Cyber Security Policy

Cyber Security policy for your business – what do you need to know?

It is important to have a cyber security policy if you own a business. It is not only a guide and reference to be used internally with your employees, but also a reference point for how you handle any external data from customers.

Your Cyber Security policy should be thought of as a moving, changing entity that will need to be updated regularly to keep up with technological advancements, and any changes within your business. 

What does your Cyber Security policy need to cover?

Firstly, no two cyber security policies will be the same. Your Cyber Security policy will be unique to your business, depending on your particular type of business and what kind of data you deal with.

The first thing you need to do is to identify the particular risks for your business. If you are an accountant, for example, your focus is on how you deal with customers’ personal information, bank details, IRD numbers, etc.

Once you have identified your specific risks, you can then prepare for what to do if something goes wrong. Our team has knowledge of a wide variety of industries, and will be able to help you clarify what you need to be mindful of.

Having a clear plan in place means that everyone in your organisation knows what to do, who is responsible for what, and what processes you have in place to mitigate the risks.

You will also need to create two cyber security policies: an internal one for employees, and a public one for customers.

What needs to be included in the Policy?

The information below has been taken from the CERT NZ website.

CERT NZ suggests that you break your internal policy down into different areas.

Data

This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:

  • how much to collect
  • where you’ll store it (locally or in the cloud)
  • how to protect it, for example keeping data at-rest (when stored) and in-transit (when communicating) encrypted
  • how often you’ll back it up, and who’s responsible for doing backups.

Systems

It’s important to identify what systems you have, and which ones are critical to your work. Consider:

  • setting some rules around updating, or patching, your systems — how to make sure they’re done regularly and who’s responsible for making sure it happens
  • what systems your staff can use, including any cloud applications or software running inside your business’s network
  • how much access your staff need to your systems. You should make sure your staff only have the minimum level of access in each system they need to do their job. This is what’s called the ‘principle of least privilege’.

Security and protection

Security and protection covers how your staff and customers access your systems and data. It means thinking about:

  • how they can access your systems. For example, your staff may want to work remotely. They should do this by using secure tools, like VPN with 2FA.
  • how they authenticate themselves on your system. This includes your password policy and use of two-factor authentication
  • what devices your staff can use at work. This covers whether staff can use personal devices for work, or if you’ll provide devices to them.

People and users

You need to think about what you consider to be acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations so they know:

  • what their responsibilities are
  • what kind of things they should report to you
  • how you expect them to take ownership of their accounts and their devices.

Physical devices and systems

When you think about protecting your business’s devices and systems, make sure you cover both:

  • protection against loss — if something is stolen, and
  • protection against the environment — for example, if your business is flooded during a storm and your devices are water damaged.

You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. As an example, you could have all staff protect their devices by:

  • having strong passwords on them
  • using device encryption
  • setting rules for them about use outside the office.

Problems and incidents

You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.

What next?

The Ultra IT team are used to helping companies like yours create a Cyber Security policy for their business. Reach out to us here and we can assist you.

The Cloud – To cloud or not to cloud

What is the cloud? 

The term ‘cloud’ can cause confusion, as it can make us believe that data is stored somewhere in the sky. So what is the cloud, actually? The truth is that data is still physically stored by companies who offer cloud storage. The cloud is basically “a large computer somewhere else.”

Cloud storage warehouses are huge business. They have dedicated servers whose sole job is to send and receive data all day. The spaces are massive, with rows and rows of servers, sometimes upwards of 1 million square feet.  

There are two key types of cloud-based services: 

  1. Data centre hosted cloud: This is often used to run application servers or host large volumes of data (too big for 365, for example) that would otherwise need a physical server on your premises. 
  2. Cloud Apps: These store your data for you on their own cloud, for example Xero or Windows 365. 

Why would you move to the Cloud? 

Storage Space: 

When you move to the cloud, you no longer have to store all that data on your own hardware. You still have access to your documents, media, or reports, but the third-party provider will likely have more storage space and processing speed, making your onsite technology function better.  

Minimising Risks: 

By moving to the cloud, you are cutting out common cybersecurity risks. You don’t risk storing data on laptops, which can get lost or stolen. You also end the need for thumb drives (or USB drives), which can also be stolen or lost. Plus, plugging in these external devices can also expose you to viruses or other risks. 

Security: 

Sometimes we feel our data is more secure when it is kept on-premises, but these days that isn’t always the case. Data can be safer in the cloud than on-site at your business. 

Advantages of the Cloud: 

  • Backing up to the cloud stores data on an external, secure server. If thieves take your computers and USB backup, you can still access your data in the cloud.  
  • Cloud storage providers build in redundancy to ensure your backup remains safe.   
  • Cloud providers also encrypt data in transit to further ensure compliance and security.  
  • Migrating to a third-party cloud storage service also cuts the clutter at your premises.  
  • You can count on expert help to ensure security and compliance. 
  • Plus, you can cut operational costs by offloading in-house storage or external hard drive expenses.  
  • A hacker can use malware or phishing emails to target the data on your business devices. These cyberattacks don’t work in the cloud. Ransomware may work on an individual user’s device; however, it is a lot harder to reach the larger data set stored in the cloud. 
  • If a natural disaster hits one server site, the provider will offer continued access from another site. 

When the Cloud might not be your best option: 

Internet Connectivity: Cloud migration makes your business reliant on internet connectivity. If you have frequent outages or slow speeds, these conditions are not a good fit for cloud computing. Make sure to get this sorted out with your IT Alliance member first. 

Large amounts of Data: For some companies that have huge amounts of data transfer, such as video editing, the cloud may not be the best option.  

Limited local support: A lot of the cloud storage centres are overseas, which may mean that support is limited and service sub-par.  

Costs of the Cloud: The costs of cloud hosting can be high. In talking with your IT Alliance member, you can work out what is the best option for your business.  

“One IT Alliance member moved their client from Cloud hosting to a physical server as the client had experienced such rapid growth that the fees for the cloud were becoming hefty. The savings worked out to be over $50,000 to purchase a physical server and pay for the IT Alliance member’s services.” 

Making your data more secure in the Cloud: 

Encrypt your data: Make sure you contract with a provider who will encrypt data in transit. This makes it more difficult for hackers to get at your information. 

Multi-Factor Authentication: Enabling multi-factor authentication can also help secure data by adding layers of security. It moves your data security beyond just asking for a username and password.  

Compliance Regulations: Depending on your industry, there may be particular standards for data storage. Encryption is a common compliance expectation. 

Training your team: Training your team on the importance of securing data is important, especially with people working remotely and connecting from off-site locations. 

What next? 

To cloud or not to cloud is a question that requires discussion. Our team can help you find the right solution for your individual needs and assist you with the process. Contact us here.