April 2018
MiMfg Magazine
Reduce Risk with a Cyber Security Policy
By Hal Ostrow • Rhoades McKee PC
As cyber attacks become increasingly common,
businesses are confronting risks previously only seen
in works of fiction. Cybercriminals steal users’
identities, make fraudulent purchases, and disrupt
everything from travel to essential emergency services.
With this in mind, New York recently became
the first state to impose minimum cyber security
standards on financial services companies. While
these regulations are only binding on specific
entities transacting business in New York, the
policies those companies are adopting in response to
the regulations offer valuable guidance to similar
businesses throughout the country.
Before creating policies to address cyber security,
a business should assess what its risks are by
answering — at a minimum — the following:
• Who can access the company’s network?
• Are all portions of the network accessible by
all employees and contractors?
• How and over what network(s) users may
remotely access company data and networks?
• How are users authenticated?
• What are the rules governing mobile
device management?
• What data does it store, and where?
• Does it store the data itself, or does it rely
on a third party to do so?
• If data is stored offsite, who can access it —
both to and from its storage facility, and
within the storage facility?
• Is the network monitored for vulnerabilities
and, if so, how?
“While policies themselves cannot protect
your data from a cyber attack, making sure
your users and your information technology
vendors follow some common-sense
safeguards can greatly decrease the
likelihood that your network will be
breached and both your valuable data and
your customers’ or clients’ confidential
information will be jeopardized.”
Depending on the answer to those questions,
companies should implement policies to address not
only internal hardware and data access and storage,
but also for contracting with third parties who come
into contact with the business’s hardware and data.
Some issues these policies may address includ