Regardless of size, every business that uses IT or online services should have a cyber security policy. It does not have to be a formal policy document; choose the means and degree of formality that fit your circumstances, as long as everyone who works for your business understands its key points.
A guide for SMEs (small and medium-sized enterprises) produced by the Information Commissioner's Office contains a useful analysis of how businesses of different types and sizes need different security structures.
However you document and distribute your policy, think about how it will actually be used. A cyber security policy has three main functions:
- To tell people who don’t know what to do (and what not to do).
- To remind people who have forgotten or fallen into bad habits.
- To warn people what will happen if they don’t follow your policy.