When we get into cybersecurity, one of the first things any organisation or company should do is write a cybersecurity policy, one that is owned by all. Easy words to put down on paper, but what do they mean?

So, what is a cybersecurity policy? Well, it is defined in the Gartner IT Glossary as, “an organization’s statement of intent, principles and approaches to ensure effective management of cybersecurity risks in pursuit of its strategic objectives.”

CyberSmart, who deliver training for the UK’s Cyber Essentials programme, add to the definition by saying, “These principles can inform the decisions senior management make or guide employees in their day-to-day activities. Any policy worth its salt should outline what employees should or shouldn’t do, offer directions on best practices, and guidance for decision makers.”

The key thing about any cybersecurity policy is not the rules the policy sets out but the framework it provides for the culture within the organisation. The World Economic Forum’s Global Risks Report 2022 indicates that 95% of the cybersecurity threats people have faced have in some way been caused by human error. That is a factor that many people need to think carefully about. It is how that error is dealt with that affects the impact of those breaches. A culture of fear is likely to mean fewer mistakes are reported, whereas a no-blame culture is more likely to protect a business or organisation. A policy is therefore a critical document that either becomes a business enabler or, potentially, a disabler.

With a business focus, the Federation of Small Businesses says a cybersecurity policy should cover many areas, including:

  • The measures you’ve put in place to minimise threats.
  • What data will be backed up and how you will manage this.
  • Best practice processes, such