
How to Write a Cybersecurity Policy for Your Small Business (Template Included)


"Cybersecurity policy" sounds like something that belongs in a 200-page corporate compliance document. But for a small business, it can be a single, readable page — and it can make a meaningful difference to your security posture.

Here's why you need one and what to put in it.

Why does a small business need a cybersecurity policy?

  1. It sets expectations. Staff know what's expected of them. No grey areas.
  2. It creates consistent behaviour. Instead of each employee making their own judgment calls, everyone follows the same process.
  3. It protects you legally. If a breach occurs, a written policy that staff actually follow helps demonstrate that reasonable steps were taken.
  4. It's required for some certifications and contracts. Increasingly, larger clients or government contracts require evidence of cybersecurity practices.

The key sections every small business policy should include:

1. Password requirements

  • Minimum password length (14+ characters recommended; a passphrase of several unrelated words is easier to remember than a short, complex string)
  • No password reuse across accounts (a password manager is recommended, since unique passwords are only practical when staff don't have to memorise them)
  • MFA required for all business systems, starting with email, banking and any remote access

2. Device security

  • All business devices must have automatic updates enabled
  • Screen locks required after a period of inactivity
  • No work data on unmanaged personal devices without approval

3. Email and phishing

  • Staff must not click links or open attachments in messages they were not expecting, even from known contacts, without checking first
  • Suspicious emails must be reported to [IT contact/manager]
  • Passwords and MFA codes must never be shared by email, text or phone, regardless of who appears to be asking

4. Payment and financial processes

  • All bank detail changes must be verified by phone, using a number already on file (never one taken from the request itself), before records are updated
  • Payments above [threshold] require two-person approval
  • No financial actions based solely on an emailed request from "management", however urgent it appears

5. Data handling

  • Customer data must not be shared externally without authorisation
  • Work data must be stored in approved systems only (not personal email or drives)
  • Sensitive data must not be sent unencrypted

6. Incident reporting

  • Any suspected breach, phishing click, or suspicious activity must be reported to [contact name] within [timeframe]
  • No retribution for good-faith reports

7. Acceptable use

  • Business devices are for business use
  • Public Wi-Fi usage for business applications requires a VPN

Template structure:

> [Business Name] Cybersecurity Policy
> Version: 1.0 | Last reviewed: [Date]
>
> This policy applies to all staff, contractors, and anyone accessing [Business Name] systems.
>
> [Insert the sections above, adapted to your business]
>
> I acknowledge I have read and understand this policy.
> Signature: __________ Date: __________

Review the policy annually (and whenever you adopt a new system or change how payments are handled), and have all staff sign it. That's it. Simple, practical, and defensible.

Build on your policy with team training at Phishbate →
