Businesses are often criticized for not having strict information security policies, and the criticism is not unfounded. Important information security practices are still overlooked despite all the major hacks discovered in recent years. It is unfortunate that preventive measures are often adopted only after a crippling incident.

It is not only hacks that threaten businesses throughout the world. Self-propagating malware is perhaps an even greater threat. The release of the EternalBlue and DoublePulsar exploits from the NSA hacking toolset led to the worldwide WannaCry malware attack that took down several businesses. With an online presence becoming a necessity for even small businesses, malware creators have even greater incentives to launch attacks. As a result, businesses need to tighten their security policies before it is too late. With that in mind, let's examine some important policies that businesses need to take into consideration.

Access control policy

Access control management is one of the most important policies that every business should implement. Knowing who should have access to what falls under this policy. This becomes even more important because the 'human element' is often where breaches originate. Social engineering is one of the biggest menaces businesses face today. Role-based access control is often employed in enterprises so that each role has access only to the functionality relevant to its job.

Another important policy is single sign-on (SSO), which enables an employee to access all of their accounts (even third-party accounts) using only one username and password or key pair. This means the system administrator does not have to expose direct credentials to systems, and it makes it possible to rotate passwords and keys periodically without depending on employees to do it themselves.
Third-party authentication via SSO ensures that the credentials stay within the premises of the business. SSO is usually implemented using LDAP, but other authentication schemes like OAuth and OpenID Connect are also gaining ground.

Two-factor authentication policy

Unauthorized account access can be almost entirely mitigated if all accounts are secured with two-factor authentication. It is important to note that SMS (text messaging) has been shown to be insecure in many cases. TOTP and HOTP are better alternatives for OTP-based two-factor authentication systems. Several applications that implement these schemes are available on the market. Another way to enable two-factor authentication is with hardware security keys like the YubiKey, which can be programmed for various authentication schemes. Even internal email-based two-factor authentication is much better than having none at all.

Periodic backups policy

WannaCry encrypted all the data on infected machines and deleted the key. Some security researchers managed to reconstruct the deleted key from memory, but this only works on older versions of Windows, and even then not reliably. For those who kept periodic backups of their data, the infection was merely an inconvenience. For everyone else, it meant saying goodbye to that data forever. This is why automated, redundant, periodic backups of all important documents and databases are a must. It is fairly easy to back up to cheap cloud storage like Amazon S3.

Periodic security audit policy

For large businesses, it is advisable to have an in-house team dedicated solely to security audits of all systems. For smaller businesses, external auditors are available for hire.

On-premises installation policy

Various external systems provide licenses for on-premises installation of their products.
Enterprises are often particularly interested in this kind of arrangement because they don't want their data to leave their territory. On-premises installations are not suitable for all businesses, especially those that operate on a small scale, because of the maintenance overhead involved. They should only be considered when the system holds critical information.

Automated updates policy

Microsoft released a security patch a few days before WannaCry started spreading. Those who applied that patch were not affected by the malware. Automated updates are an important step in that regard. This does not mean that the sysadmin needs to install every available update, just that they can roll out any update to all systems at once without having to configure anything manually. Tools like Puppet and Chef have provisions for rolling out such automated updates.

Incident reports policy

Incident reports come to the rescue in disaster management. Each business should have detailed policies about writing incident reports so that employees know how to handle a particular situation if it ever arises again. Over time, a valuable repository of information builds up.

Bug bounty program policy

Bug bounty programs are a win-win for everyone. They allow a business to use the expertise of outsiders to point out flaws in its applications, and they give security researchers an incentive to hunt for bugs. Several companies run bug bounty programs that include monetary prizes. Each business should have a bug bounty program policy and a responsible disclosure guideline for security researchers. This has been made even easier by platforms like HackerOne that bring both sides together.

Neglecting information security today is akin to leaving your data out in the open. If you are not actively protecting it, someone will somehow get access to it. It is safe to assume that businesses are under attack from malicious actors at all times today.
It is up to them how they mitigate these attacks.