Do You Have an Employee Cyber Security Policy?

Human error is often overlooked when it comes to keeping a company's data safe. Industry estimates regularly attribute close to half of all data breaches to human error. Although human error can never be eliminated entirely, incidents can be reduced by establishing clear cyber security guidelines and providing regular employee training.

The first step in reducing the role of human error in cyber security incidents is to establish a cyber security policy for your employees that states the do's and don'ts of cyber security. To help you get started, here are some basic points to include in your policy:

1. Emphasize the Importance of Cyber Security

Your policy should start off by explaining to the employee the importance of keeping the company's data secure, as well as

2. Teach Effective Password Management

Passwords can make or break a company's cyber security. Include guidelines on password requirements (length matters more than forced mixes of character classes; a long passphrase is stronger and easier to remember than "P@ssw0rd1"), how to store passwords (no post-its on your monitor; use a password manager), how to share passwords (ideally not at all; where a shared account is unavoidable, share it through the password manager's sharing feature, never by email or chat), and when to change them (when compromise is suspected or reported, rather than on a fixed calendar schedule that encourages predictable variations). Warn employees never to reuse the same password on different sites, because a breach at one site is immediately tried against the others. Require multi-factor authentication wherever it is available. A company password manager, or single sign-on (SSO) for the applications that support it, is a good idea if your employees log into numerous websites or web applications.

3. Detect Phishing and Other Scams

Describe the different kinds of phishing emails and scams employees can be presented with and how to spot something 'fishy': unexpected attachments, urgency or threats, requests for credentials or payments, display names that do not match the sending address, and links whose visible text differs from where they actually point. If employees receive an email that looks out of the ordinary, even if it appears to be an internal email sent by another employee, they must confirm with the sender through a separate channel (a phone call or a new message, not a reply to the suspicious email) before opening attachments. When in doubt, type the company's web address into the browser instead of clicking on a link in an email. Scams can also be perpetrated over the phone, so warn employees about callers asking for confidential company information, and tell them it is always acceptable to hang up and call back on a known number.
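The link checks described above can be automated for a first pass. The following is an added example, not code from the original post or from Zeta Sky: it parses the anchors out of an HTML email body and flags links that use plain HTTP, a raw IP address, a punycode (IDN) host, a domain outside the company's own, a lookalike of the company domain, or visible text that names a different address than the one the link actually opens. The trusted domain (zetasky.com), the reason codes and the sample email are all constructed assumptions for illustration.

```python
"""Flag suspicious links in an HTML email body (added example, not the post's own code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the company's own registered domain(s). Replace with your own.
TRUSTED_DOMAINS = {"zetasky.com"}

# Visible anchor text that itself looks like a URL or hostname, e.g. "zetasky.com/policy".
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .com-style hosts;
    a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(host: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this host imitates, if any: the brand label
    appears in the host (ignoring hyphens/underscores) but the host is not
    actually registered under that domain, e.g. zetasky-mail-support.com."""
    flat = host.lower().replace("-", "").replace("_", "")
    for t in trusted:
        brand = t.split(".")[0]
        if brand in flat and registered_domain(host) != t:
            return t
    return None


def check_link(href: str, text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return reason codes explaining why a link looks suspicious (empty = looks fine)."""
    reasons = []
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https"):
        return ["odd-scheme"]           # javascript:, data:, mailto:, ... -> human review
    host = parsed.hostname or ""
    if parsed.scheme == "http":
        reasons.append("not-https")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw-ip")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("idn-host")      # punycode label: possible homoglyph domain
    if registered_domain(host) not in trusted:
        reasons.append("untrusted-domain")
    if lookalike_of(host, trusted):
        reasons.append("lookalike-domain")
    # The text the user sees names one address while the href goes somewhere else.
    if _URL_LIKE.fullmatch(text.strip()):
        shown = urlparse(text if "://" in text else "https://" + text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            reasons.append("display-mismatch")
    return reasons


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return [(href, visible_text, reasons)] for every link that raised a reason."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for href, text in collector.links:
        if not href:                    # anchor without href is not a link
            continue
        reasons = check_link(href, text, trusted)
        if reasons:
            hits.append((href, text, reasons))
    return hits


# Constructed sample message for illustration (not a real phishing email).
SAMPLE_EMAIL = """<html><body>
<p>Your mailbox is almost full. Sign in at
<a href="http://zetasky-mail-support.com/login">https://mail.zetasky.com</a>
to free up space.</p>
<p>Our policy is at <a href="https://zetasky.com/policy">zetasky.com/policy</a>.</p>
<p><a href="https://203.0.113.7/verify">Verify your account</a></p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {', '.join(reasons)}")
```

Running it on the sample flags the first link (plain HTTP, untrusted lookalike domain, and visible text pointing at mail.zetasky.com) and the third (raw IP address), while the genuine zetasky.com link passes. The point for a policy is the human rule behind each code: hover before you click, compare what is shown with where it goes, and treat anything outside the company's domain as untrusted.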

4. Apply Updates and Patches

Instruct employees to keep anti-malware programs, web browsers, operating systems and other software up to date, to enable automatic updates wherever the software offers them, and to run a full malware scan at least once a week in addition to real-time protection. Of course, if you have an IT department, or a provider such as Zeta Sky, patching and scanning should be managed centrally and done automatically.

5. Protect Sensitive Information

Attackers are often after confidential data, such as credit card data, customer names, email addresses, and Social Security numbers. When sending this information outside of the organization, employees must understand that they cannot just send it through email, which travels and is stored in plain text by default. A secure file transfer system must be used that encrypts the information in transit and at rest and allows only the authorized recipient to access it, ideally with an expiry date and an access log.

6. Lock Computers and Devices

When employees leave their desks, they must lock their screens or log out to prevent unauthorized access; IT should also enforce an automatic screen lock after a short period of inactivity so that forgetting is not fatal. Laptops must also be physically locked or stored out of sight when not in use.

7. Secure Portable Media

When using portable devices such as mobile phones and laptops, a passcode or password must be set and device encryption enabled, so that a lost device does not expose its contents. When bringing in portable media such as USB drives and DVDs, it is important to scan them for malware before connecting them to the network; media of unknown origin (for example, a USB stick found in the car park) should be handed to IT rather than plugged in. Mobile Device Management (MDM) software is a good idea for a company that has many mobile users. It allows you to segregate the personal use of the device from the business use and put in place security measures that help safeguard company data, as well as remotely wipe that data should the device be lost, stolen, or no longer used for business.

8. Report Lost or Stolen Devices

Advise employees that lost or stolen devices can be an entry point for attackers to gain access to confidential data and that they must report a loss immediately, without waiting to see whether the device turns up. The IT department can often remotely wipe devices and revoke their access, so early reporting can make all the difference.

9. Take Active Role

Explain that employees must take an active role in security. If they see suspicious activity, they must report it to their IT administrator. If employees become aware of an error, even after it has happened, reporting it to IT means something can still be done to minimize the damage; make clear that prompt reporting of an honest mistake will not be punished, so that people do not hide incidents. Cyber security is a matter that concerns everyone in the company, and regular awareness training should be provided to ensure every employee understands how to recognize a threat.

10. Web Content Filtering

Inform employees that web browser activity is monitored and filtered to prevent visits to inappropriate and/or infected web pages. Web content filtering can be used as a tool to reduce lost productivity, but it is also essential in reducing the risk of an employee reaching a spoofed or malicious site after clicking on a link in a phishing email.


The cyber security policy should be included as part of the employment agreement and acknowledged in writing, and regular cyber security training should be scheduled to make sure that employees understand the guidelines and are up to date.
