
Cyber Security – Part Three

Welcome to part three of our short blog series on cyber security. If you have missed the earlier blogs please check out part one and part two. In the first two blogs we discussed various small steps you can take to protect your business from a security breach. In this blog we will talk about how to bring these steps together into a cyber security policy.

Why have a cyber security policy?

As reported in our last blog, a recent survey by the Department for Business, Innovation and Skills (BIS) found that 72% of companies where the security policy was poorly understood had staff-related breaches, and that 28% of the worst breaches were caused by senior management giving insufficient priority to security. These statistics show the importance of having a strong cyber security policy.

The function of a cyber security policy is to inform all staff what to do (and what not to do), and it needs to detail what will happen if staff do not follow it. It needs to cover the objectives of the policy, explain why it is important and detail your key security controls. It also needs to state who has issued the policy, who is responsible for maintaining it and who is responsible for enforcing cyber security.

Creating your policy: A step by step guide

A cyber security policy should be tailored to the needs and requirements of your business. It should be issued by senior management, who are ultimately responsible for updating and enforcing it. Internal or external experts can provide support to senior management. Clear communication from those running the business about the importance of effective cyber security systems will ensure the subject is taken seriously by staff, and that they understand the need for the systems and the consequences of not following the policy. The list below details points to consider and include in your policy. However, this is a general list to be used as a starting point, so some items may not apply to you, or you may wish to add further points to tailor it to your business.

  • Identify potential vulnerabilities
  • Consider whether you need to employ third party experts or whether cyber security will be handled wholly in-house
  • Check compliance regulations applicable to your industry to ensure your policy meets these
  • Detail your security programs and systems
  • Advise staff how to detect potential risks
  • Use passwords and set them to change regularly
  • Secure the transfer of data when moving it from device to device
  • Include rules for working outside of the office or on mobile devices
  • Include instructions on what to do if there is a security breach
  • Detail the disciplinary procedure that will be implemented if the policy is not followed by staff

Once the policy has been prepared, circulate it to all staff and allow space for any questions or issues to be raised. You may also need to organise staff training at this stage.

It is important to remember that once you have created a cyber security policy and circulated it to staff this is not the end. Your policy needs to be a working document and reviewed regularly to ensure it still meets your business needs. Cyber security risks are constantly changing so your policy and strategies also need to evolve to protect you and your business from security breaches.


Technology is an important part of modern life and has brought great advances in the way businesses are run and in the reach we have to our customers. However, this has not come without downsides, such as online scams, viruses and malware spread via the internet. Our series has detailed some of the small ways in which you can protect your business online, and has hopefully highlighted the importance of simple steps. We hope you have enjoyed our series on cyber security and that you have found it informative and useful to your business.

Further Reading

Police Action Fraud website

Government 10 step summary on cyber risk management

ICAEW 10 steps to cyber security for smaller firms

Cyber Security Part One blog

Cyber Security Part Two blog

Andrew Picker