Do you have an effective IT security policy?

Most businesses are aware of possible threats to their IT security from external sources. They understand the need for antivirus software, they know how to treat suspicious emails, and they appreciate the importance of keeping their servers and PCs up to date. However, often little attention is given to possible internal threats. It’s important to protect your company's IT infrastructure, as internal threats are often as dangerous as external. Threats to your business’s IT systems could come from a variety of sources—an individual with malicious intent, an ex-employee, or an employee who didn't intend to compromise security. Such threats can be avoided by implementing a set of policies which must be adhered to by individuals who have access to your company's assets and resources. An effective internal IT security policy is one that is tailored to a company's existing cultural and structural framework to support the daily functions of the business and not impede on its organisation and goals. We've defined five possible threats to your internal IT security, along with five policy suggestions that can help mitigate them.  

 1. Password sharing

Would you share your credit card PIN or bank password? The answer is no—and it should be the same for your work passwords. A study found that of 893 professionals surveyed, 46% shared their passwords with co-workers, despite 67% knowing that it wasn’t permitted under their company’s staff information security policy. We suggest that all individuals within your company keep their passwords to themselves, and that they are changed regularly. If you or an employee think that a password may already have been compromised, or given away to too many people, it should immediately be changed. There may be cases where it seems necessary to share a password— for example if an employee is sick and access is needed to their email. However, in cases like this, your IT team should be able to help provide alternative solutions instead. Suggested policy solution: 'Users must never share their password with anyone—internally or externally.'   

 2. Company leavers 

Once an employee leaves your organisation, you need to make sure they don’t have access to your company's accounts, emails, or files. If their account isn’t removed, or at least their password reset to something sufficiently complex, there is a gap in your security perimeter which is open to exploitation. We're not claiming that all ex-employees are a threat, but to maximise IT security you need to take all necessary precautions. It's also worth noting that you'll need to notify your IT team whenever an employee leaves. They can then completely remove them from the system, and all future access will be denied. Suggested policy solution: 'When an employee leaves the company, their account must be disabled and passwords they’ve had access to changed.'  

 3. Leaked information 

One in four UK employees have intentionally leaked confidential business information to individuals outside their organisation. Such information can be leaked from your company in various ways. Employees may lose an important USB memory stick which contains confidential files, or they may copy confidential files onto their own device. To reduce the risk of employees leaking company information, you can use a firewall that enables restrictions to be put on which devices can be connected to the corporate network, and on what data can be downloaded. Suggested policy solution: 'Employees must not use personal data storage devices with company computers, or copy any sensitive information onto external devices without the permission of their IT team.'  

 4. Downloading harmful internet content

The average employee spends between one and three hours a day surfing the web on personal business. Employees can unknowingly download viruses or malware by browsing the web freely, and by accessing sites which are not relevant to their jobs. Enforcing a policy that controls which sites users can access will not only reduce the risk of security threats, but also increase productivity (since less time will be spent on ‘time-wasting’ sites such as Facebook).  Companies’ policies vary—some ban social media sites altogether, while others allow limited personal use. It's worth investing in anti-virus or firewall software which can filter, monitor, and block harmful content from the internet. Suggested policy solution: 'Internet access is limited to job-related activities only and personal use is not permitted.'  

5. Unauthorised physical access

It's important to prevent unauthorised access to the IT hardware which runs your infrastructure. Any interference with the kit could cause major issues in the running of your business. Keep the hardware room under lock and key, and only allow access to a few of your professionals. We recommend having a system in place where the name, date of access, and reason for access, is recorded. Keep your IT team informed of any access changes. Suggested policy solution: 'Unauthorised access to the server and communications room is strictly forbidden.'    The best way to maximise your internal IT security is to educate your employees. Explain why these policies are in place, and include a consequences section for non-compliance (such as a dismissal or termination of contract). Once the policy is clear, it becomes integrated into the workplace culture, and naturally minimises the chance of a breach to your business's IT security. In the case of a disaster, you should also have a disaster recovery plan in place.   We can help you form a practical set of policies regarding your IT systems. Contact our friendly team today.   
Why you need a disaster recovery plan