How to set an acceptable use policy for newbies to prevent cyberattacks

 閱讀中文版本

Verizon's latest report, which surveyed 856 businesses across Australia, the US and the UK, revealed that while 40% of businesses surveyed recognised that mobile devices are their company’s biggest IT security threat, 45% of them knowingly sacrificed the security of mobile devices to “get the job done” (e.g. meet a deadline or productivity targets) and a quarter (24%) sacrificed the security of mobile devices to facilitate their response to restrictions put in place due to the pandemic.

A hacked system or phishing attack can create havoc and is costly. It can also potentially negatively impact your brand. 

Notably, over half of those surveyed (52%) said that SMEs are more of a target than larger businesses.

Verizon suggested employers and HR to establish their own Acceptable Use Policy (AUP), a set of guidelines for acceptable ways an employee is permitted to use the Internet, a network or a connected device, in a bid to prevent cyber attacks and data breach. Here is a step-by-step guide to starting an AUP:

1. Set the criteria for appropriate and inappropriate websites

When employees visit an inappropriate site, they may be inadvertently putting your organisation at risk. The site may contain malicious content. Adult and gambling sites are common vectors for malware. With an AUP, your employees know what is acceptable. Set and enforce clear policies.

2. Decide what behaviours you want to encourage or discourage

Your AUP should fit your organisation. Social media might be a time waster or an important tool for your sales team. Employees of different ages and culture might consider online shopping, chatting or gaming at work as completely normal. Your AUP should make it clear to employees what’s acceptable and what's not. 

3. Secure all your mobile devices, whether employee owned or corporate owned

In the end, it doesn’t matter who owns a device if an employee uses it for business. Whether you adopt bring your own device, corporate owned but personally enabled or any of the other variations on device ownership and enablement, you need formal policies to govern use. Mobile device management can help you balance usability and control.

4. Promote LTE and limit public or unapproved Wi-Fi use to secure networks

While the potential dangers of public Wi-Fi are well known, just half of companies surveyed have a solution to protect users from a man-in-the-middle attack. This means the more your users travel, the more your organisation may be at risk. LTE access and hotspots can help employees stay connected while helping protect your organisation’s data from public Wi-Fi risks.

5. Curate company-approved apps and limit the rest

It’s almost impossible to know who really coded a mobile game and whether a hacker will be leveling up with your company data. Even mainstream business apps can be compromised. The more apps your employees download, the more avenues attackers have. Limit employees to approved apps whenever possible.

6. Address risks across the mobility ecosystem

Your AUP should cover the many ways a mobile device interfaces with the world. Custom apps are just one potential security risk. Bluetooth connections, public charging cables, SD cards and SIM swapping all carry risks as well. Let employees use what they need to maintain productivity, but use your AUP to open their eyes to the risks around them.

7. Articulate and enforce your patch policy

An out-of-date operating system can harbour dangerous vulnerabilities. And if an OS is out of date, apps are likely even further behind. Design and articulate a patch policy to help plug those holes. If possible, you can implement a policy with unified endpoint management, which can also help you quarantine at-risk devices. Next, be sure to look at your app patch strategy.

8. Flag the risks of working remotely

Give employees guidance on what internet connections are most secure when accessing company data and systems. Help them know the risks of public Wi-Fi, especially when using their mobile devices.

9. Keep your frontline defense up

Having regular training sessions about your AUP and growing risks like phishing will help your workforce stay secure.