Verify the request before taking any action by calling a trusted representative of the company directly to confirm that the request or the payment information is accurate and came from them.

Step 3

DO NOT do this by responding to the request email itself or contacting a number included in the request email. The request email may be coming from fraudsters pretending to be from the familiar company/person or that company/person’s email address may be compromised.

Step 4

It is recommended that you have a register of representatives for suppliers/vendors/others for you to contact and verify any of these changes.

Many cyber insurance policies now require you to have call-back procedures in place before you can purchase the Social Engineering section of the policy, so this really is a must-have.

2. Multi-Factor Authentication for Devices and Applications

This is another must-have and was referenced by the Australian government as one of the best things you can do to protect your company (and person) from a cyber security breach.

It is simple to get started and most systems have this functionality already – you’re probably already doing it for a lot of them. The standard way of doing this is by making it so you need both a password and SMS code to login to an account or system.

Combination of passwords and other authentication methods for devices and applications (i.e. SMS codes, keycard, facial/fingerprint recognition).

This can be facilitated through each application with the help of your IT provider. See this article from the Australian Government for tips on implementing multi-factor authentication procedures:

Australian Government – Implementing Multi-Factor Authentication

3. Automatic Updates and Patching

If you set up your applications/accounts right, this is a “set & forget” way of keeping your security controls up to date.

Software updates are more than the glamorous changes to the operating system on your phone – software companies (Microsoft, Apple) use “automatic updates” as bug fixes and security patching to ensure security is up to date and any errors or holes are fixed as soon as possible. By turning on this feature, your devices and applications will automatically update to keep your device/network secure.

This article from the Australian Government outlines the importance of automatic updates and how to turn them on:

Australian Government – Step by Step Guide: Turning on Automatic Updates

4. Daily Backups

This is something that most leading systems will already feature automatically (i.e. outlook, salesforce), but it is recommended that you liaise with your IT team and application service providers to ensure all company data is backed up at least once a day.

If a cyberattack occurs, your data should be able to be recovered easily. Most businesses have back-up procedures in place already, but it is common that these are less frequent, such as weekly back-ups or even monthly. A lot can change during a week or month – the tools are available and not normally cost prohibitive, so why not make sure everything is up to date should the worst occur?

5. Two Factor Payment Authorisation

This is a common risk prevention procedure used to stop fraud/crime but is also relevant for cybercrime. It is another procedure that most insurers require to provide the relevant cover (i.e. crime section of a policy).

Payments made to vendors, either across the board or at a certain dollar amount, should be processed and/or authorised by at least two company representatives (i.e. accounts team & director). This not only prevents one individual from going “rogue”, but also acts as an extra check stop to prevent an accident or miscommunication – often the reason a social engineering loss occurs.

6. Device Security

Device security is one of the more common cyber risk management procedures and most of us will already have these on our personal items, but it is just as important to make sure these are implemented on your business devices.

Monitor privacy settings for frequently used applications (i.e. social media)

Automatic screen lock so a device is not accidentally left open and easily accessible.

Unique passwords that are updated regularly.

Antivirus software that is kept up to date (don’t ignore those update reminders!)

Avoid free wireless networks for business devices or applications. This includes using your personal device for work applications (i.e. email while travelling) because free wireless networks are an easy way for cybercriminals to hack into your systems.

7. Lost or Stolen Personal Device Procedure

Most of us have lost an electronic device in some capacity, whether it was personal or business related. If it’s a business device, what should you do to protect important company information?

Wiping data from a stolen device. Most devices have this function already – if a device is stolen, it is reported and then all data is wiped from the device. This may seem like drastic measures, but if you have backed everything up then you won’t actually lose much – but it prevents someone else from accessing your data.

Ensure the device is backed up so the data is not lost with the device.

Ensure any ‘find my device’ function or the ability to encrypt the device are activated, as these measures can provide additional security in the event of it being lost or stolen. It can also help get the actual device back

8. Social Media Security Policies

If your business uses social media (LinkedIn, Facebook, Instagram) you should have some kind of policy in place as a security control. A standard social media policy should include:

Limited number of authorised users have access to company social media accounts;

System in place to immediately revoke user access if they are no longer at your company;

Outline what can and cannot be posted on company social media accounts;

Outline the process for responding to complaints or inappropriate comments;

Process for regaining control of hijacked company social media accounts, which can be facilitated with the help of your IT provider;

This article from the Australian Government provides some useful tips for social media security policies:

Australian Government – Security Tips for Social Media

What are some other ways to prevent cyberattacks?

Policies and procedures are only part of the solution. Training staff, leveraging technology and other preventative measures are significant in protecting your company from cyberattacks.

See our recent article for 10 ways to prevent a cyberattack

What happens if a cyberattack occurs anyway?

You can take every possible step in preventing a Cyber Attack and one may still occur. Therefore, it’s important to manage this risk by putting a Cyber Insurance policy in place.

See our recent article explaining what to do following a cyberattack, including tips on creating a 7-step plan:

Looking into a cyber insurance policy?

Here’s an article we’ve written about what a cyber insurance policy does and why you need it:

Have any questions?

Talk to one of our Cyber Experts today!

Slide Contact Us

About KBI

We are a specialist insurance brokerage with an emphasis on adding value to our clients by helping them make an informed decision. Our approach combines that of an insurance broker and consultant, where we focus on providing expert advice to our clients while customising their insurance program and risk management solutions.

Since starting in 2013, KBI is constantly growing and becoming a leader in the Australian market. Our primary point of difference is that we don’t try to be all things to all people.  We work in niche areas, where we can tailor an offering, advice and broker support to meet the specific area’s needs.

tyler speers kbi
By Tyler Speers

Tyler Speers is an Account Manager at KBI with a focus on Cyber insurance.

Cyber Newsletter Sign Up

Want to keep up to date with all our latest Cyber Insurance news and information? Enter your email to be added to our mailing list.