A Cybersecurity Policy is an important document to write and implement for your firm, regardless if you are a solo practitioner, a five-person office or a thirty-person firm.   It is one of the components for Cybersecurity Insurance and corporate clients now request copies of their outside counsel’s Cybersecurity Policy.  All employees should read and sign the document.

The task of writing a Cybersecurity Policy may seem daunting, but once you have a few good sample policies, it is not difficult.  You just need to take the time to write it.  Consider it a work in progress, because as methods of cyber hacking change, so will the policy.

The Cybersecurity Policy should start with a definition of “Cybersecurity.” Cybersecurity is the practice of protecting your computer hardware, software, network, and data from unauthorized access.  Unauthorized access can be from physical or digital attacks.  Think about some of the things you have in place to protect the computer network and those are the types of things that you are going to include within your Cybersecurity Policy.

The policy should then state that the technology that is provided to the Employee is for the sole use by the Employee, meaning that any laptops that are taken home should not be used by a spouse, children, or others.  Use by any others automatically creates a breach of the policy.

How the firm handles passwords and password changes should be included; for example: Employees will practice long, strong passwords and take precautions to prevent others from obtaining their passwords.  Employees will adhere to the Company Password Change Policy every 90 Days.  Employees will not share their computer network passwords with others or display their passwords.  They will keep their passwords confidential.

Next, address how data and information is stored and copied; for example, Employees will not copy, make digital copies, or remove client data or information from the Company premises or Servers except to conduct Company business. Copying Company information or client information onto Cloud Servers is prohibited without prior consent. Use of peer to peer file sharing applications is prohibited without prior consent, as well.

Another item within the policy should include anti-virus software, along with patches and updates to the operating system and software applications.  The policy would state that the Company has anti-virus software and malware software on the Company network, pc’s and laptops. The Employee should never turn off or disable the software, patches and updates, and the Employee should make every effort to make sure that their pc or laptop is up-to date and that these protections are constantly running.

State within the policy that Employees should follow safe computing practices and will not open emails from unknown sources.  Additionally, Employees should not open suspicious emails, links, popups, or downloads and should notify management immediately if they do so.  Do not chastise an Employee if they come to you after they have accidentally opened a suspicious email or link.  Instead, you want to know immediately when they do and they should receive praise that you can quickly overt a potential threat because they came to you.  Employees should receive annual Cybersecurity Training so that they can learn about the latest potential types and style of threats.

Again, if remote access is granted to the Employee, then the remote pc or laptop should only be used by the Employee.  This should stress the importance to the Employee that by sharing their device with others, it compromises the security for the firm.  If the Employee is using their own pc or laptop, then the remote PC must have a supported operating system with the latest patches and updates, up-to-date anti-virus software that is functioning properly, and updates applied to MS Office and other software applications they may use from home.  Employees are not to use public shared PC’s for remote access (i.e., Kinkos, Library, Hotels) and Employees should shut down their laptops when traveling.

If you write a Cybersecurity Policy that includes the above items, it will be a good start.  Include a signature line and date for your Employees to sign and date the document after ready it.  As cybersecurity threats change, so will your policy.  It is something that you should edit and update annually.

 

Alicia A. Slade, MS, MBA, is the President of Plummer Slade, Inc., a computer networking and IT solutions firm located in downtown Pittsburgh.  Plummer Slade provides computer networking, MSP services, and software application solutions to hundreds of law firms in Pittsburgh and the surrounding area.  Plummer Slade is exclusively endorsed for IT Solutions by the Allegheny County Bar Association (ACBA).  Alicia has been a Technical Consultant for over 30 years and can be reached at 412-261-5600 x202 or slade@plummerslade.com.