When the martians come: policy and procedure tips for cybersecurity
No matter what business you’re in, you’re likely to rely on information technology (IT).
In social service, health and education agencies, we use IT for a multitude of functions – enrolments, intakes, planning, etc. Essentially, we would be lost without it.
But have you given sufficient thought to preventing and defending against cyber threats?
If you think that cyber attacks are still the stuff of sci-fi movies then think again. It was only 6 weeks ago that the New Zealand Stock Exchange was rendered inoperative because of a cyber attack. Not just once but multiple times.
We are all vulnerable and need to be on guard to prevent and defend against attacks. We need to become cyber-brave!
A good start
For Cyber Smart Week, CERT NZ has published some basic tips to help each of us improve our defence against cybersecurity attacks. These include using strong password protection, installing updates and using multifactor authentication for login access.
We all need to be cyber-aware but it’s especially important if you’re an organisation. Awareness means understanding and regularly reviewing your cyber risks. There may be risks to individuals, your functions, finances, reputation and/or to your agency’s very existence.
Knowing the risks will guide the safeguards you need to take and what your policies and procedures should address to help you prevent and respond to cyber-attacks.
You need policies and procedures
Given the rate of change in the IT world, it’s important to review and update your policies and procedures to cover off the “must-dos” for your organisation’s security. Key areas to cover include:
- acceptable use of information and communications technology
- access to data
- remote working
- incident planning.
Staff should be trained to implement the policies and to maintain cyber awareness.
Acceptable/unacceptable use of electronic devices at work
Your policies should cover the use of personal devices (eg cellphones), as well as what may or may not be done on work computers: for example, that internet and email access are not to be used to download unauthorised software or install games, and that activities such as gambling and the use of pornography are prohibited.
Access to data
As a general rule, access to data should be restricted to those who need it for work purposes. This helps prevent data breaches. It also helps protect privacy which can be jeopardised by unauthorised access to client or staff personal information.
You should have clear procedures in place for removing and changing access rights as people change and leave roles. No one should have access to data and systems they don’t need for their work purposes.
With COVID-19, remote working is much more prevalent. But with remote access, there are potentially more pathways for cyber attacks. Your policies and procedures can help manage these risks. For example:
- outline organisational responsibilities like organising a VPN
- state the safeguards to be taken by staff/remote workers – that they use their home internet to access the work network, and that they notify management immediately of any unusual events on the system.
If personal devices are used, precautions by remote staff can include:
- keeping their operating system up-to-date
- using a strong password and multi-factor authentication
- uploading documents they save locally to the network
- running and updating their antivirus software regularly.
Incident planning and responses
Your policies and procedures should guide staff when responding to a cybersecurity issue, in particular:
- who they should notify if concerned
- who will manage recovery from the incident
- who should be told (eg Privacy Commissioner from 1 December for serious privacy breaches)
- how to use data backups and resume operating
- steps to mitigate and prevent a recurrence of the incident.
Even though it may feel like a minefield, grow your awareness and become cyber-brave.
The Martians may or may not be coming. But either way, it’s best to be prepared.
If you would like your policies and procedures reviewed and updated, contact us. We aim to protect social service, childcare, health and tertiary education agencies from the risks of non-compliance with regulations and standards.