Create a cyber protection policy for your small business using our free template

This guide will provide you with the advice and template you need to create a cybersecurity policy for your organization, helping to prevent attacks and protect your business.

Small businesses (SMBs) make up 99.7% of all US businesses, and they’re under increasing attacks from hackers and malicious software. As such it’s more important than ever to get the right protection by having a comprehensive security policy in place.

The purpose and benefits of a cyber protection policy

The purpose of creating a cyber protection policy for your small business is to outline the resources and actions necessary to ensure business continuity and to protect your data. As a result, your staff will be better informed and able to take appropriate action to prevent attacks. Not only this, but your customers or clients will be reassured by working with a company that takes data protection and online security threats seriously.

Prominent threats to small business range from phishing, ransomware, and social engineering attacks to leaks from connected IOT (Internet of Things) devices. In 2017, software and hardware attacks accounted for almost 70% of data breaches worldwide:

  • 62% involved hacking
  • more than 50% involved malware

Avast was responsible for blocking over 122 million WannaCry ransomware attacks in 2017. Along with the Petya and Bad Rabbit ransomware attacks, the joint cost to consumers and businesses amounted to more than $5 billion.

Ponemon Institute’s 2017 Study recorded the average loss due to data breaches as $3.6 million globally, and $7.35 million in the US alone. However, attacks not only threaten income, but also cause disruption by having a massive impact on productivity - many working hours are lost trying to resolve issues. And this is all before considering the damage to a business’s reputation.

The good news is that adequate network protection from such costly cyberattacks doesn’t have to be expensive. What’s more, as most cyberattacks tend to exploit basic vulnerabilities in systems, they are easy to prevent with antivirus software, patch updating and staff awareness training.

A cyber protection policy means your staff will be better informed and able to take appropriate action to prevent attacks

Endpoint security

The computers used in your business are also known as ‘endpoints’, and each of them pose a threat to the security of your whole network if they’re not properly protected - they are an open door to hackers and malicious code. As such, endpoint security is one of the best places to start when looking to protect your network, especially with the rise of flexible working meaning that more employees can access systems remotely from home or open Wi-Fi networks. It’s essential that all your endpoints are secure because your network is only as strong as your weakest link.

Endpoint security offers a safety net to stops attacks at their point of entry. If they do manage to get a foot in the doorway, the antivirus software will ensure other machines in the network are not also infected.

IT teams value the advanced threat detection these security solutions provide while the centralized system simultaneously reduces the complexity of protecting the business.


  • The business should have up-to-date endpoint protection that includes:
    • Malware detection - automatic file and email scanning to ensure that potential threats never enter the business network.
    • Multi-layered protection – not relying on a single method of protection but many e.g. firewalls, encryption, workstation authentication, spam filters etc.
    • Real-time notifications – it is essential that any threats are flagged as soon as they are detected so that you can take action.
    • Remote device management - the ability to securely add a device to the network without running around the office logging on to the new computer.
    • Simple reporting – straightforward analysis that doesn’t take an IT expert to decipher.


The rise in mobile threats comes on the heels of an increasingly mobile workforce. As such, the need for a comprehensive security policy is paramount.

Some businesses issue mobile devices, while others allow employees to bring their own devices (BYOD). While the latter is cheaper for businesses, it means SMBs have less control over the device: what software and apps are downloaded, what information is shared, and what potentially unsecure Wi-Fi is used.

All of these can put your business at risk. For example, if an employee is emailing sensitive data from their phone, and they use unsecured Wi-Fi, that data could be seen and/or stolen if there are cybercriminals looking to intercept unsecure communications. If they download an unsecure app or click a malicious link, you may be giving these cybercriminals access to everything the employee has access to, including the possibility of corporate data being transmitted and even stored on an individual's personal device.

The potential issues range from data loss via a leak or loss of the device itself, to the damage that compromised devices cause when introduced to a centralized system. When staff members bring in their own mobile devices, they in turn are introducing attack points which can lead to security concerns.

This doesn’t mean that you suddenly need to fork out for expensive company-supplied devices for all your employees. But there are some basic BYOD guidelines you and your staff should follow.


