Cyber Security Policy
Policy Brief & Purpose
Our company cyber security policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure.
The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our company’s reputation.
For this reason, we have implemented a number of security measures. We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.
Scope
This policy applies to all of our employees and anyone who has temporary or permanent access to our systems and hardware.
Policy Elements
Confidential Data
Confidential data is secret and valuable. Common examples are:
- Unpublished financial information
- Data of customers/partners/vendors
- Patents, formulas, or new technologies
- Customer lists (existing and prospective)
All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.
Personal and Company-Issued Devices
When employees use their digital devices to access company emails or other accounts, they introduce security risk to our data. We require our employees to keep both their personal and company-issued computer, tablet and cell phones secure. We have implemented the following procedures to enhance the security of personal digital devices:
- All email accounts are password protected and use multi-factor authentication.
- A robust Endpoint Detection and Response solution is installed and maintained on all computers.
- Employees are not allowed to leave their devices exposed or unattended without locking them.
- Devices are configured to lock after being idle and require a password to unlock them.
- Security updates are pushed out monthly or as soon as they are available.
- Remote connections to company systems are only allowed through secure VPN connections.
In addition, we do not allow our employees to access internal systems and accounts from other people’s devices or lend their own devices to others.
When new hires receive company-issued equipment, they will receive instructions for:
- Setting up multi-factor authentication for their email account
- VPN connectivity to access internal resources
- Cyber-security awareness training
They should follow instructions to protect their devices and refer to our Security Specialists if they have any questions.
Keep Emails Safe
Emails often carry scams and malicious software (e.g., worms). In addition to using an industry-leading spam filtering service, we instruct employees to:
- Avoid opening attachments and clicking on links when the content is not adequately explained (e.g., “watch this video, it’s amazing”).
- Be suspicious of clickbait titles (e.g., offering prizes or advice).
- Check the email addresses and names of the people they received messages from to ensure they are legitimate.
- Look for inconsistencies or giveaways (e.g., grammar mistakes, capital letters, an excessive number of exclamation marks).
If an employee isn’t sure that an email message they received is safe, they can refer to our Security Specialists.
Manage Passwords Properly
Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we require our employees to:
- Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g., birthdays).
- Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
- Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, employees should prefer the phone instead of email, and only if they personally recognize the person they are talking to.
- Change their passwords every 90 days.
Transfer Data Securely
Transferring data introduces security risk. Employees must:
- Avoid transferring sensitive data (e.g., customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees to ask our Security Specialists for help.
- Share confidential data over the company network/system and not over public Wi-Fi or a private connection.
- Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
Report Scams, Privacy Breaches and Hacking Attempts
Our IT consultants need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our Security Specialists will investigate promptly, resolve the issue and send a companywide alert when necessary.
Our Security Specialists are responsible for advising employees on how to detect scam emails. To this end, they perform regular phishing attack simulations and report the results back to our management team. We encourage our employees to reach out to them with any questions or concerns.
Additional Measures
To reduce the likelihood of security breaches, we also instruct our employees to:
- Report stolen or damaged equipment as soon as possible to our HR department and our Security Specialists.
- Change all account passwords at once when a device is stolen.
- Report a perceived threat or possible security weakness in company systems.
- Refrain from downloading suspicious, unauthorized, or illegal software on their company equipment.
- Avoid accessing suspicious websites.
We also expect our employees to comply with our social media and internet usage policy.
In addition, our Security Specialists:
- Install firewalls, anti-malware software and access authentication systems.
- Arrange security training for all employees.
- Inform employees regularly about new scam emails or viruses and ways to combat them.
- Investigate security breaches thoroughly.
- Follow this policy’s provisions as other employees do.
Our company considers it the highest priority to protect information.
Remote Employees
Remote employees must follow this policy’s instructions as well. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.
We encourage them to seek advice from Security Specialists.
Disciplinary Action
We expect all our employees to always follow this policy. Those who cause security breaches may face disciplinary action:
- First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
- Intentional, repeated, or large-scale breaches (which cause severe financial or other damage): We will take more severe disciplinary action, up to and including termination. We will examine each incident on a case-by-case basis.
Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.
Take Security Seriously
Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security the highest priority.