Malware Manual – Part 2: Building Your Cybersecurity Policy

  • August 8, 2017

Malware breaches are proliferating, per recent research shared by TechRepublic.

The digital investigation firm Guidance Software surveyed more than 300 professionals in North America who hold IT security positions or perform tasks that fall within the IT security realm. Here are a few of the trends researchers discovered:

  • More than half (56%) of the organizations polled reported breaches in 2016; 65% have already reported them in 2017.
  • A quarter of organizations canvassed reported financial losses in 2017 due to security breaches; one in five of those that were targeted reported losses of more than $1 million.
  • The number of IT professionals who say they plan to build formal security teams this year doubled—from 12% in 2016 to 24% in 2017.

Is your organization among those fortifying its cybersecurity team? If so, congratulations. You’re among the minority of small to mid-size businesses (SMBs). The shocking facts are:

  • Most SMBs are short-staffed for cybersecurity.
  • Many don’t budget for cybersecurity.
  • And many are in the dark about data breaches.

(Read the details behind the bullets above in our recent post.)

Those realities are among the reasons we encourage readers to adhere to the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The first of the framework’s core functions is “Identify,” and one part of this initial phase of improving your cybersecurity posture is developing a “risk management strategy.” And perhaps the most essential element of any business strategy is crafting policy.

How do you build a cybersecurity policy? We found a step-by-step primer in a recent column for CSO magazine by infosec expert Jennifer Bayuk. Here’s a digest of what Bayuk recommends should go into your cybersecurity policy, with a few instances of our particular spin on the issue:

  1. Scope – all systems, facilities, programs, data, networks and technology users, without exception.
  2. Classifications of information should be content-specific – e.g., “financial” or “customer” data — not generic, such as “confidential” or “restricted.”
  3. Set management goals for the secure handling of information in each classification you create.
  4. Put cybersecurity policy in context with other management directives and documents. In short, your cybersecurity policy should be consistent with all other management policies – and endorsed by all your senior executives.
  5. Include references to supporting documents (e.g., roles and responsibilities, process, technology standards, procedures, guidelines, etc.)
  6. Give specific instructions with mandates – e.g., “All access to any computer system requires identity verification and authentication – no sharing of individual authentication mechanisms.”
  7. Designate specific responsibilities – e.g., “Individual system users are responsible for changing passwords on a quarterly basis; our IT managed services provider (MSP) is responsible for prompting users on this cycle.” (The point here is the form of the statement: a named party and a measurable duty. Note that NIST’s 2017 Digital Identity Guidelines, SP 800-63B, advise against forcing routine periodic password changes, recommending changes when a compromise is known or suspected instead, so set the actual cycle according to current guidance.)
  8. Establish specific penalties for failing to comply with policy – for personnel and partners alike. And put some teeth in those consequences, such as dismissal for employees and contract termination for vendors.

After tackling items one through eight, Bayuk stresses – and we concur – that securing support from your leadership team should be your highest priority, as consensus will lend authority to enforcement.