  • All devices must have access authentication:
    • Passwords should be complex - uncrackable! The best way to ensure your staff adhere to this is to provide or recommend a password manager that generates strong passwords and stores them. This is preferable to staff writing passwords on post-it notes, which can be easily lost or stolen.
    • Where possible, staff should use two-factor authentication to access their devices. (For example, using login details on a desktop then confirming who you are via an app on your phone.)
  • Only devices used for work purposes should be connected to the network. You may consider setting up a separate ‘guest’ network to ensure any devices being used for personal reasons don’t threaten the business network. If this isn’t possible, ask staff using the network to switch to data before using their device for personal reasons.

Staff training

A vital preventative measure to protect your business from data breaches and cyberattacks is to ensure your team completes cybersecurity training. By understanding the types of attacks - such as phishing, malware and ransomware - they will be better equipped to spot any suspicious activity and report it immediately.

Training your employees to spot a malicious email, link or attachment, for instance, is crucial to avoid data breaches caused by human error or individuals falling into cybercriminals’ traps and putting the company at risk. Encouraging employees to keep their apps and programs up to date will further strengthen your defences as new patches continually improve software security and tackle weaknesses. Alternatively, consider investing in trusted patch management software that reduces the need to manually check for updates.


  • Cybersecurity awareness should be part of the induction process for new staff. Ideally, this should cover:
    • What is most at risk. This is usually money or access to funds, anything that includes personal identifiers (customer or staff database,) payment information, intellectual property and anything that could compromise the brand’s reputation.
    • Who can access what. If an employee needs to access a certain database or sensitive information, they should request this from a senior staff member. If they no longer require access, they should ensure their access is revoked. The fewer staff accessing at-risk information, the more secure the information will be.
    • What to look out for. Slow devices, difficulties logging in, internet connectivity issues and website redirects can all be signs of a potential cyberattack or data breach. Employees should also be vigilant when opening emails – deleting any from suspicious-looking accounts, and only clicking links or opening attachments from people they know.  And reporting these items to their IT person.

Cloud security

Many small businesses work in the cloud – storing their data through internet services rather than on a device or server in the office. Google Drive, for example, can be a much more attractive prospect to a cash-strapped SMB than paying for an expensive management system.  However, being able to access your business files anywhere and at any time comes with its risks.

Cloud security adds an extra layer of protection as traffic is filtered before it reaches the central server. Routing traffic through the cloud allows it to be monitored, checking for threats outside your system which allows your antivirus software to decide whether traffic is trustworthy or not, before it has access to your systems and network. This means malicious traffic can be blocked so it doesn’t reach your server(s), and it’s run from a centrally managed console.

Although cloud security can detect and resolve issues, there are processes that should be in place to ensure it protects your business. Issues arise over accessibility when network access is granted too freely. A prime example of this is when staff members leave the company, yet maintain access to business systems. Taking precautions such as regularly updating strong passwords and limiting the number of people who have access to sensitive data can dramatically increase security.


  • Keep a record of what access is granted to which staff. When a staff member leaves, review this database, revoking access where necessary, even if you are deactivating their staff email account. For extra security, make it standard practice to update all passwords after any staff member leaves.

Data compliance

Depending where your business operates and in what sector, there will be government-supported compliance schemes that you must follow. For example, in the US, health care and medical insurance companies must adhere to HIPAA, the Health Insurance Portability and Accountability Act. In Europe, information must now be stored and accessed according to the General Data Protection Regulation (GDPR.)

The assumption is that data compliance is about protecting personal information – reassuring your customers that their data is kept securely and not shared without consent. More than this though, data compliance is an opportunity for you to protect your business from cyberattacks as secure data is harder for cybercriminals to access.


  • List any relevant data compliance regulations your business must follow and ensure staff has access to the relevant documents.
  • There can be a lot of legislation to decipher, so consider naming a person within the organization to be a lead for data compliance. This person should have additional training and be known to all staff as the go-to employee for data protection questions.
  • Conduct internal audits. This doesn’t need to be an arduous or intimidating task. It is simply a way to keep everyone in your small business thinking about data security.


With over 4,000 cyberattacks a day, it’s never been more important to keep your data, customers and employees safe with a security system that effectively protects your business. But as this article has shown, endpoint protection is not enough on its own – staff training and data management best practice must be part of the mix. By using our guide as the foundation for your policy, you can get off to a good start on ensuring the reputation and financial success of your small business.

Download your free cybersecurity policy template by clicking here.

--> -->