Creating a cyber security policy

Investing time into the development of a detailed cyber security policy is essential in protecting confidential data, no matter how big your business is.

In fact, 43% of attacks target small businesses specifically, proving that no company is safe from these threats. An effective policy will help protect information, keep employees aware of risks and help minimise the damage done to your business by attacks should they occur. We cover every aspect of a cyber security policy to ensure yours is as effective as possible.

What is a cyber security policy?

A cyber security policy outlines guidelines that employees must follow in order to protect their company’s digital infrastructure, information and client data. Those expected to follow the guidelines should also include contractors, suppliers and other external stakeholders, regardless of how often they are involved. The policy should also set out what the company itself is doing to protect its infrastructure against the threat posed by hackers as well as other types of system malfunction. Your cyber security policy should outline the assets that require protection, how employees must protect them and the potential threats they face.

What should a policy contain?

While specific elements will vary for different companies, some of the basics should be included in all cyber security policies.

Guidelines for employees

Every cyber security policy should include an easy-to-read guide for employees, including: 

  • Advice on secure password generation and how to use password management systems, if applicable
  • Guidelines for secure use of emails, such as when to avoid opening attachments and when it’s appropriate to share your email address
  • How to detect and report phishing emails and scams
  • What social media usage is appropriate and how this will be regulated by the company
  • How to minimise security incidents and risks
  • Information for remote workers, such as network access

By including all of this information and regularly running through it with the team, your staff should be fully aware of how to protect their workplace from cyber-attacks. About 90% of attacks occur because of human error, so training your employees to be aware of these threats and what to look out for is vital.

Compliance with wider regulations

As well as specific rules and requirements for your employees, it’s important to follow GDPR regulations. While it’s wise to train your team to fully understand GDPR, some of the key components to include in the policy itself are: 

  • Obtaining consent to transfer and keep data
  • Providing notifications in the case of a breach, which must be done within 72 hours
  • Offering users the right to both access and delete their data
  • Providing a full explanation of users’ rights
  • Protecting children’s data

Systems and infrastructure

Note any programs you use to safeguard data, such as firewalls, antivirus software and data backups. Provide details on how they work as well as what they do to protect information and tips on how employees should use these programs, if applicable.

You should also include how your company trains IT workers in keeping digital systems safe from threats and vulnerabilities. Fully outline their role both in preventing a cyber-attack and in responding if one does occur, ensuring they’re fully aware of their responsibilities. 

Cyber-attack response

Though it’s important to work towards preventing a cyber-attack, it’s equally important to know what to do should one occur. Ensure you detail the following: 

  • Who is responsible for investigating the threat and securing the system
  • How to prepare a timely response when informing clients of a data breach
  • What to include in a full report about the incident, detailing what happened, what data was compromised and how it could be prevented in the future
  • Checking your cyber insurance coverage and contacting your provider
  • Informing and retraining employees in cyber security to keep their knowledge up to date

Drafting a detailed policy regarding your response to a cyber-attack ensures you fulfil your obligations to clients and act in a responsible, lawful manner.

What happens if the policy is violated?

It’s important that employees are aware of how serious an intentional policy violation, and the potential mishandling of sensitive data, is. List the disciplinary actions that may be taken against them should they be found to have purposefully broken the cyber security policy.

No matter how detailed your security policy, human error can always occur. If errors do occur, it’s worth taking another look over your policy to see if you can prevent the same thing from happening again, and you should also take the opportunity to run through it with your team.

Updating and enforcing the policy

Keeping your policy up to date is vital in protecting your business against new threats. Get a member of the IT team on board with updating the policy with any potential issues that the company should be aware of. This will prevent the policy from becoming outdated over time and keep it a reliable document employees can refer to.

Insuring your business against cyber attacks

Should a targeted attack occur, even a robust cyber security policy may not be enough to protect you. With an ever-growing number of threats, investing in cyber insurance can add further safeguards and show clients you take these matters seriously.

What does cyber insurance cover?

While it does vary per policy, cyber insurance coverage can assist with the following:

  • Meeting ransom demands
  • Informing clients of data breaches
  • Paying legal costs and damages resulting from the attack, including client compensation
  • Compensating for loss of net profit
  • Restoring data and equipment
  • Assistance via a cyber response helpline

Who needs cyber insurance?

Any business that relies on computers, has a website or digitally stores sensitive data will benefit from cyber insurance coverage for all of the reasons above. It’ll give you peace of mind and support should something go wrong.

Having a cyber security policy is essential in protecting both your business and client data from threats. By being aware of what to look out for and how to report potential threats, your employees will be better equipped to handle them. Cyber insurance coverage, on the other hand, not only provides you with a wider sense of security and support, but also helps prevent serious financial damage resulting from an attack.