For this post, I interviewed cyber security expert Emma Osborn of OCSRC Ltd. Emma has recently produced a range of template cyber security documents in collaboration with SEQ Legal (available on Docular and Website Contracts), and in this post we explore the function of these documents in the context of small and medium-sized businesses.
Q. What types of small business are most exposed to cyber security risks?
A. Cyber security risk can be classified as relating to confidentiality, availability and/or integrity. The most vulnerable businesses are those that store large amounts of confidential information or highly confidential information, or that provide or use systems that need to be always-on, or that need to ensure that the data they hold is 100% accurate. For example, an online shop selling physical products might be relatively low risk, whereas a cloud services provider in the medical sector might be relatively high risk.
Q. What's the difference between a cyber security policy and an information security policy?
A. There is a difference in principle; but usually no difference in practice. It lets security experts do things like talk about the evolution of best practices; small businesses will not however want to differentiate, and all information and IT-related security issues should be covered in a single policy, whatever it is called.
Q. Cyber security issues may affect businesses using information technology irrespective of size. But at what point in the growth of a business should the approach to cyber security issues be formalised by means of a written policy?
A. Businesses with very small, tightly-knit teams sometimes have enough oversight to achieve superior (if less demonstrable) security to larger businesses with formal systems. However, there comes a point in the growth of an organisation when some communication channels become too shallow or convoluted, and team culture cannot alone ensure security. In one sense, an end user cyber security policy is simply a communication tool, and when informal communications are insufficient, formal communications should take their place. We should distinguish here between "end user" policies and "supply chain" policies. Supply chain policies may be imposed upon businesses of any size by their customers. For example, if you are selling cloud services to a large institution you will likely find that they insist that you operate a formal cyber security policy. They may ask for that policy to be incorporated into the contract of service.
Q. In your experience, what proportion of small businesses have implemented formal cyber security policies?
A. The coming into force of the GDPR was a watershed moment here. Before the GDPR, only a small number of small businesses had produced formal policies. Now, they are not at all uncommon, particularly amongst small technology businesses.
Q. What approach should a small business take when putting together its first cyber security policy?
A. First, assess the risks – then, match the policy to those risks. Whilst there are some fairly universal rules (for instance, passwords should be strong and unique), much will depend upon the business in question and the environment in which it operates. If you don't have the expertise in-house to assess the risks or prepare a matching policy, then you should engage an external specialist to help.
Q. When implementing a policy, how do you strike the right balance between having sufficiently detailed rules and ensuring the policy does not grow too long?
A. Rules which are not followed are worse than useless, and a policy must not be so complex that it leads to significant levels of non-compliance. More detailed policies may be justified where risks are high, where staff have lots of time to spend on cyber security and where staff have the skills and motivation to engage with detailed rules. However, a short policy always has a better chance of being assimilated. Where a business is giving contractual commitments to customers, a high level of compliance will be needed.
Q. Once a policy has been drafted and approved by management, how do you guarantee that it won't gather dust on a shelf?
A. Training is the key here. Initial training when a policy is first implemented and for new employees; and refresher training as memories grow old and the policy evolves.
Q. How often should a cyber security policy be updated?
A. Contracts often require annual updates; what is appropriate for a business from a pure risk management perspective will vary with context, but cyber security policies are living documents. The tendency is for policies to grow during the updating process, both due to growth in the complexity of the business and the (now trained) staff gradually developing a security culture. But beware of making things too difficult – not everyone will be interested and new staff have to start from scratch!
Cyber security templates
You can get hold of copies of Emma's cyber security-related templates on Docular via the following links.
End user cyber security policy documents:
Supply chain cyber security policy documents:
Cyber security incident response policy document: