Implement An IT Security Policy


To protect your business from e-Crime, it is good practice to implement IT security policies, outlining the general rules that should be followed to minimise IT security risks. Policies define what behaviour is and is not allowed. These can be used by management and employees alike to ensure optimal working practice and network protection.

Steps to protection:

1. Ask yourself the following before developing IT Security policies:

  • What am I trying to protect?
  • Why am I trying to protect it?
  • What happens if I fail to protect it?

You should develop clear policies that take account of the most common or most likely risks to your data, given the nature of your business and your type of computer usage.  The policies should not be lengthy or complicated but should provide a reference point for all staff.

2. An important policy to develop is what you consider as ‘acceptable’ business use of your Internet and email systems, as casual or ‘unrestricted’ use is typically the means by which viruses will get into your network. Download a personalised Acceptable Use policy using the form below:

To test that your employees have read and understood this acceptable use policy, get them to take the Acceptable Use Policy Quiz and print out the certificate.

3. IT security policies should cover how you plan to protect yourself from both external threats such as viruses and internal threats such as theft of data. These areas to protect could include:

  • Login identification for using IT systems.
  • Logical access controls – limiting access to information and restricting access to the level needed for each job.
  • Confidentiality rules for customer and business information.
  • Plans for business continuity management.

This list is not exhaustive. For some more examples visit http://www.sans.org/resources/policies/ and download their template policies.

4. Remember that not all attackers need be external to your organisation. That doesn’t mean you should automatically be suspicious of every member of your staff, but don’t rule out the possibility. Where network security is poor, employees can compromise colleagues’ machines using tools readily available from the Internet. Such insiders have tools to spy on others’ actions, view information outside of their job function, stalk and harass others, and plant inappropriate content on others’ machines.

Finally, no matter how comprehensive your security policies are, or how well the controls have been implemented, the security of your network ultimately depends on the people who use it. Ensure that you can and will enforce any policies you implement, and that you communicate them to, and educate, the people who use your systems. All policies should be accepted by signature.

If everyone understands why security controls are needed and their own responsibilities for them, you are less likely to have a security breach. People are your best line of defence – especially if they are well trained and informed. Any information security initiative should be inclusive and accompanied by appropriate training.
