California Cyber Security Policy - sample

1. Introduction
1.1 This policy should be read in conjunction with the Organization's other policies.

1.2 If you have any questions regarding these guidelines and how they apply to you, please consult your manager before taking action that may breach them.

2. Implementation
2.1 This policy is intended to be a practical policy for everyday use within and outside the workplace. The measures outlined in this policy will help to protect your devices and data.

2.2 The Organization will provide full training on the use of the measures detailed in this policy and will meet the full costs of implementing and maintaining such measures.

2.3 Once full training has been provided, any failure to follow any implemented measures detailed in this policy may, in serious cases, result in disciplinary action.

3. Physical Security
3.1 All equipment (phones, computers, tablets) should be password protected. Biometric security, whether fingerprint or face recognition, should also be used where possible. All devices should be set to lock after a period of inactivity. This period of inactivity should be set to between two and five minutes, with five minutes being the maximum.

3.2 All devices should be transported in suitable cases or bags.

3.3 Devices should never be left unattended when in a public place or left in a parked vehicle. Care should be taken during airport security checks; your devices should remain in sight wherever possible. Furthermore, you should not leave devices at hotel concierge desks, coat checks, cloakrooms, or anywhere else where another person could claim them accidentally or deliberately.

3.4 In the case of bags, it is recommended that you keep a business card inside your bag; if you are separated from your bag, this may make reuniting you with it easier.

4. Virtual Private Network (VPN)
4.1 Whenever you are away from your office, whether traveling or working from home, you should always use a Virtual Private Network (VPN) to ensure your Internet access and email are secure. A VPN creates a secure private connection when accessing the Internet, email, or other services while using a public network connection, such as a public WIFI connection.

4.2 All employees (and contractors, where applicable) should use a reputable, paid-for VPN service, such as NordVPN. A subscription will be provided to all employees. For contractors, a VPN subscription is a billable expense paid by the Organization for the period the contractor provides services to the Organization.

5. Public WIFI
5.1 Public WIFI connections, and WIFI connections provided by another organization, may be used but should always be used in conjunction with your VPN.

5.2 Before connecting to a public WIFI, you should always confirm with the location providing the WIFI which connection is the correct one to use and what the password is. You should not assume that you will be automatically connected to the correct WIFI or that the WIFI appearing in your list of possible connections is the correct one, particularly if the names of the different WIFI connections look similar. This is to ensure that you connect to the correct WIFI and not another posing as the correct connection. This precaution avoids logging into a so-called "evil twin" WIFI connection that a malicious party deliberately sets up to harvest your login details, card details, or any other private information that you may send over a WIFI connection. This attack can also be used to persuade you to download malware posing as legitimate software that is supposedly required for the WIFI connection to work. This scam has previously been used in hotels, train stations, and coffee shops.

6. Software Updates
All your devices should be kept up to date, and updates and upgrades should be automatic.

7. Passwords
7.1 All passwords (where possible) should be a mixture of letters, numbers, and special characters (&%$! etc.) and a minimum of eight characters.

7.2 Passwords should never contain a place name, first name, last name, team name, or a word from the dictionary, as these are easily guessed or subject to so-called "dictionary attacks". Also, do not attempt to obfuscate such a word by trivial means; for example, "Kalamaz00" or "$mith" can also be easily guessed.

7.3 Passwords should never be reused; you should have a unique password for each service you access.

7.4 Passwords should be changed regularly, and previous passwords should not be reused.

7.5 If you are instructed to update your password to access a service or system the Organization uses, you must do so immediately.

7.6 Use a password manager such as LastPass, Bitwarden, or 1Password. Where a paid-for version of these products is required, it will be provided to all employees. For contractors, a paid-for password manager is a billable expense paid for by the Organization for the time that the contractor provides services to the Organization.

8. Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) should be enabled on any service that supports it. For example, 2FA can be used in conjunction with Password Managers, as detailed in clause 7 above. Popular 2FA apps include Google Authenticator and Microsoft Authenticator.

9. SIM Card Security
All mobile phone SIM cards should be secured with a 4-digit PIN. This PIN should be changed from the default PIN provided by the network provider or set to your own PIN at the time of purchase.

10. Organization Devices
10.1 When working from home or outside work hours, do not allow your work devices (computers, phones, etc.) to be used by other people, including family members, as this could lead to unwanted downloads or malware being installed unwittingly by other users.

10.2 Using your devices for personal use and tasks during work hours and outside work hours is perfectly acceptable as long as you remain the sole user and employ the same basic security measures for personal use as you would for work.

11. Social Media
11.1 Social media sites and apps are an easy source of free information that hackers and scammers can use. You are not paid to use social media, and the social benefits of doing so are questionable.

11.2 Do not provide personal information that could be used to build up a data profile of you or information that could be requested as standard security questions. For example, do not disclose your birthday; trust us, the people who need to remember will remember. Likewise, do not disclose your place of birth, mother's maiden name, first school, favorite author, band, football team, vehicle license plate, etc.

11.3 Do not use your pet's name or a variation of it.

11.4 Only provide limited information for any social media service and do not provide different sets of information on each service, as this helps build a fuller picture of you.

