Information security policies are vital for protecting your company data from unauthorised access, destructive malware and, yes, your own employees. That is not because most organisations are battling malicious insiders: user error is the leading cause of data loss in SaaS environments, and it is also the factor that decides whether a phishing email succeeds or fails. With online threats advancing as fast as they are, it simply isn't realistic to trust that every employee will protect company data properly without clear policies to guide them.

These policies can differ significantly for various sectors depending on the level of risk associated with the data they store, but this list will cover the basics that every company - big or small - should be putting into place.


Access Control

Managing access control is the most important step towards preventing - you guessed it - unauthorised access. This may seem obvious, but many organisations spend all their effort keeping outsiders out without considering insider threats, user error, and the extra attack surface that poor access management creates. The guiding principle is least privilege: each user gets only the access their role requires. If a non-executive employee does not need access to a highly confidential folder, the question is not just whether you trust that individual to resist the urge to take a look; every unnecessary permission is one more account that, if phished or otherwise compromised, gives an attacker a path to that data, and one more account you have to monitor for suspicious activity. Review access rights regularly and remove them when people change roles or leave.

Remote access also falls into this category. Remote working brings flexibility that helps productivity and collaboration, but it exposes the business to a host of new security concerns. Without the protection of the workplace network, remote users need clear policies on how to work safely out of the office, covering topics such as using public Wi-Fi (for example, requiring a VPN before touching any company system) and what data can or cannot be opened where other people can see the screen.




Two-Factor Authentication

Account compromise can be devastating to businesses of all sizes: a hacker with a valid login can read sensitive data, impersonate staff to redirect payments (CEO fraud), or use the foothold to deploy ransomware. Many services already offer two-factor authentication using one-time passwords, most often generated by an authenticator app or delivered by SMS. SMS is the weakest option, since codes can be intercepted or the phone number hijacked through SIM swapping, so for more confidential data and accounts companies should look at physical security keys (FIDO2/U2F), which also resist phishing because the key only answers the genuine site, or biometric methods.

Another effective control - especially for large financial transactions - is the two-man rule: certain actions require two authorised employees to approve them independently, whether in person or through a separate sign-off in the payment system, so that a single compromised account or a single deceived employee cannot complete them alone.


Removable Devices

Policies for removable devices should cover both directions: devices can be lost or stolen along with the data on them, and criminals can load malware onto devices in the hope that an unwitting employee will plug one in. Last year Heathrow Airport was fined £120,000 after losing a USB stick containing over 1,000 files; the decisive mistake was that the stick was neither encrypted nor password-protected. Policies should therefore require encryption on any removable media that holds company data, and keep an inventory of the USB devices in use, with a clear record of which have been scanned and approved by the IT team, so that an employee cannot introduce malware into the network by plugging in an unknown device. Where the platform allows it, enforce this technically by blocking unapproved USB storage rather than relying on users to remember the rule.


Frequent Backups

Backing up data won't stop hackers getting in, but it is the foundation of a response and recovery plan for the worst case. Backups are particularly important against ransomware, but only if the attackers cannot reach them: modern ransomware routinely looks for and encrypts or deletes any backup it can access with the credentials it has stolen. Keep at least one copy offline or in immutable storage, use separate credentials for the backup system, and test restores regularly - an untested backup is a hope, not a plan.

For the most security, organisations should keep copies in cloud storage or an off-site data centre as well as on site: on-site copies alone can be destroyed along with company devices in a theft, fire or natural disaster, potentially losing everything. The usual rule of thumb is 3-2-1: three copies of the data, on two different types of storage, with one of them off site.



Still feel your company's information security is weak, despite implementing these policies? Talk to our team today for more personalised advice, as well as free trials on our security products & solutions.