Cyber Security Policies

by NEBRC Ethical Hacker, Jade McDonald


What are Cyber Security Policies?

Cyber Security policies help to set out clear guidelines for use within an organisation to help make decisions and to minimise risk to the company. These guidelines can help to inform senior management during their decision making and they can also help employees in their day-to-day tasks.


Why are they Important?

Cyber security policies provide a guide for employees and other end-users on how they should access internet resources, online applications and how they should transfer data over networks and in other instances by practicing good security. Policies can be used by employees while completing day-to-day tasks that ensure they comply with laws and regulations while allowing the company to achieve its goals.


Policies have many great benefits for an organisation. For example, reducing the occurrence of cyber-attacks by having the right measures in place within an organisation, and giving clear guidelines on what to do in the event of a cyber incident. The bottom line is they can help protect the company data, which often includes personally identifiable information of customers.


If you have none, how might you start creating them?

In the perfect world, a companies cyber security policy should be documented, reviewed, and regularly maintained. The first place to start is to consider Cyber Security regulations that have been set out by the government, these regulations can provide the backbone of a cyber security policy. When looking at these regulations it is important to ensure you are operating within the law, for example for a company dealing with sensitive personal data, the data must be encrypted to suit GDPR.


The policy should outline what systems should be in place to protect important data from attacks. Said systems inform company staff on how they must protect the data and who will be responsible for protecting it.


Recommended contents of a cyber security policy:

  • Implemented Security Programs

  • How updates and patches will be installed to reduce attack surface and to cover vulnerabilities

  • How Data will be backed up

  • Policy Issuer

  • Who will maintain the Policy?

  • Who will train users on security awareness?

  • Who is responsible for responding and resolving security incidents and how this will be resolved?

  • Which users have admin rights and which users have what controls.

Lastly, having a successful Cyber Security Policy in place will rely on documenting and distributing the policy to the employees, training users, and holding users who fail to follow the guideline accountable.


A careless approach to Cyber Security Policies can cost an organisation a lot of money, which could be in fines, legal fees, settlements, loss of public interest (damaged reputation) and brand degradation. Conversely, having the right polices can actually help grow your business and provide assurance to external bodies that you are doing the right thing with people’s data.


The NEBRC offers a Security Policy Review Service, this service reviews companies’ current security policies in place, assesses them and provides recommendations. For more information on this service the link to the NEBRC website is: https://www.nebrcentre.co.uk/copy-of-security-awareness-training