Cyber Security Policies for Small Businesses

All businesses need cyber security policies. But if you’re running a small business, it’s particularly important that you take steps to protect yourself against the risks of cybercrime.

Why? Because studies show that cybercriminals are more likely to target small businesses than larger ones. Indeed, one study found that up to 96% of all cyber attacks are focused on SMEs.

In this post, we’ll outline the key things to include in a cyber security policy for small businesses.

But remember – while a cyber security policy can make a huge difference in keeping you safe online, cybercriminals are getting smarter all the time. So as well as an intelligent cyber security policy, you should also consider dedicated cyber insurance for your business. It could prove to be your last line of defence, as well as your most powerful weapon, against the threat of cybercrime. 


What To Include in Your Small Business Cyber Security Policy

Policy Purpose

To begin with, outline why your cyber security policy exists: to safeguard your business’s data and technology.

Also outline the risks your business might be facing. You could cite the studies mentioned above, for example, to show that no business is safe from cybercriminals.

Policy Scope

Define who your cyber security policy applies to. This could include all managers, employees, contractors, volunteers, trustees, and more. In short, anyone who gets either permanent or temporary access to your data, your systems, and your technology.

Also take this opportunity to outline some key individuals in your organisation, and their key responsibilities. For example, specify a point of contact employees should approach if they have any questions about cyber security.

Understanding the Risks of Cyber Attacks

Explain that cybercriminals target confidential data, and that everyone has a responsibility to keep this data safe.

Provide some examples of what constitutes confidential data in your business. This could include customer details, financial information, supplier and partner information, and so on.

What follows should be a series of instructions all employees can take to help avoid security breaches.

Protecting Personal Devices and Company Devices

Explain that every time an employee uses any device to access business emails or accounts, they’re creating a potential security risk.

Then list some steps employees can take to keep the devices they use secure:

  • Use password protection, and two-step authentication where possible. Never use the same password across numerous devices, apps, and platforms.
  • Use good antivirus software, and keep it updated.
  • Always install browser and system security updates as soon as they become available.
  • Where possible, access company accounts via a virtual private network (VPN).
  • Never leave any devices unattended. Turn off your screen and lock your device whenever you’re away from your desk.
  • Avoid accessing sensitive data from other people’s devices, and never let anyone who doesn’t have appropriate clearance use your device for any reason.

Safe Browsing and Scam Awareness

Most business cyber attacks start life as phishing attacks. Cybercriminals send an email that looks authentic. It claims to be from a trusted institution (such as a bank or a shopping site), or from a senior member of staff.

This fake email will encourage recipients to take some kind of action – to either log in to a phony site, or to go through a false “password reset” process. Doing this provides hackers with login details, which leaves businesses extremely vulnerable to future cyber attacks.

So provide some advice on safe browsing and email etiquette:

  • Remember that on the internet, if something seems too good to be true, then it almost certainly is. So you should be instantly suspicious of any messages telling you you’ve won a prize.
  • Check and double check the names of anyone who’s sent you an email. For example, an email might claim to be from your bank, but the email address might suggest otherwise.
  • Look for telltale signs of inauthenticity, such as spelling and grammar mistakes.
  • Bear in mind that banks will NEVER request sensitive information via email.
  • Hover your mouse over links in emails before you click them. This should display the real destination URL in the status bar at the bottom of your browser or email client. Does it look legitimate, and does it match the address the link text shows?
  • If you have any doubts, don’t click any links in suspicious messages.
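As an added illustration of two of the checks above (does the sender’s address match the organisation it claims to be from, and does a link really go where its text says), here is a small Python script that applies them to a constructed sample message. This is example code written for this post, not a tool from the original article; the bank name, the domains, the address 198.51.100.7 and the message itself are all invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample for this example (not a real phishing email): the display
# name claims a bank, but the address domain and link targets point elsewhere.
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@examp1e-bank-login.net>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please <a href="http://examp1e-bank-login.net/reset">reset your password</a>
or visit <a href="http://198.51.100.7/login">https://www.examplebank.com</a>.</p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def sender_mismatch(from_header, trusted_domain):
    """Return the real sender domain if the display name claims the trusted
    brand but the address is not on that domain; otherwise return None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    brand = trusted_domain.split(".")[0]                 # e.g. "examplebank"
    claims_brand = brand in name.lower().replace(" ", "")
    on_domain = domain == trusted_domain or domain.endswith("." + trusted_domain)
    return domain if claims_brand and not on_domain else None

def deceptive_links(html):
    """Links whose visible text is itself a URL naming a different host than
    the href (the mismatch that hovering over the link would reveal)."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                findings.append((shown, href))
    return findings

def review_email(raw, trusted_domain):
    """Apply both checks to a raw message and return a list of warnings."""
    msg = message_from_string(raw)
    warnings = []
    bad_domain = sender_mismatch(msg["From"], trusted_domain)
    if bad_domain:
        warnings.append(f"sender is {bad_domain!r}, not {trusted_domain!r}")
    for shown, href in deceptive_links(msg.get_payload()):
        warnings.append(f"link shows {shown!r} but goes to {href!r}")
    return warnings
```

Running `review_email(SAMPLE_EMAIL, "examplebank.com")` returns two warnings, one for the sender domain and one for the link. These are simple heuristics for training and spot checks; they do not replace a proper mail filtering service.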

Take this opportunity to remind employees of their key point of contact who they should approach if they’re unsure about any messages they receive.

Cyber Security Crisis Response

Your cyber security policy should outline the steps employees should take in the event of a cyber security incident.

Cyber security incidents might include:

  • Loss or theft of a device.
  • Accidentally clicking a link in a phishing email.
  • Inadvertently sharing sensitive information with a fake phishing site.
  • Giving device, data, or system access to an individual without appropriate clearance.

Tell employees who they should report to in the event of a possible breach, and also advise on actions they can take in the short term. This might include disconnecting devices from the internet, changing passwords, and running malware scans.

Cyber Security for Remote Workers

If you have a team of remote workers, highlight that all of the guidance applies to them too. Also share whatever extra steps you need them to take to securely access sensitive business data online. This might include using a VPN, or using dedicated business devices as opposed to their own devices.

Get Dedicated Cyber Insurance

Cyber insurance is your ultimate line of defence against cyber-attacks. A cyber security policy can act as a great preventative measure. But with cyber insurance, you’ll be able to rest assured that, no matter what happens to you or your business online, you’ll be covered for any losses, leaving you free to focus on your recovery.

Read our full guide to what cyber insurance is, and what it covers.

If you have any questions or would like to discuss your options, please contact our Tapoly team at, call our helpline on +44(0)207 846 0108 or try our chat on our website.