CYBERSECURITY BEST PRACTICES FOR SMALL AND MEDIUM PENNSYLVANIA UTILITIES

1. ASK QUESTIONS

Cybersecurity is the responsibility of every employee; however, there are basic questions to which executives and employees should know the answers. For example:

• Who in my organization is responsible for cybersecurity?
• What are the rules that govern my use of company resources (computers, smartphones, tablets)? How can I be kept aware of updates to these rules?
• If I suspect I have a cybersecurity issue (malware, spyware), who should I contact within my organization?
• Does my organization have a policy on bringing personal devices into the workplace?
• What am I allowed to connect to my company’s system, and could my device infect the system?

There are any number of questions a company may wish to add to this list. Additional ideas can be found by using the resources mentioned in or attached to these best practices.

2. FOCUS ON HUMAN CAPITAL

When thinking about cybersecurity, the instinct is to focus on computers and keyboards, networks and servers. However, one of the biggest immediate cyber risks to most utilities comes from employees and vendors. It has been reported that one in five employees will click on a “bad” link. Robust security systems can be compromised by an employee clicking a link in a phishing email or accidentally installing malicious software on a computer. Human error remains a point of vulnerability and one that companies should address.
• Train and test staff regularly and repeatedly so that they understand and fully appreciate their role in maintaining a cyber-safe work environment.
• Institute strong security rules for vendor access to systems, facilities and equipment.
• Develop strong policies concerning employee access to sensitive information, especially at separation of employment.

3. COVER SOME OF THE BASICS

There are some basic rules all companies should follow in practicing good cybersecurity.

• Every user should have their own account with particular rights and restrictions. These rights should be limited to what the employee needs to perform their job duties.
• Users should be subject to strong password requirements and should be prompted to update those passwords at regular intervals.
• Employees’ cybersecurity responsibilities should be clearly identified in job descriptions, policy statements, or other company documents (like procedures manuals).

Companies should update their employees’ and contractors’ security credentials as they move through the organization. Often, employees will still have access to systems despite moving to new