11.5 Be careful with pictures, too. For example, a common weakness is to provide a photo of your car, complete with the license plate, and then use your license plate as a password.

11.6 Do not post photos of yourself on a break, at a conference, or on holiday while you are still away. Instead, wait and post once you have returned.

12. Voice Cloning
12.1 Artificial Intelligence (AI) tools exist to clone voices, and voice cloning services exist on the dark web. Therefore, there is a risk that your voice (or the voice of a colleague) could be cloned from a conversation or phone call that has been recorded.

12.2 A cloned voice could engage you in a conversation and ask for items such as login details, financial access details, and two-factor authentication codes or simply request payments to be made, either to the "colleague" or a third party. A cloned voice could also request changes to existing financial records and divert payments to a third party.

12.3 It is important to remember that a bad actor may use voice cloning over a period of time to request seemingly innocuous information to build up a picture of the Organization's personnel and/or processes.

12.4 To counter this threat, colleagues should:

12.4.1 Avoid providing sensitive information over the phone, even when using an internal phone system.

12.4.2 If you regularly communicate potentially sensitive details by phone, you should agree on a password to be used before exchanging such details.

12.4.3 The password should only be agreed in person, face-to-face, and should likewise only be updated in person.

12.4.4 The password should not be an existing password or easily guessed. It should also not be easily cross-referenced. For example, if you are a sports fan, do not use the name of your favorite team, as this information may already be readily available via any social media posts made by you.

13. Known Threat Methods & Scenarios
The following is a list of practical examples of common threats; hackers and scammers use these threat methods daily. They are not listed in any particular order:

Email phishing
Attempts to obtain sensitive login information and/or bank or card details, usually by informing you that your account has been locked, or there has been suspicious activity on your account, or even that you have won something, such as an Amazon gift card, etc.

Spear phishing
These are the same as general email phishing but include some basic information about you to make the email look legitimate, for example addressing you by your first name or full name, or drawing on recent contact data or other information the scammers have obtained. One example is a spear-phishing email posing as a bank and asking you to confirm recent account changes; this indicates that the scammers had knowledge of previous contacts, probably from a source within the bank's call center. This was a particularly sophisticated attack.

Emergency emails
These tend to be bogus emergency requests to update an account. The "emergency" is designed to pressure you to act. These frequently pose as coming from a senior manager or director and may include their name and sometimes an email address that looks almost identical to their legitimate email address. This sort of information can be obtained through sites such as LinkedIn.

Emergency holiday emails
These are the same as above, but take advantage of the fact that many people, including senior managers, are away on holiday, for example during August. In addition, these emails can include the name of a director or senior manager requesting an emergency payment because they are stranded without money or have been in an accident. The names of directors or senior managers can be easily obtained via LinkedIn or other sources.

Holidays and Friday emails & attacks
Timing is frequently crucial in these attacks. For example, a request for an emergency payment or a change to existing payment details may arrive on a Friday afternoon, when senior people may be away and more junior staff are working. This adds to the time pressure, as staff are keen to sort a problem out before leaving work. In these situations, the mistake is frequently not noticed until Monday morning. Christmas (and other holiday) attacks work in a similar way; more junior staff may be in the office before or during holidays. Common attacks during this period are bogus "software updates", which can compromise computers, servers, and software.

IRS or Gov emails
A common email scam is an IRS tax refund that requests bank details to process the refund. These are particularly popular just after the end of the tax year.

Compromised email accounts – Business Email Compromise (BEC)
Existing email accounts are also frequently targeted, with hackers or scammers attempting to gain access to personal and work emails. If access is gained, they will look for transactions, invoices, and payment emails. They will then fake an email address from which you have previously received legitimate emails. The faked email address and email will be used to notify you of "updated" bank or payment details for future transactions. The aim is to get you to send payments directly to a bank account they control. This is a very effective scam because the scam email appears to come from an existing contact with knowledge of previous emails and transactions. To counter this threat, whenever a change of payment details is received, it must always be confirmed by phone with a person at the other party whom you know. When doing so, always use the existing phone number on file, not the phone number provided in the request email. However, the best way to counter such an attack is to use a strong password for your email account and update it regularly; this will help prevent your email account from being compromised.

Voice cloning: see clause 12 above for further details.

The above are real-life examples of possible scams. However, it is important to note that scams change frequently and are often linked to current events.

14. Duty to Report
Any suspected or known breaches of this policy must be reported to your manager immediately. Any failure to do so will constitute a disciplinary offense. In the most serious cases, a failure to report a suspected or known breach may constitute gross misconduct.

15. Date of Implementation
This policy is effective from [insert date] and shall not apply to any actions that occurred prior to this date.

16. Questions
Please consult your manager if you have any questions regarding this policy document and how it applies to you.

17. Alteration of this Policy
This policy will be subject to review, revision, change, updating, alteration, and replacement to introduce new policies from time to time to reflect the Organization's changing needs or to comply with any applicable state or federal laws.

18. Governing Law
This Agreement shall be construed in accordance with and governed by the laws of the state of California.

(c) CompactLaw / all rights reserved / version 30