How to approach IT & data protection policies and procedures
What are you obligated to do?
The SRA information & cybersecurity rules expect firms to “Have policies and procedures in place to protect information and money”.
Why do this?
Our modern-day reliance on technology is enormous. As a legal practice, the sensitive data and privileged communications you process on that technology, and the sometimes vast sums of client money you handle, make you a very attractive target for cyber criminals.
Having stringent policies and procedures in place, built around the safety of monies and information, is therefore imperative.
You may have the best intentions, be approaching the cyber security of your organisation with your best foot forward, and be willing to invest heavily in its long-term cyber safety. That is great, but if your team do not conduct themselves in the same way there is almost no point. This is why policies matter: a policy and a set of procedures for the protection of information and monies, written down and easily accessible to all, gives your team a clear set of instructions for doing everything they can to protect the information and monies in your organisation. Writing them down also lets you break your organisation into its component parts and see where changes are needed, whether the weakness is in people or in technology, and fix it so that each part performs as it should.
How do I create and implement policies and procedures?
We have created a straightforward nine-step guide to creating and implementing policies and procedures that will benefit your organisation. Let’s check them out:
- Identify risks within your business
You first need to identify the potential risks to your organisation, and to do that you must ask yourself questions: do you hold information that should be restricted? Do I, or the team, send or receive large attachments and files on a regular basis? Where does client money come in and go out, and who can instruct a payment? Keep going and pose as many questions as you need; in this way you can dissect your organisation and give yourself a real chance to find the holes in your security. The holes you find are the access that cyber criminals need to take you for a ride and cost you thousands. Many of the vendors you buy your internet security products from offer evaluation periods, and if those products provide reporting, use it: an evaluation period is a cheap way to measure what is actually flowing through your network and mailboxes rather than guessing, and to assess the risks your organisation is really facing.
- Learn from your rivals
It can be difficult to accept that your rivals are doing well, but if they are, why not learn from them? Again, ask yourself some questions: how have they managed to stay secure when they are doing the same job as you? Which of their practices can you adopt to match, and then exceed, their level of security? Publicly stated accreditations such as Cyber Essentials tell you what baseline a rival has committed to, and that baseline is a sensible minimum for you too.
- Mirror levels of security with levels of risk
Overkill is a possibility when it comes to cyber security. We know this changes the tone from what we have been pushing so far, and that still stands: cyber security should be at the very heart of your business concerns. But do not go in too hard. Too much security can be just as bad as not having enough, because controls that get in the way of the work get worked around, and a control that is routinely bypassed protects nothing. You may have a very capable, responsible, dedicated and mature team whom you trust to navigate and operate the system appropriately. Under these circumstances you can keep the written rules to a code of conduct for the team to adhere to, alongside the technical measures you have already implemented; the code of conduct complements those measures, it does not replace them. Overkill security slows down workflow and damages business operations, so be sensible and match the strength of each control to the risk it addresses.
- Include the team
Include your team in the conception of policies and procedures. We have all been there when the ‘big boss’ (who has never even done your job) comes over telling you how to do it ‘properly’ or ‘better’; it is a frustrating and demeaning experience for the team members involved. Your team are the experts: they do that job day in, day out and use those tools all the time, so they are the best people to consult about how to complete their job securely and efficiently. Doing this also improves relations between the different levels of your organisation. As management you should discuss with your team why the policy is being introduced and all the procedures surrounding it, and they will be far more likely to comply.
- Train the troops
You must train your team on the ins and outs of the policy and the procedures around it. This informs your team, helps them understand, and lets you discuss the real-world implications of the policy with them in person. Ensuring the troops are trained is important: as we said, they are the ones who need to adhere to it every day, so if they do not understand what is expected of them, why introduce new procedures at all?
- Write it down and make it accessible
Make sure every team member, no matter their station, reads, signs and, most importantly, understands the policy. Keep a record of who has signed and when; it is your evidence that the policy was communicated, and you will want it if a breach is ever investigated. Everyone must be required to ‘refresh’ their understanding of the policy periodically, and those refreshes should be recorded too. There are even tools that provide quizzes to test a user’s knowledge of the policy if you want to be certain.
- Outline the sanctions in place for breaches of policy
The policies and procedures you have put in place are NOT recommendations or guidelines; they are rules, and they must be adhered to. Outlining to your employees the consequences of a breach is integral, and you must be sure they know you will enforce the rules consistently. A policy that no one adheres to is a security risk in its own right and can be as bad as not having one at all.
- Update your policies and your team
As your network evolves, so should your policies. The workplace is constantly changing (new security risks, a change of emphasis, a change of team members), so it is essential that your policies and procedures mirror those changes. Review them on a fixed schedule and after any significant change to your systems or staff, keep a dated version history so you can show which rules applied at any given time, and, above all, keep your team aware of any changes that will affect their day-to-day work.
- Install the correct tools that you need
Internet and e-mail content security products with customisable rule sets can ensure that your policy, no matter how complex, is adhered to: the rule set is the written policy translated into checks that run on every message and download, whether or not the person sending it remembered the rule. This can be expensive (depending on the level of tooling your organisation requires to reach the best possible level of cyber security), but you will find the investment worthwhile compared with the cost of repairing the damage done by cyber criminals. Bear in mind that a product only enforces the rules you configure in it, so the written policy and the rule set need to be kept in step.
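As an added illustration of what a “customisable rule set” looks like once a written policy is turned into checks (this is example code written for this article, not Datek’s code or any vendor’s product), here is a small Python policy checker that applies three hypothetical written rules to outgoing mail: restricted-labelled messages must not leave the firm, bank details must not go to external addresses, and external attachments are capped in size. The firm domain, the 10 MB limit, the “[RESTRICTED]” subject label, the rule names and the sample messages are all assumptions made up for the example; a real deployment would be expressed in your mail gateway’s own rule language and would log and quarantine rather than simply return a decision.

```python
import re
from dataclasses import dataclass, field

# Assumed for this example: the domain(s) the practice controls and the
# attachment limit the (hypothetical) written policy sets for external mail.
INTERNAL_DOMAINS = {"example-law.co.uk"}
MAX_EXTERNAL_ATTACHMENT_BYTES = 10 * 1024 * 1024  # 10 MB, an assumed figure

# Assumed classification label that the policy says must never leave the firm.
RESTRICTED_PREFIX = "[RESTRICTED]"

# A UK sort code (NN-NN-NN) followed within a few words by an 8-digit account
# number: the kind of detail a "protect money" policy keeps off external mail.
BANK_DETAILS_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b[^\n]{0,40}?\b\d{8}\b")


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: dict = field(default_factory=dict)  # filename -> size in bytes


def is_external(address: str) -> bool:
    """True when the address's domain is not one the practice controls."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(msg: Message) -> list:
    """Return the policy rules this message breaks; an empty list means it may be sent.

    Each rule is the enforceable form of one sentence in the written policy, so a
    blocked message can be explained to the sender in the policy's own terms.
    """
    if not any(is_external(r) for r in msg.recipients):
        return []  # purely internal traffic is outside these three rules
    violations = []
    if msg.subject.upper().startswith(RESTRICTED_PREFIX):
        violations.append("restricted-classification-sent-externally")
    if BANK_DETAILS_RE.search(msg.body):
        violations.append("bank-details-in-external-mail")
    for name, size in msg.attachments.items():
        if size > MAX_EXTERNAL_ATTACHMENT_BYTES:
            violations.append(f"oversized-external-attachment:{name}")
    return violations


def run_samples() -> dict:
    """Evaluate constructed sample messages (made up for the example, not real mail)."""
    samples = {
        "internal-restricted": Message(
            "fee-earner@example-law.co.uk", ["partner@example-law.co.uk"],
            "[RESTRICTED] Draft settlement terms", "Attached for review."),
        "external-clean": Message(
            "fee-earner@example-law.co.uk", ["client@example.org"],
            "Re: completion date", "Completion is confirmed for Friday."),
        "external-bank-details": Message(
            "accounts@example-law.co.uk", ["client@example.org"],
            "Funds for completion",
            "Please send the balance to sort code 12-34-56, account 12345678."),
        "external-big-attachment": Message(
            "fee-earner@example-law.co.uk", ["counsel@example.net"],
            "Bundle", "Full bundle attached.",
            {"bundle.pdf": 25 * 1024 * 1024, "index.docx": 40_000}),
    }
    return {name: evaluate(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {'ALLOW' if not result else 'BLOCK ' + ', '.join(result)}")
```

Run it as a script to see the decision for each sample message. Two things to take from it: every rule name maps back to one sentence of the written policy, so a blocked message can be explained to the sender in the policy’s own words, and purely internal mail is deliberately left alone, which is the “mirror levels of security with levels of risk” step made concrete.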
Completing these nine steps will give you confidence that your systems are as safe from cyber crime as you can reasonably make them. Your team are the front-line defence of your systems every day, and now that your policies are being adhered to you can be confident that they are equipped with everything they need, as well as an incentive to continue working as securely as possible.
Do you need to assess the threats to your practice?
Are you nervous that the cyber security of your organisation is not up to scratch? Are you actively seeking a way of tackling the threats to your organisation? Perhaps you need to prepare for an SRA ‘Stress Test’, or are considering implementing Cyber Essentials Plus? Whatever the case, we are the strategically aligned IT partner for you. We pride ourselves on being the go-to IT company to help you prepare your defences against whatever cyber criminals have up their sleeve, and, with our extensive knowledge of the legal sector and the compliance obligations you as a legal practice must meet daily, we are perfectly positioned to be your ideal partner.
Please don’t hesitate to get in contact with our team to learn more about us and what we can offer you going forward.
We're Datek Solutions
Since 1998 we have been managing IT support, solutions and strategy for a range of clients. We have won awards for our excellent customer service and pride ourselves on being transparent. What you see is what you get.
What makes us different? We don’t use a one-size-fits-all approach. We get to know your business and everyone in it, what it needs and how we can support you to give the best solutions at the best possible prices.
Above all this, we are committed to keeping it simple for you. If there’s a solution that your company needs, or you already have and it’s essential we support it, we make sure we know everything there is to know about it.
Contact us on 01753 540000 or email us at contactus@datek.co.uk.
