Why Small Organisations Should have Security Policies?
For the majority of small organisations, security policies will make a big difference when something goes wrong. Security policies can not only set the intentions for strategic thinking, but also set out all expected behaviour, how to handle certain incidents, and so on. In some respects they may end up being as much for all the other stakeholder groups of the organisation, including employees, directors, customers, regulators and investors. So, it is not only important to have them, but to ensure that they give good coverage for your Organisation.
This is edited content from Sarb Sembhi and co-host Nick Ioannou. Also in video and podcast media.
- Introduction to security policies for Small Organisations
- Why have security policies in a Small Organisation?
- Security policy suggestions
- Security policies provide staff guidance
- Management and human resources clarification
- Security policies help Revenue Growth and can assure larger customers
- Having pre-prepared security policies saves time
- Government purchasers also want to see security policies
- Security policies may help discussions with regulators after a breach
- Security policies must be reviewed
- What other documents should Small Organisations have?
- Conclusion of Policies for Small Organisations
Today we are looking at why Small Organisations should have security policies. We often get asked, "do we need to have security policies as a Small Organisation?" Or, "what's the point of them?" Or, "we're not a big enough organisation." Or, "what difference would it make to anyone, if we had policies?"
There are many benefits for Small Organisations to have security policies, including:
- Providing guidance for employees
- Clarifying issues for human resources
- Attracting large enterprise customers
- Saving time when policies are requested by customers, funders, partners, etc.
- Helping to demonstrate the importance the Organisation places on security to regulators, if it is investigated.
But before going into the benefits, let’s take a quick look at some of the policies we are suggesting and why they are useful.
"Having policies for employees ... provides guidance on how the organisation views security."
We will explore security policies in more detail another time, but the most important security policies all Small Organisations should have include an Email Policy, an Internet Use Policy and a Data Protection Policy. The Data Protection Policy matters because staff data makes up a big part of the highly detailed personal information that Organisations hold: medical information, tax details, addresses, contact numbers, next of kin; basically, it's all there.
On top of those three, there needs to be an overall Security Policy, which covers everything that is necessary from any user's perspective, such as passwords, social media, email, and what they can and cannot do. Then finally, depending on the sector the Organisation is in, there may be a need for policies around employee responsibilities related to data protection, or even one that relates to the standards that will be used to ensure security, for example encryption.
Having policies for employees sets out what they can do and provides guidance on how the organisation views security. It may be the first thing employees get, and have explained to them, when they join. A lot of Small Organisations grow organically, and there will be a lot of staff, especially those who joined in the early stages, who started when these policies didn't exist. In those stages staff may do what they want, but as the Organisation grows it will need to put some controls in place to meet employee and customer expectations and legal obligations.
An easy starting place is an email policy: what is and what isn't acceptable? Whether staff are permitted to access personal email, and what type of web browsing they are allowed, is all set out clearly in a policy. It shouldn't be written in legal jargon and it shouldn't be long and drawn out; short and to the point is best in most cases. Where it ends up being longer, it will be important to break things down into logical layers of subheadings.
When it's something written down that can be given to employees, it is easier to point them in the right direction and say: "This is how we all work consistently", because policies are about management of the systems, management of the email, management of cyber security, etc.
Where an Organisation has been clear in informing its staff what they are or are not allowed to do through a clear policy document, this should mean that managers do not have to check on employees as often, or worry about what they may or may not be getting up to, since it's all obvious.
Related to policies is another document-based protection control organisations need to have in place: the signed acceptance confirming that the employee has received and understood the policy. For example, if there is a policy which states what your employees can and cannot do, but something goes wrong and leads to a dismissal, the signed acceptance will protect both the employee and the organisation appropriately. So, where a policy that staff sign up to clearly states what the major violations of the policy are and that these are considered dismissible actions, both the policy and the staff acceptance of that policy clarify the situation for both parties, as well as setting out how the Organisation views those actions.
In the worst-case scenario, the Organisation has an authority and clarity that wouldn't be there if the necessary policy wording didn't exist and staff hadn't signed up to it.
Without it, there's a possibility that the Organisation may not be able to take action, or that it may end up getting sued for any action taken against an employee.
The right security policies, with the right action to back them up, can act as a form of protection in some respects, as everyone understands what behaviours are expected of them. The important thing is that it also works the other way: if an employee has done something that resulted in an infection, but they were permitted to do it and continue to be allowed to do it, they can't be disciplined or sacked for it later. The policy protects staff rights too, so policies are a good thing, especially for Small Organisations.
In future episodes, we'll look at a couple of policies in detail, what needs to be included and how to decide what should be in them, and some key points Organisations might have in a particular policy for some business sectors and environments but not others.
Policies can help Organisations grow and sell to larger customers. Every large Organisation started out as a Small Organisation which grew, often by selling to customers that were much bigger than it was and that placed large orders.
