1. Home
  2. /
  3. Cyber insurance
  4. /
  5. Small Business Cyber &...

Small Business Cyber & Information Security Policy Template

Oct 22, 2020

At Anthony Jones we strongly believe that anyone who runs a business with any reliance on systems and data must protect their online presence.

Sadly, cybercrime is a growing issue and one that can affect a business of any size. Your business must be aware of and acknowledge the potential risks it poses to your business. Don’t make the mistake of thinking cyber criminals only target large businesses.

It is important to put in place measures to protect your IT infrastructure as well as to educate your staff given the role human error can play in cyber breaches. As a business, consider implementing a cyber and information security policy which provides clear information on how to mitigate cyber security risks.

What is a cyber and information security policy?

The ultimate aim of a cyber and information security policy is to provide clarity about what is expected of employees when it comes to data security and use of company systems and applications. It should help them understand how they can maintain the security of both data and applications.

A cyber security policy provides clear guidelines around a range of behaviours such as:

  • How to transfer company data
  • The use of company issued devices
  • The use of personal devices

What should a small business cyber & information security policy template include?

The exact contents of a small business cyber and information security policy will vary according to the risks identified through your risk assessment.

Some of the common areas to include in a cyber and information security policy are covered below along with examples of the types of policy detail you may want to think about.

Device Security 

Company Devices

It is vital that employees maintain the security of company issued devices, To achieve this consider areas such as:

  • All company devices to be protected with an adequate password (see password management below)
  • Company devices to be updated with the latest software releases and patches
  • Devices to be locked when not in use or unattended
  • Devices to be appropriately secured before employees leave desks and overnight
  • Gain approval for removing devices from company premises
  • Adhere to company policy regarding the installation of third-party applications and personal use
  • Employees to take responsibility of company devices if removed from the business premises. IT to be notified immediately if the device is lost or stolen so that they can take the appropriate action

Personal Devices

If personal devices need to be used to access work information, then it is important that users adhere to relevant guidance around own device use.


  • Personal devices must be password protected in line with password management guidance
  • Employees to carry out only permitted tasks on a personal device
  • Devices must have a full anti-virus software installed with all of the latest updates made
  • Only make use of secure and private networks to log into company systems
  • Ensure devices are secured and not left unattended at any time

Email Security  

A significant number of cyber-attacks are launched via a technique known as phishing. And one of the most common ways to send a phishing attack is via email. Ensuring email security is therefore important in avoiding becoming victim of one of these types of attack

Actions you can ask employees to take when it comes to email security include

  • Verifying the legitimacy of an email – is it from who it suggests it is from? Check the sender name, email address etc
  • Avoid opening attachments or clicking on links included in emails which appear suspicious.
  • Avoid opening emails with clickbait titles
  • Look out for any significant errors relating to grammar in emails. This can be a sign of suspicious activity
  • Report any suspicious emails to your IT department as soon as you are able to do so

Password management 

Passwords form one of the first lines of defence when it comes to security. But if passwords are compromised this can create issues across the IT infrastructure.

Password management policy should include:

  • Passwords should be a minimum of 8 characters in length
  • Do not use common passwords or one-word passwords – e.g. password, abcdefgh, Iloveyou
  • Do not reuse your company password for non-work-related purposes
  • Make use of multi factor authentication where it is made possible.
  • Do not share passwords with another employee. You must have an individual account for any company applications or systems that you make use of. If this is not possible, then consult a security specialist regarding the best way to manage shared access
  • Do not write passwords down. If the business has implemented a password management tool, then employees should make use of this

Secure Data Transfer 

Your cyber and information security policy should detail the steps required of employees when it comes to data transfer. Not only will this help from a cyber security perspective but also help fulfil your data protection duties under GDPR.

There are risks associated when transferring confidential data internally or externally. To minimise these risks, consider areas such as:

  • Only transfer confidential data to other employees or third parties when absolutely necessary
  • Only transfer confidential information over company networks
  • Verify information relating to the recipient and ensure that they have sufficient security measures in place on their side before sending the data
  • Gain sign off from a member of senior management for the data transfer
  • Discuss any data transfers with a security specialist from the business before going ahead to ensure that it is done in a way that complies with company policy. E.g. the correct form of encryption is used for the data transfer, and the correct transfer method is used
  • Ensure that data transfers take place in accordance with GDPR and any confidentiality agreements which may be in place

Cyber security is only going to get more important as cyber criminals thinks of new ways to target businesses and look to exploit situations such as the Coronavirus pandemic. One crucial way to protect your business alongside employee policies and a robust security infrastructure is cyber insurance. Cyber insurance can provide a valuable safety net if you should suffer a breach covering areas such as hacker damage, extortion and ransom costs, cyber business interruption and many more. For more information talk to us today at Anthony Jones on 0208 290 9080 or email us at cyber@anthonyjones.com.

Get a Quote

You can call us during normal office hours, Monday to Friday, 9am to 5pm. Outside of office hours you can either email us or leave an answerphone message and we promise to get back to you the next working day.

General enquiries:
020 8290 4560

Sign up for news

* indicates required