Executive Summary

Our company Cybersecurity Policy outlines our guidelines and provisions for preserving the security of our data and technology infrastructure.

The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our company’s reputation.

For this reason, we have implemented a number of security measures. We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.

This policy applies to all our employees, contractors and partners who have permanent or temporary access to our systems and hardware.

Confidential Data

Confidential data is secret and valuable.

Common examples are:

  • Data from our customers
  • Customer lists (existing and prospective)

All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.

Please review the Security Overview article to understand how data is classified.

Policy and Procedure

Following all stated policies and procedures is a critical component of our cybersecurity program. All Policies and Procedures can be found using the following link - Information Security Program.

Protect personal and company devices

When employees use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise our employees to keep both their personal and company-issued computers, tablets and cell phones secure.

Our Information Security Training covers topics to help keep devices protected.

When new hires receive company-issued equipment they will receive instructions to work with our IT department if they have any cyber security questions.

Keep emails safe
Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct employees to:

  • Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing.”)
  • Be suspicious of clickbait titles (e.g. offering prizes, advice.)
  • Check the email addresses and names of the people they received a message from to ensure they are legitimate.
  • Look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks.)
  • If an employee isn’t sure that an email they received is safe, they can refer to our IT department.

Manage passwords properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to carefully review the following Password Management article.

Transfer data securely

Transferring data introduces security risk. Employees must:

  • Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees to ask our IT Department for help.
  • Share confidential data over the company network/system and not over public Wi-Fi or a private connection.
  • Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
  • Report scams, privacy breaches and hacking attempts. Our IT Department needs to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our IT Department must investigate promptly, resolve the issue and send a company-wide alert when necessary. Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.

Remote employees
Remote employees must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.

Disciplinary Action
We expect all our employees to always follow this policy, and those who cause security breaches may face disciplinary action:

  • First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
  • Intentional, repeated or large-scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination.
  • We will examine each incident on a case-by-case basis.
  • Employees who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.
  • Employees who are observed to disregard our stated policies and procedures will face progressive discipline, even if their behavior hasn’t resulted in a security breach.

Modern Technology

All employees and contractors must use approved (i.e., modern) operating systems and hardware to avoid exposing company assets to security vulnerabilities.

Installation of Software

All employees and contractors are only allowed to install software that is on the 'approved software inventory' list. Contact IT if you would like to add a specific software package to the approved list. See Internal Audit for details on how the approved list is managed and updated.

Take security seriously
Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind.

Cybersecurity Program Overview

For our cloud products, we require our hosting partners to follow industry standard practices. Our IT Department is responsible for our internal Cybersecurity program.

Key responsibilities include:

  • Ongoing Information Security training for employees, contractors and partners
  • Monitor reliable sources for emerging cybersecurity threats
  • Follow Incident Management Procedures as necessary
  • Work with our hosting partners to proactively protect our systems from cyber threats
  • Set and implement user access controls and identity and access management systems
  • Monitor network and application performance to identify any irregular activity
  • Perform regular audits to ensure security practices are compliant
  • Deploy endpoint detection and prevention tools to thwart malicious hacks
  • Set up patch management systems to update applications automatically
  • Implement comprehensive vulnerability management systems across all assets on-premises and in the cloud
  • Work with IT operations to set up a shared disaster recovery/business continuity plan
  • Work with HR and/or team leads to educate employees on how to identify suspicious activity

Revision 1.0.1 - last updated December 4, 2019