Responsibility for policy: Technical Director
Approving authority: Board of Directors
Last reviewed: August 2022
Next review date: August 2024
PURPOSE
This Cyber Security Policy includes guidelines and provisions for security measures to help mitigate cyber security risk. It applies to all company employees, contractors, volunteers, and anyone who has permanent or temporary access to the company’s systems and hardware.
CONFIDENTIAL DATA
Confidential data is valuable and is to be kept secret. Company confidential data includes:
- Unpublished financial information
- Data of customers/partners/vendors
- Patents, formulas or new technologies
- Customer lists (existing and prospective)
All employees are obliged to protect this data.
PROTECT PERSONAL AND COMPANY DEVICES
When employees use their digital devices to access company emails or accounts, they introduce security risk to company data. Employees are to keep both their personal and company-issued computers, tablets and cell phones secure. To keep these devices secure:
- Keep all devices password protected.
- Choose a complete antivirus software package and keep it up to date.
- Do not leave devices exposed or unattended.
- Install security updates for browsers and operating systems monthly, or as soon as updates are available.
- Log into company accounts and systems through secure and private networks only.
Employees are advised to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others. When new hires receive company-issued equipment, they will receive instructions for:
- Installation of antivirus/anti-malware software
Employees are to follow instructions to protect their devices and refer to the company IT team with any questions.
SAFEKEEPING EMAILS
Emails can host scams and malicious software. To avoid virus infection or data theft, employees must:
- Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “Watch this video, it’s amazing.”)
- Be suspicious of clickbait titles (e.g. offering prizes, advice).
- Check the email addresses and names of the people they received a message from to ensure they are legitimate.
- Look for inconsistencies or giveaways (e.g. grammar mistakes, capital letters, an excessive number of exclamation marks).
If an employee isn’t sure that an email they received is safe, they can refer it to the company Security Specialists.
MANAGING PASSWORDS
Password leaks are dangerous since they can compromise the company’s entire infrastructure. Not only should passwords be strong so they cannot be easily guessed or cracked, but they should also remain secret. For this reason, employees are to:
- Choose passwords with at least 12 characters (including capital and lower-case letters, symbols and numbers).
- Make passwords hard to guess, even by people who know a lot about you: avoid the names and birthdays of your friends and family, your favourite bands, and phrases you like to use.
- Avoid passwords with information that can be easily guessed (e.g. birthdays).
- Don't reuse your Buildmedia passwords for non-work-related purposes.
- Don't use a single word (for example, “password”) or a commonly used phrase (for example, “Iloveyou”).
- Don't use a password that is the same or similar to one you use on any other websites.
- Employees are encouraged to use 2FA (two-factor authentication) if it is available.
DATA TRANSFERS
Transferring data introduces a security risk. Employees must:
- Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary.
- Share confidential data over the company network/system and not over public Wi-Fi or a private connection.
- Ensure that the recipients of the data are properly authorised people or organisations and have adequate security policies.
- Report scams, privacy breaches and hacking attempts.
- Transfer any data using company-issued external hard drives only. Employees are not permitted to use personal hardware.
IT Admins need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to Buildmedia's IT Admins, who must investigate promptly, resolve the issue and send a companywide alert when necessary.
IT Admins are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.
ADDITIONAL MEASURES
To reduce the likelihood of security breaches, we also instruct our employees to:
- Turn off their screens and lock their devices when leaving their desks.
- Report stolen or damaged equipment as soon as possible to IT Admins.
- Change all account passwords at once when a device is stolen.
- Report a perceived threat or possible security weakness in company systems.
- Refrain from downloading suspicious, unauthorised or illegal software on their company equipment.
- Avoid accessing suspicious websites.
We also expect our employees to comply with our social media and internet usage policy.
IT Admins should:
- Install firewalls, anti-malware software and access authentication systems.
- Arrange for security training for all employees.
- Inform employees regularly about new scam emails or viruses and ways to combat them.
- Investigate security breaches thoroughly.
- Follow this policy's provisions as other employees do.
Our company will maintain all physical and digital safeguards needed to protect information.
REMOTE EMPLOYEES
Remote employees must follow the Cyber Security Policy. As remote employees will be accessing the company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure. Remote employees are encouraged to seek advice from company IT Admins.
DISCIPLINARY ACTION
All employees are to always follow this policy, and those who cause security breaches may face disciplinary action:
- First-time, unintentional, small-scale security breach: the company may issue a verbal warning and train the employee on security.
- Intentional, repeated or large-scale breaches (which cause severe financial or other damage): the company will invoke more severe disciplinary action up to and including termination.
Each incident will be examined on a case-by-case basis.
Additionally, employees who are observed to disregard the company’s security instructions will face progressive discipline, even if their behaviour has not resulted in a security breach.