Where security policies fit into this is that enterprises, in the current climate of data breaches, will often expect their suppliers to be secure, or at least to have some basic security policies in place, before they sign up as a customer. The reason is that we have seen many incidents where the large company was fairly secure and the only way attackers got in was through one of its suppliers. So, larger enterprises do not want to make themselves vulnerable by working with a Small Organisation that has allowed the wrong people to access data, or allowed staff to do things with data that they shouldn't have, purely because it has no policies and doesn't understand what it and its employees could and should be doing.
Large Organisations, regardless of how good their own security is, may insist that their registered suppliers have more than adequate security policies in place, either from a data protection perspective or from a critical supplier perspective.
It's amazing how many policies we have had to write because we had been asked by a client: "Oh, we haven't got that policy; well, we'd better write it then." In many respects, the more revenue a Small Organisation hopes to earn from larger enterprises, the better it is to have most, if not all, of the policies worked out in advance. Then, if a prospective customer asks for a particular policy, there's already something prepared, which may not be perfect but can at least be tweaked. Plus, already having something (no matter how simple it is) means that the Organisation can keep updating it every time a new customer wants it to have expanded sections.
Just having something in place makes a big difference, because customers want to know that their supplier already has these things in place for that peace of mind.
"[having policies]...makes it easier for Small Organisations to sell into government."
It can be a bit of a tick-box exercise, because in some cases new suppliers can't even get a look-in unless the right policies already exist.
Also, sometimes customers don't just want to see the standard policies we mentioned earlier; they want to see some additional ones. For example, they may want to see a Starters, Movers and Leavers Policy, because they want to know that when somebody leaves your Organisation, they're not taking customer data with them. This has another important aspect to it: if an Organisation isn't ensuring that its employees aren't stealing customer data, there's no guarantee that an employee won't set up in competition at a later stage using the customer list. So, there are plenty of good reasons for having these policies.
In some Organisations, all these policies are included in the employee handbook, but that is still a set of policies. They may be under a different name; Organisations should check what they've got, because they may already have some of the important policies, or the information that needs to go into them, even if it doesn't come to mind immediately when asked.
What happens when someone leaves? What happens to the data? All this needs to be written down somewhere, and if it's not, it may need to be addressed before it impacts the Organisation.
The next related benefit is that it makes it easier for Small Organisations to sell into government. For the last few years, governments have been trying to encourage Smaller Organisations to supply their services. But they can only work with Small Organisations if they are secure. As Organisations in the UK may be aware, Cyber Essentials Certification is a part of this effort by the UK Government; we will be covering this in more depth in future episodes. Policies and Cyber Essentials Certification demonstrate that a Small Organisation has some understanding of security and that it's got the right policies in place.
Also, it makes a public statement to the Government and to large enterprises that the Organisation believes in security, as do its employees, and sends a clear message that "We are ready to work with you".
Another reason why Small Organisations should have policies is the tick-box exercise mentioned earlier, in terms of compliance in large organisations. The right coverage of policies, together with a strategy and plan, will help in the event that an Organisation is breached and has to explain to a regulator what controls it had in place. If all the right things are being done, they may help to either avoid a fine or play a role in getting a reduced fine; it could be the difference between explaining why there are no policies and showing that the right controls were in place but that the breach was an unusual and sophisticated attack.
If something goes wrong, having a policy, strategy and plan which is implemented appropriately demonstrates a level of commitment which is difficult to do without them.
Regulators understand that there's no such thing as 100% security. So just having a policy and a commitment to work at it shows that the Organisation has taken the time to produce the right documents and can say: "we are looking at our security", "we are addressing it", "this is where we've got to".
Without this evidence, Small Organisations could be fined repeatedly, with the fines based purely on the breaches and not on the commitment the organisation had made to prevent them.
One of the key things about customers and policies is that, not only do our customers want us to have them, but they want them to be reviewed on an annual basis. It doesn't matter how good it is or whether it’s been changed. What matters is that someone with authority has signed and dated it within the last twelve months. So, just having a policy that hasn't been looked at for five years won't help the Organisation. It needs to have a system in place where someone with authority reviews them and this doesn't have to be a big deal.
Having someone in authority glance over them, re-sign them and date them each year demonstrates that the Organisation has taken reviewing the documents seriously, rather than someone having just looked at them.
In most cases it will depend on the organisation, the market it is in, and the goal to be achieved by the documentation. Where Small Organisations are creating policies to supply services to the public sector or to larger Organisations, it may be useful to have procedure, standard and guideline documents for some relevant topics. These may not be relevant for all Organisations, as the effort and resources required can be considerable. However, for some Organisations, as they grow, these will ensure consistency in quality, processes and service delivery.
Small Organisations don't have to have any security policies to operate, but by developing those most relevant to their Organisation, policies will communicate to staff, customers, government and regulators how the Organisation views security. This in itself provides many benefits to all, not least of which may be more revenue from larger enterprise customers.
Infographic images are copyright of Virtually Informed, and available to registered users for download during the publication week of the blog article together with other downloadable resources, including: all related infographics on this page, example policy templates, posters, screen savers and much more.
Images from https://www.pixabay.com.