Creating a cyber security policy for your business
A cyber security policy outlines the assets you need to protect, the threats to those assets and the rules and controls for protecting them and your business. The policy should inform your employees and approved users of their responsibilities to protect the technology and information assets of your business. Some of the issues the policy should cover are:
- the type of business information that can be shared and where
- acceptable use of devices and online materials
- handling and storage of sensitive material.
Businesses that don’t have a cyber security policy in place could be leaving themselves open to attacks and legal issues.
Quick tips on what to include in your cyber security policies
You should develop, review and maintain your cyber security policy on a regular basis. The policy needs to outline which systems hold critical data that must be protected against attacks, and who is responsible for protecting it.
A cyber security policy should include guidelines on:
- Password requirements –
  - how to store passwords correctly
  - how often you need to update them
  - the importance of having unique passwords for different logins.
- Email standards –
  - when it’s appropriate to share your work email address
  - only opening email attachments from trusted contacts and businesses
  - how to block junk, spam and scam emails
  - deleting and reporting suspicious-looking emails.
- Handling of sensitive data –
  - when you can share sensitive data with others
  - storing physical files in a locked room or drawer
  - properly identifying sensitive data
  - destroying any sensitive data when it is no longer required.
- Locking computers and devices –
  - when to physically shut down computers and mobile devices when they aren’t in use
  - locking screens when they are left unattended.
- Handling of removable devices –
  - how to protect data stored on removable devices like USB sticks
  - restricting the use of removable devices to prevent malware from being installed
  - scanning all removable devices for viruses before they are allowed to connect to your business systems.
- Handling of technology –
  - where employees can use their devices, such as a business laptop, away from the workplace
  - how to store devices when they aren’t in use
  - how to report the theft or loss of a work device
  - how system updates, such as IT patches and spam filter updates, will be rolled out to employee devices.
- Social media and internet access standards –
  - what business information is appropriate to share on social media channels
  - which channels and newsletters employees may sign up to using their work email account
  - guidelines on which websites and social media channels are appropriate to access during work hours.
- Managing incidents –
  - how to respond to a cyber incident
  - what actions to take
  - the roles and responsibilities for dealing with a cyber attack.
Ensure that what you decide to put in your cyber security policy helps guide your employees around the use of:
- online transactions
- online interactions
so they understand the important role they have when it comes to your business’s security.
Find out more:
- Check out our tips on preparing a cyber security incident response management plan to help you prepare for and respond to an incident fast and effectively.
- Read our page on keeping your business safe from cyber threats to help you keep your technology and business information secure.
- Head to the Australian Cybercrime Online Reporting Network (ACORN) to find out more about cybercrime or report a cyber attack.
- Subscribe to the Stay Smart Online Alert Service to receive up-to-date information on cyber security issues and solutions.
- Report a scam to Scamwatch online.