We use cookies to give you a better experience on our website. Learn more about how we use cookies and how you can select your preferences.
Create a cyber security policy
What is a cyber security policy?
A cyber security policy outlines:
- technology and information assets you need to protect
- threats to those assets
- rules and controls for protecting them and your business.
A cyber security policy is important for your business, particularly if you have employees. It helps your staff understand what they need to do to protect your business's devices and information.
Make sure your cyber security policy explains:
- the type of business information employees can share and where
- acceptable use of devices and online materials
- how to handle and store sensitive information
- how to detect and respond to a cyber security incident.
Consider the following steps when developing your cyber security policy.
1. Set passphrase requirements
A passphrase is a type of long password that uses several words. They are easy for people to remember but hard for criminals to crack.
Your cyber security policy should explain:
- requirements to create strong passphrases
- how to store passphrases correctly
- how often you need to update passphrases
- the importance of having unique passphrases for different logins.
-
Learn more about creating and managing strong passphrases.
Australian Cyber Security Centre
2. Outline email security measures
Include guidelines on:
- when it’s appropriate to share your work email address
- only opening email attachments from trusted contacts and businesses
- blocking junk, spam and scam emails
- how to identify, delete and report suspicious emails.
-
Know how to secure your email account and check if it has been compromised.
Australian Cyber Security Centre
3. Explain how to handle sensitive data
Your policy should outline:
- how to identify sensitive data
- when staff may share sensitive data with others
- ways they should store physical files with sensitive data, such as in a locked room or drawer
- how to destroy sensitive data when it is no longer needed.
-
Understand your obligations to protect customers' data.
Protect your customers' information
4. Set rules around handling technology
Rules around technology should include:
- where employees can use their work devices
- how to store devices when they aren’t in use
- how to report a lost or stolen work device
- how system updates are rolled out to employee devices
- when to shut down computers and mobile devices
- the need to lock screens when computers and devices are left unattended
- how to protect data stored on devices like USB sticks
- restrictions on using removable devices (to prevent malware being installed)
- the need to scan all removable devices for viruses before they can be connected to your business systems.
5. Set standards for social media and internet access
Your standards for social media and internet access may include:
- what business information may be shared on social media channels
- appropriate use of work email addresses
- guidelines around appropriate website and social media use during work hours.
6. Prepare for an incident
If a cyber security incident occurs, you need to minimise the impact and get back to business as soon as possible. You’ll need to consider:
- how to respond to a cyber incident
- what actions to take
- staff roles and responsibilities for dealing with a cyber-attack.
Prepare a cyber security incident response plan
An incident response plan helps you prepare for and respond to a cyber incident. It outlines the steps you and your staff need to follow. Consider the following stages when preparing a plan.
- Prepare your business and employees to be ready to handle cyber incidents.
- Develop policies and procedures to help employees understand how to prevent an attack and identify potential incidents.
- Identify the technology, information and financial assets that are important to your business. Consider the risks to these and the steps you need to take to reduce the effects of an incident.
- Create roles and responsibilities so everyone knows how to report an incident and what to do next.
Check and identify any unusual activities that may damage your business information and systems. Unusual activity may include:
- accounts or your network being accessible
- passwords no longer working
- data goes missing or is altered
- your hard drive runs out of space
- your computer keeps crashing
- your customers receive spam from your business account
- you start getting a lot of pop-up ads.
If you notice unusual activity, record any evidence and report it to the responsible team or person in your business. You can report cyber incidents to the Australian Cyber Security Centre.
- Find the cause of the incident as soon as possible.
- Determine the impact the incident has already had on your business.
- Determine what effects it could have on your business if not immediately contained.
- Limit further damage by isolating the affected systems. If necessary, disconnect from the network and turn off your computer to stop the threat from spreading.
- Remove the threat.
- Recover from the incident by repairing and restoring your systems.
- Identify if any systems or processes need to be improved. Make the necessary changes.
- Evaluate the incident and record the lessons you learnt.
- Update your cyber security incident response plan based on the lessons learnt.
7. Keep your policy up to date
Review and update your cyber security policy regularly to reflect any new threats or changes to your systems.
Read next
-
Find out how to keep your business safe from cyber threats.
Cyber security checklist -
Learn more about cyber security and your business.
Cyber security and your business -
Read the ACSC's cyber security resources for small businesses.
Australian Cyber Security Centre