← Back to Blog
Cybersecurity

Does Your Small Business Need a Cybersecurity Policy?

17 February 2026

When small business owners hear "cybersecurity policy," they picture a 50-page enterprise document written by lawyers and read by nobody. That's the enterprise version. The small business version is a 2–3 page document that everyone actually reads, understands, and follows.

A cybersecurity policy isn't bureaucracy — it's a clear set of rules for how your team handles technology, passwords, data, and security. Without one, security decisions are made inconsistently, based on whatever each person thinks is reasonable. With one, everyone's on the same page.

What to Include

1. Password Requirements

State the rules: all accounts must use unique passwords generated by the company password manager. No reuse, no shared passwords, no writing passwords down. Minimum 16 characters for generated passwords. MFA required on every account that supports it.

2. Device Usage

Company data should only be accessed on managed devices. If personal devices are allowed, specify the conditions: must have encryption enabled, must have a screen lock, must be running a supported operating system. Lost or stolen devices must be reported immediately so they can be remotely wiped.

3. Email and Communication

Don't click links in unexpected emails. Verify unusual requests (especially financial ones) through a separate channel — if someone emails asking for a payment, call them to confirm. Report suspicious emails to IT rather than deleting them. Don't forward work emails to personal accounts.

4. Data Handling

Client data stays in approved systems (SharePoint, OneDrive, your CRM) — not on local desktops, personal drives, or USB sticks. Sensitive data (financial records, personal data, contracts) should be in access-controlled folders that only authorised people can reach. When data is no longer needed, it should be properly deleted, not just moved to a "Misc" folder.

5. Software and Applications

Only approved software should be installed on company devices. No downloading random tools from the internet. If someone needs a new application, they request it through IT so it can be vetted and deployed properly. Automatic updates must be enabled and not deferred.

6. Incident Response

If someone thinks they've clicked a phishing link, entered their password on a suspicious site, or noticed unusual activity on their account, they should know exactly what to do: who to contact, what to report, and what not to do (don't try to fix it yourself, don't delete evidence, don't ignore it).

7. Leavers and Access Revocation

When someone leaves the company, their access must be revoked on the same day. Accounts disabled, devices collected and wiped, shared passwords rotated. No exceptions, no "we'll get to it next week."

How to Write It

Keep it short. Use plain language. No technical jargon, no legal phrasing. Write it as if you're explaining the rules to a new starter on their first day — because that's exactly how it should be used.

If someone can't read and understand the entire policy in 10 minutes, it's too long.

Structure it as a series of clear statements: "All accounts must use MFA." "Lost devices must be reported within 1 hour." "Software must be approved by IT before installation."

Getting People to Follow It

The best cybersecurity policy in the world is useless if nobody reads it. Here's how to make it stick:

  • Include it in onboarding. Every new starter reads and acknowledges the policy on day one.
  • Keep it accessible. Pin it in a Teams channel or a shared drive — somewhere people can find it in 10 seconds.
  • Review it annually. Update it when your tools or processes change.
  • Lead by example. If the directors don't follow the policy, nobody else will either.

Key takeaway

A cybersecurity policy doesn't need to be complicated. It needs to be clear, practical, and followed. Two pages that everyone reads beats fifty pages that nobody does.

If you'd like help drafting or implementing one, our cybersecurity team can assist.

Want to talk about this?

Book a free 15-minute call and we'll discuss how this applies to your business.

Book a Free Call

Get IT tips in your inbox

Practical advice for small businesses. No spam.