Three (3) Reasons for Policies and Procedures:
All businesses are governed by laws, regulations, and legislative controls enacted by the countries in which they operate. Policies and procedures help companies comply with these regulations. Through policies and procedures, companies may also reduce their liabilities and improve their cybersecurity best practices. These three benefits are the primary reasons why so many companies create a robust policy and procedure program. Governance policies and procedures often lead to:
- Employees who understand what’s expected.
- Management that can be held accountable.
- Technology that’s robust enough to avoid costly data breaches.
- Protection from frivolous employee lawsuits.
This article focuses on the three main benefits of Regulatory Compliance, Liabilities, and Best Practices.
Laws and Regulatory Compliance:
From the California Consumer Protection Act (CCPA) and the Health Information Protection and Accountability Act (HIPAA) to the Payment Card Industry (PCI) regulations, all businesses today must wade through laws and regulations in order to sell their goods and services. Human Resources (HR) and cybersecurity policies and procedures help meet compliance obligations while avoiding fines, lawsuits, and data breaches. A concise and easy-to-read set of policies will help protect your company from these challenges.
Liabilities: Risk Reduction
Successful companies begin to accumulate wealth in the form of assets. However, liabilities don’t just sit on the other side of the general ledger. Policies and procedures can help defend a company from an employee lawsuit. For example, if someone complains about being bullied at work, a company with robust policies can point to an employee handbook that prohibits such behaviors and outlines a process for employees to follow to file a complaint if they feel they have been harassed in any way. A strong HR handbook will also draw attention to non-retaliation guarantees for complainants. If legal proceedings come, this company will be well prepared to defend itself not only to the letter of the law, but also within the spirit of the law. It has reduced its liability exposure. To end the discussion here would be a disservice, for these companies have also set best practice expectations with their employees, and it is to this that we turn for our final benefit.
Adopting Best Practices
Employees generally want to do the right thing. Often, the only way to guide their behaviors consistently over time is to codify those best practices within the employee handbook as well as specific cybersecurity policies and processes. In so doing, employees can learn how to behave within the business, how to escalate concerns before they become untenable, how to properly operate technology, and finally, how to operate the business safely and securely.
In one company CyberHoot has consulted with, a Wire Transfer Process was implemented and within 6 months had helped to prevent a fraudulent wire transfer of over $50,000. The finance person involved followed the process to verbally confirm a change in wiring instructions received from a vendor. After calling, they identified that the vendor’s email account had been breached and that a hacker had inserted new wiring account information into the discussion. Without the best practice of calling to verbally confirm all wire transfer changes, $50,000 could have disappeared in an instant.
Policies and procedures are a critical component of all defense-in-depth cybersecurity programs. These documents must be kept current by updating them at least bi-annually, they need to be automatically communicated to employees upon hire, and they need to adapt to changing circumstances. In the spring of 2020, the entire world adapted to a pandemic outbreak, and policies on Work-from-Home had to be updated to accommodate this new reality. Strong communication is key to running a successful business. Policies and procedures are one of the best tools for accomplishing sound communication and expectation setting with employees.