“Do we need an IT and data security policy? If we do, what should it cover?”
If you’re like many business owners, you’ve been asking yourself these questions. Here are the answers.
For starters, yes: every business in every market should have such a policy in place. The growing incidence of data breaches tops the list of reasons. According to Verizon’s “2018 Data Breach Investigations Report,” published this past April, the number of reported data breaches has risen “significantly”; for example, 39 percent of respondents, double the share in last year’s report, said they had experienced a malware-related breach in the previous 12 months. The cost of a breach is equally significant: the Ponemon Institute’s annual “Cost of a Data Breach Study” puts it at $2.2 million for incidents with fewer than 10,000 compromised records and $6.9 million for incidents with more than 50,000.
But these aren’t the only reasons all companies need an IT and data security policy. An equally compelling argument is that having IT and data security policies and procedures in place is often required for compliance with federal, state, and industry regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), to name two.
What’s more, by giving employees clear direction on the factors that affect IT and data security (for instance, which individuals may access specific data, or how to handle email), companies reduce their risk of a breach. That risk cannot be overstated, especially when you consider the damage to your company’s reputation, and the potential loss of business, that follow once word of a data breach gets out.
As for content, an IT and data security policy will vary somewhat with the nature of the business. However, every policy should spell out employees’ security responsibilities: how to handle each classification of data (confidential, internal, general, and data intended for recipients outside the company), and which data people in different roles are permitted to access and, if applicable, to distribute. Policies governing remote access to information systems, the security of system components (e.g., routers and switches), and the application of software patches (how and when) to eliminate known vulnerabilities and guard against threats belong in the document as well.
It’s equally important that the policy set a schedule for vulnerability assessments and compliance audits. Just as significantly, include system security standards that specify the baseline configuration of all servers and operating systems, and that set out password management, firewall, database, and antivirus requirements. Add procedures for assessing and reporting data security breaches, procedures for monitoring compliance with the policy, and acceptable use policies covering the Internet as well as personal and company-owned devices. Finally, spell out the consequences of an employee’s failure to comply with the policy.
IT and data security are not matters to be taken lightly. Taking the time to create a policy that minimizes risk, and revising it as circumstances change, will pay off handsomely.