CYBER SECURITY POLICY

1. Introduction
1.1 This policy is intended to be a practical policy for everyday use within
and outside the workplace. The measures outlined in this policy will help
to protect your devices and data. 

1.2 This policy should be read in conjunction with the Organization's Data
Protection and Communications Policies. Where a conflict arises between
this policy and the policies mentioned above, those policies will prevail.

1.3 If you have any questions regarding these guidelines and how they
apply to you, please consult the relevant manager before taking action
that may breach this policy.

2. Implementation
2.1 The Organization will provide full training on the use of the measures
detailed in this policy and will meet the full costs of implementing and
maintaining such measures.
 
2.2 Once full training has been provided, any failure to follow any
implemented measures detailed in this policy may, in serious cases, result
in disciplinary action.

3. Physical Security
3.1 All equipment (phones, computers, tablets) should be password
protected. Where possible, biometric security should also be used, whether
fingerprint or face recognition. All devices should be set to lock after a
period of inactivity. This period of inactivity should be set to between two
and five minutes, with five minutes being the maximum.

3.2 All devices should be transported in suitable cases or bags.

3.3 Devices should never be left unattended when in a public place or left
in a parked vehicle. Care should be taken during airport security checks;
your devices should remain in your sight wherever possible. Furthermore,
you should not leave devices at hotel concierge desks, coat checks,
cloakrooms, or anywhere else where they could be claimed accidentally or
deliberately by a third party.

3.4 In the case of bags, it is recommended that you leave a business card
within your bag. If you are separated from your bag, this will make
reuniting you with your bag potentially easier.

4. Virtual Private Network (VPN)
4.1 Whenever away from your office, whether traveling or working from
home, you should always use a Virtual Private Network (VPN) to ensure
that your Internet access and email are secure. A VPN creates a secure
private connection when accessing the Internet, email, or other services
while using a public network connection, such as a public WIFI
connection.

4.2 All employees (and contractors, where applicable) should use a
reputable, paid-for VPN service, such as NordVPN. A subscription will be
provided to all employees. For contractors, a VPN subscription is a billable
expense paid for by the Organization for the period that the contractor
provides services to the Organization.

5. Public WIFI
5.1 All public WIFI connections or WIFI connections provided by another
organization can be used but should always be used with your VPN.

5.2 Before connecting to a public WIFI, you should always confirm with
the location providing the WIFI which WIFI connection to use and what
the password is. You should not assume that you will be automatically
connected to the correct WIFI or that the WIFI appearing in your list of
possible connections is the correct one, particularly if the names of the
different WIFI connections look similar. This is to ensure that you connect
to the correct WIFI and not another posing as the correct connection. This
precaution is to avoid logging into a so-called "evil twin" WIFI connection
that is deliberately set up by a malicious party to harvest your login
details, card details, or any other private information that you may send
over a WIFI connection. This type of attack can also be used to persuade
you to download malware, posing as legitimate software that is required
for the WIFI connection to work.

6. Software Updates
All of your devices should be kept up to date, and updates and upgrades
should be set to automatic.

7. Passwords
7.1 All passwords (where possible) should be a mixture of letters,
numbers, and special characters (&%$! etc.) and should be a minimum of
eight characters.

7.2 Passwords should never contain a place name, first name, last name,
team name, or a word from the dictionary, as these are easily guessed or
subject to so-called "dictionary attacks". Also, do not attempt to obfuscate
such a word by trivial means, for example "newy0rk" or "$mith"; these
too can be easily guessed.

7.3 Passwords should never be reused; you should have a unique
password for each service you access.

7.4 Passwords should be changed regularly, and previous passwords
should not be reused.

7.5 Use a password manager such as LastPass, Bitwarden, or 1Password.
Where a paid-for version of these products is required, it will be provided
to all employees. For contractors, a paid-for password manager is a
billable expense paid for by the Organization for the period that the
contractor provides services to the Organization.

8. Two-Factor Authentication (2FA)
Where any service allows for the use of Two-Factor Authentication (2FA),
it should be implemented. 2FA can be used in conjunction with password
managers, as detailed in clause 7 above. Popular 2FA services include
Google Authenticator and Microsoft Authenticator.

9. SIM Card Security
All cell phone SIM cards should be secured with a 4-digit PIN. This PIN
should be changed from the default PIN provided by the network provider
or set to your own PIN at the time of purchase.

10. Organization Devices
10.1 When working from home or outside work hours, do not allow your
work devices, computers, phones, etc., to be used by other people,
including family members, as this could lead to unwanted downloads or
malware being downloaded unwittingly by other users.

10.2 Using your devices for personal use and tasks during work hours
and outside work hours is perfectly acceptable, as long as you remain the
sole user and employ the same basic security measures for personal use
as you would for work.

