If your business has employees, volunteers, or consultants who use portable wireless devices onsite and offsite, you should address IT security and privacy with an Action Plan, which is Step 3 of our 3-part series. Your Action Plan will include policies, tools, training, and other ways to improve your security.
The Back Story
We’re leading you through a simplified version of risk assessment and remediation, specifically focusing on portable wireless devices. Step 1 was an Inventory that shows which wireless devices and apps people are using to handle information for your business. Step 2 was an Assessment that explored which types of data must be protected, what consequences you risk if it’s unprotected, and how much risk your company can tolerate.
Step 3: Action Plan
Your Action Plan will be based on how much improvement you need in order to bring your security risk down to the level you decided you can tolerate. (Refer back to Step 2 for more details.)
Below are several areas your team will probably need to address, by means of policies and, in some cases, by changing your network and router configuration. Keep in mind that how you approach each area depends a great deal on how secure you need to be and on whether the wireless device belongs to the company or to the individual; a company-owned device can be configured and locked down by you, whereas a personal device can only be governed by the rules you set for it. Whatever you decide should be recorded in a policy, and your people should be trained on that policy.
You’ll find a link to a sample policies document at the end of this article. To fully understand your company’s risks and possible solutions, you would do well to engage the help of an IT security professional during this process and when designing or implementing changes to your network.
Onsite WiFi Access
If your facility offers WiFi access, make sure your router provides a separate guest network that is isolated from the network your business computers, printers, and servers use, so that a guest (or a compromised guest device) cannot reach your internal systems. If staff do not use their personal devices to do any work for you, consider having those personal devices use the guest network only.
You should also have your router examined by an IT security pro to confirm that the firmware is up to date and the security settings are appropriate: a current encryption standard (WPA2 or WPA3) with a strong passphrase rather than an open or WEP network, the factory default administrator password replaced, WPS disabled, and remote administration of the router turned off unless you specifically need it.
Offsite WiFi Access
If you determined in Step 2 that your people handle any sensitive company information on their portable devices while using offsite WiFi, your policy should provide guidance on this. There is no one right policy; you will determine what’s right for your business. Here are some examples of where you might land on this issue:
– You might decide your people must do business on password-protected WiFi only; no one is to check work email or do any other business when connected to an open public WiFi signal. (Keep in mind that a shared password keeps casual outsiders off the network but does not protect you from other people who also know that password, so this is a minimum bar rather than a guarantee.)
– You might decide that no company business is to be conducted on any portable device, onsite or offsite.
– You might decide that any wireless device used for work must be provided and configured by the company, not the individual.
– You might decide that company business may be done on any device, but only over a hard-wired or cellular data connection.
Device Protection
All devices should lock automatically after a short idle period and require something to unlock them. Your policy may specify the maximum time-out period and which unlocking methods are acceptable (for example, passcode, fingerprint, or pattern entry); a passcode or PIN of reasonable length is generally a stronger choice than a swipe pattern, which is short and easy to observe.
You could require that all portable devices used for work tasks have storage encryption turned on, or at least that the folders holding company data be encrypted. Encryption is what makes the screen lock meaningful: without it, the data on a lost device can often be read by connecting the storage to another computer, regardless of the lock screen.
Passwords
Create a policy and train your people to (1) create good passwords, (2) avoid using the same password for multiple devices or applications, and (3) never share passwords. You may need to purchase additional software licenses so that each user can have their own login credentials; separate logins also let you see who did what and let you revoke one person’s access when they leave without resetting everyone else’s.
Provide guidance on saving login credentials on devices. For instance, you might prohibit your people from saving work-related passwords on smartphones, but allow them to do so on their desktop PC.
Keeping track of passwords is a pain for everyone. Decide on the acceptable methods for managing passwords that relate to your business (a password manager is the usual answer; a sticky note on the monitor is not), and provide the tool or training as needed.
Loss or Theft
If your people are following policies that specify a strong unlock code as well as device encryption, then the loss or theft of a device carries far less risk, because the data on it is unlikely to be readable. However, employees should still report the loss or theft of any device that contains sensitive data or saved logins, and promptly, so that the accounts it had access to can have their passwords changed and, where the device supports it, the device can be remotely locked or wiped. Assign a point person for IT security and breach reporting, and include this in your procedures.
Secure disposal
If one of your people sells or gives their device to someone else, it must first be cleaned of all company data, including saved login credentials and signed-in accounts. On a smartphone or tablet this normally means signing out of all accounts and then performing a factory reset; on an encrypted device the reset also discards the encryption key, so the old data cannot be recovered. You may wish to provide instructions or assistance for this.
Training
You’ll need to provide training for some of these areas. Help your people understand their responsibilities and how to carry them out. Explain how their actions directly affect risk to the business. Determine how you will get new personnel trained as they arrive.
Compliance
You’ll be depending on your personnel to adhere to the policies and procedures you create. Motivate them by illustrating the risks through examples and stories in your training sessions. Help them understand that a threat to the IT security of your organization is a threat to everyone who works there and everyone served by your business. The risks include breach of privacy, identity theft, and, in severe cases, threats to the very existence of the organization.
One size does not fit all
The examples above are not exhaustive. The policy or procedure that works for another organization might not work for yours. Your policy, procedures, and actions depend on a host of factors, and only you can do the work to reduce your risk. We recommend that you engage the services of an IT security consultant during this part of your process.
When your Action Plan is ready
You can see how each of the policy topics above leads to certain actions, such as providing a tool for your staff or making sure people follow a procedure. Once your policies are written in final form, it’s time to introduce them to your personnel. Provide training with time for Q&A, make sure they understand everything, and then have them sign to affirm that they will comply.
Please note that your policy and procedures will need adjustment over time to stay relevant to your current technology, personnel, and business activities. So the last tip we offer is to periodically review and update your policy, procedures, and training; a yearly review, plus a review whenever you change devices, apps, or network equipment, is a reasonable starting point. Make it part of someone’s job description to attend to this.
Your Action Plan includes creating the necessary policies and procedures to reduce your risk, identifying a point person, training your people, and making changes to your network or equipment if needed. Now run with it! And if you need help to make it all work, feel free to contact us.