Ransomware attacks have increased more than 11 percent in the past 12 months, according to Kaspersky Labs data. The first half of 2017 has already seen two global ransomware attacks, as WannaCry and Petya disrupted operations for businesses, healthcare organizations, government agencies and educational institutions around the world. Even worse, the Petya attacks offered further proof that you can’t trust hackers to restore access to your data after you pay the ransom demand.

Awareness of ransomware and other threats has increased, and organizations are implementing new security tools to beef up their defenses. However, security tools have limited value if there’s no overarching IT strategy to guide their use. Your IT policies create that strategy, but for many small to midsize businesses, IT policies are either out of date or non-existent. This only increases the risk of security breaches and regulatory compliance issues.

There are certain IT policies every business should have. The first is an acceptable use policy, which defines company IT resources and the proper way to access and use them. A security awareness policy educates all users about threats, security training initiatives, and the impact of user activity on security and regulatory compliance.

An information security policy defines the people, processes and technology involved in IT security and lays the foundation for a data risk management program. An incident response plan will define the criteria for a security incident, roles and responsibilities for those involved in responding to an incident, and processes for detecting, reporting, mitigating and analyzing threats.

Incident response planning ties into disaster recovery and business continuity, which help you manage risk in real time in case of a data breach, weather event or some other disaster. It establishes a formal plan for communicating with employees and vendors and restoring critical data and applications with minimal business disruption. A policy governing data backup, retention and destruction will establish guidelines for how frequently information systems are backed up, how long various types of data must be retained, where these information systems and data are stored, and approved methods for disposing of old technology and data.

There should be a change management policy to ensure that changes to IT systems, hardware and software are being properly managed, approved by leadership, and tracked. Because users often work remotely, and outsourced vendors and contractors access the network remotely, there needs to be a policy for remote access. In other words, how must remote users securely access the network, and what type of activity is required and prohibited to minimize risk?

The growth of remote workforces is being driven in large part by the use of employee-owned devices for work purposes, which is why a bring-your-own-device (BYOD) policy must be documented. A BYOD policy clarifies what devices, operating systems and applications are permitted. It also establishes rules for passwords, installing applications, reporting lost or stolen devices, and accessing, sharing and storing data.

In the next post, we’ll discuss the steps involved in developing IT policies, why this process can be rather complicated, and how SSD can help.