11. Social Media
11.1 Social media sites and apps are an easy source of free information
that hackers can use. You are not paid to use social media, and the social
benefits of doing so are questionable. 

11.2 Do not provide personal information that could be used to build up a
picture of you, or information that could be requested as standard security
questions. For example, do not disclose your birthday; trust us, the
people who need to remember will remember. Likewise, do not disclose
your place of birth, mother's maiden name, your first school, your favorite
author, band, football team, etc.

11.3 Do not use your pet's name.

11.4 Only provide limited information for any social media service and do
not provide different sets of information on each service, as this helps
build a fuller picture of you.

11.5 Be careful of pictures too. For example, a common weakness is to
provide a photo of your car, complete with the license plate, and then use
your license plate as a password.

11.6 Do not post photos of you away on a break, conference, or holiday
while you are away. Instead, wait and post once you have returned.

12. Known Threat Methods & Scenarios
The following is a list of practical examples of common threats, not listed
in any particular order:

Email phishing
Attempts to obtain sensitive login information and/or bank or card details,
usually by informing you that your account has been locked, or that there
has been suspicious activity on your account, or even that you have won
something, such as an Amazon gift card, etc.

Spear phishing
These are the same as general email phishing but include some basic
information about you to make the email look legitimate, for example
addressing you by your first name or full name, or drawing on recent
contact data or other information the sender has access to. One example
was a spear-phishing email posing as a bank and asking the recipient to
confirm recent account changes. This indicates that scammers can have
knowledge of previous contacts, probably from a source within the bank
call center. This was a particularly sophisticated attack.

Emergency emails
These tend to be bogus emergency requests to update an account. The
"emergency" is designed to pressure you to act. These frequently pose as
coming from a senior manager or director within the Organization and
may include their name and sometimes an email address that looks
almost identical to their legitimate email address. This sort of information
can be obtained through sites such as LinkedIn.

Emergency holiday emails
These are the same as above, but take advantage of the fact that many
people, including senior managers, are away on holiday, for example
during August. In addition, these emails can include the name of a
director or senior manager requesting an emergency payment because
they are stranded without money or have been in an accident. The names
of directors or senior managers can be easily obtained via LinkedIn.

Christmas and Friday emails & attacks
Timing is frequently crucial in these attacks. For example, requesting an
emergency payment or a change to existing payment details on a Friday
afternoon, when senior people may be away and more junior staff are
working. This adds to the time pressure, as staff are keen to sort a
problem out before leaving work. In these situations, the mistake is
frequently not noticed until Monday morning. Christmas attacks work
similarly; more junior staff may be in the office between Christmas and
New Year. Common attacks during this period are bogus "software
updates", which can compromise computers, servers, and the software on
them.

IRS or other official emails
A common email scam is an IRS tax refund that requests bank details to
process the refund. These are particularly popular just after the end of the
tax year.

Microsoft "calls"
Microsoft does not call you to notify you of software updates; this is a
scam to get you to download and install malware. Frequently the malware
encrypts your hard drive, and then the scammers request a ransom to
provide the code to decrypt the drive.

Compromised email accounts – Business Email Compromise (BEC)
Existing email accounts are also frequently targeted, with hackers or
scammers attempting to access personal and work emails. If access is
gained, they will look for transactions, invoices, and payment emails.
They will then fake an email address from which you have previously
received legitimate emails. The faked email address and email will be
used to email you, notifying you of "updated" bank or payment details for
future transactions. The aim of this is to get you to send payments
directly to a bank account they control. This is a very effective scam
because the scam email appears to come from an existing contact with
knowledge of previous emails and transactions. To counter this threat,
whenever a change of payment details is received, it must always be
confirmed by phone with a person you already know at the other party.
You should always use the existing phone number on file, not a phone
number provided in any request email. However, the best way to counter
such an attack is to use a strong password for your email account and
update it regularly; this will help prevent your email account from being
compromised.

The above are real-life examples of possible scams. However, it is
important to note that scams change frequently and are often linked to
current events, such as Covid-19 and assistance and payments related to
Covid-19.

13. Date of Implementation
This policy is effective from [Insert date] and shall not apply to any
actions that occurred prior to this date.

14. Questions
If you have any questions regarding this policy document and how it
applies to you, please consult [Insert manager's name].

15. Alteration of this Policy
This policy will be subject to review, revision, change, updating,
alteration, and replacement to introduce new policies from time to time to
reflect the changing needs of the business or to comply with new laws or
changes to existing laws. Any alterations will be communicated to you by
the manager named above.

(c) CompactLaw / all rights reserved / version 24.0