Cyber Security Policy - Why Every Business Should Have One

A cyber security policy establishes the rules of engagement for protecting your business online.

It includes simple security controls with regard to staff use of your network and the operation of devices and systems used by your business.

Why is a Cyber Security Policy Important?

Businesses that do not have a policy in place can be leaving themselves exposed, both to external threats but also to potential legal and/or regulatory sanctions. This is particularly important for businesses that have an online e-commerce platform or collect customer data online.

It also helps to provide guidance for staff around acceptable use of devices and online material so that they understand the important role they plan in protecting your company's cyber security.

A cyber security policy can also help in giving your customers confidence in your business and can, if relevant, be good to include on your company's website for this reason.

What does it Involve and Where do I Start?

There are a number of areas that a security policy should cover, including why it is important for your business to have one in the first place.  A basic security policy may include:

• Acceptable use of email and the Internet for staff - should certain websites be blocked to staff? Should there be a restriction on the size of email attachments?

• Protecting your mobile - have you articulated that a work mobile device should not be shared? Or that nay mobile on which you can access work emails or information must be PIN or password protected?

• Handling sensitive data - who and how should sensitive data be handled and stored? You may need to consider whether there should be restrictions on access to sensitive information ("user privileges").

• Securing and handling equipment - is there a system in place to track who is using equipment in the organisation? Is there an inventory of all IT equipment and software?

• Using the Internet safely - what system is in place to ensure anti-virus, anti-spyware, operating systems, web browsers and other software are kept up to date.

• Remote access - what is the system to ensure security is maintained while accessing work documents from the road or at home?

• Are there policies regarding things such as use of USB drives, CDs, DVDs etc to ensure that malware is not introduced (and important data is not stolen).

• Workplace surveillance and monitoring policies - how can you ensure that your policies are being followed by staff, and are there clear disciplinary procedures in place to deal with consequences of a breach?

• Guidelines for customers - what's your business policy on what will and will not be sent via email in order to minimise exposure to phishing scams?

In addition it can be useful to have:

• A process for reporting security breaches - this may be confidential if you feel there is a scenario whereby it could be difficult for employees to speak out.  For example, an employee is aware that a colleague lost a device containing sensitive information but is yet to report it.

• Develop a code of conduct - this would outline appropriate employee behaviour in the workplace.

• Develop an incident management plan (refer to How to establish an incident management plan)