How to Create a Cyber Security Policy for Your Business

Whether you are a new start-up, an existing small or medium size business or a large corporation, dealing with cyber security risks is vital in the modern commercial environment.

According to the Government’s Cyber Security Breaches Survey 2019:

  • Nearly a third of businesses have identified cyber security breaches or attacks in the last 12 months.
  • This resulted in a negative outcome, such as a loss of data or assets, in 30% of cases.
  • Only 33% of companies have a cyber security policy in place.

This last statistic is astounding when you consider the threat from cyber criminals that we face at the moment. While a cyber security policy can’t fully guarantee you won’t become a victim of cybercrime, it greatly improves your chances of avoiding a breach and gives you the tools to respond if one does occur.

What is a Cyber Security Policy?

All businesses have certain assets, including data and software, that they need to protect. A cyber security policy is a formal document that can be used by a whole range of stakeholders to understand their responsibilities and what measures are in place to protect the technology and assets of the business.

Most importantly, it is not a document that is set in stone. It needs to be reviewed regularly and updated to respond to current and future cyber security threats.

Who Should Be Involved in Creating Your Cyber Security Policy?

A cyber security policy is not simply put together by your IT service provider. It involves input from a wide range of individuals. That includes management and leaders within your organisation, HR departments that may need to enforce dissemination of the policy to employees, and even a legal team who may need to input on the wording of the document.

Main Elements of a Cyber Security Policy

The core part of your cyber security policy should outline the risks that your business faces and why the measures you are taking are important. It should also outline who is accountable for implementing the policy and the processes that need to be followed in respect of a breach, including following current GDPR guidelines.

Obviously, the complexity of the cyber security policy will depend on the size of the business and the number of different departments that may be affected.

From the perspective of employees, providing guidelines on the daily use of technology within the business is also important. It should include guidance on:

  • Password control: including how to store passwords, how to create robust passwords and how often these must be updated.
  • Email protocol: including how to spot potential phishing emails, not opening links or attachments from dubious sources, deleting suspicious communications and methods for blocking spam, scam or junk emails.
  • Dealing with sensitive data: including how data such as customer details are stored, how they are used and who has access to them, as well as measures for deleting data that is no longer needed or legally required.
  • Using removable devices: including the safe use of USB/flash sticks and preventing malware attacks by scanning before opening removable devices.
  • Using technology and hardware: including using BYOD and accessing hardware such as laptops outside of the business environment.
  • Social media and accessing the internet: including protocols for what is appropriate information about the business to share on social media and guidelines on which sites are allowed to be accessed during work hours.
  • Managing cyber security breaches: including who takes the lead and has responsibility, who needs to be informed, and what action must be taken.

The last point is an important one for all businesses nowadays, especially in light of the introduction of the General Data Protection Regulation in 2018. Businesses that don’t have the appropriate measures in place and fail to follow the current guidelines not only face damaging their own reputation they can be liable for huge fines or prosecution.

Auditing Your Cyber Security Policy

As we said at the beginning, your cyber security policy should be a live document that is regularly updated. There should be regular times where the policy is reviewed and assessed in line with current business goals and cyber security threats. This should include:

  • How the current cyber security policy is working in the real world.
  • The exposure of your business to both internal and external threats.

Using Your Cyber Security Policy Properly

It happens in a number of businesses that the cyber security policy is developed and covers all the bases required. Unfortunately, it is not disseminated properly to those who need to know. If you have a policy that is stuck on the equivalent of a shelf gathering dust, it’s not going to be much use.

Included in the policy and implemented by your business in the real world is how this information is going to be conveyed to relevant stakeholders, including employees. That can involve, for example, training new and existing staff to spot phishing emails, regularly updating the current security threats facing the business and ensuring that robust passwords are used for accessing data and software.

How Cyan Solutions Can Help

There’s no doubt that cyber security is a serious concern for businesses across the UK, whatever their size. It’s also a huge challenge to get all the pieces in place that deliver the protection individual businesses are looking for.

Creating a cyber security policy is a vital process in setting up the infrastructure to keep your business safe online. You cannot entirely trust, for example, that all your employees will follow the right protocols all the time. But you at least need to have a formal document that outlines and reinforces what their responsibilities are.

At Cyan Solutions, we’ve got a great track record of helping small and medium-size businesses put the right cyber security measures in place. We can work with you to develop a strong cyber security policy document that will act as a protective umbrella for your business. We can also help audit and review any policy that you may already have in place to ensure that it is fit for purpose. Contact our expert team today to find out more.

Recommended Posts