Sequentur Blog
How to Build a Cybersecurity Policy for Your Small Business
Most small businesses do not have a cybersecurity policy. They have informal habits. The IT person knows the wifi password rules. The office manager knows who gets admin access. Someone at some point decided that USB drives were fine. None of it is written down, none of it is enforceable, and none of it survives that person leaving the company. A cybersecurity policy changes that by putting your security expectations into a document that everyone can reference, follow, and be held accountable to. It does not need to be long. It does not need to be written by a lawyer. It needs to exist.
Why You Need a Written Policy
The most common reason small businesses create a cybersecurity policy is because something forced their hand. A cyber insurance application asked for it. A client’s vendor questionnaire required it. A compliance framework like HIPAA or PCI DSS mandated it. Or worse, a breach happened and the post-incident review revealed that nobody had agreed on what the rules were in the first place.
But the practical value of a policy goes beyond checking a compliance box. A written policy gives you three things you cannot get from informal habits.
First, it creates consistency. Without a policy, security depends on individual judgment, which varies wildly between employees. One person creates strong unique passwords. Another reuses the same password everywhere. One person reports suspicious emails. Another clicks the link and hopes for the best. A policy sets a baseline that everyone is expected to meet.
Second, it creates accountability. You cannot hold someone responsible for violating a rule that was never communicated. If an employee shares their credentials and it leads to a breach, your response is very different depending on whether you had a written policy prohibiting credential sharing versus an unspoken assumption that people would know better.
Third, it makes onboarding and training concrete. When a new employee joins, you can hand them the policy and have them acknowledge it. When you run security awareness training, you can tie it back to specific policy requirements. The policy becomes the foundation that everything else references.
What a Cybersecurity Policy Should Cover
A cybersecurity policy for a small business does not need to be a 50-page document. It needs to cover the topics that directly affect your security posture in clear, enforceable language. Here are the sections that matter most.
Acceptable Use
Define what employees can and cannot do with company systems, devices, and network access. This section should cover personal use of company devices, installation of unauthorized software, use of personal devices for work (BYOD), and access to company resources from public networks.
Be specific about what is prohibited rather than relying on general statements like “use good judgment.” Good judgment means different things to different people. If you do not want employees installing browser extensions on company laptops, say so. If personal email use on company devices is allowed during breaks but not for handling company data, say that. The same specificity now applies to AI tools: ChatGPT, Copilot, Gemini, and the rest of the consumer AI landscape are already in use at most SMBs whether IT has approved them or not, and the policy needs to address that directly (see “Your Employees Are Already Using AI at Work” for the scope of the problem and what an AI section of this policy should cover).
Password and Authentication
Define your password requirements and authentication expectations. This should include minimum password length and complexity, prohibition on password reuse across accounts, requirement for unique passwords on all business accounts, mandatory use of a password manager if you provide one, and MFA requirements for all business applications.
Specify which MFA methods are acceptable. If you have moved away from SMS-based MFA in favor of authenticator apps or hardware keys, the policy should reflect that. Make it clear that sharing credentials with coworkers is prohibited under all circumstances, even when it seems convenient.
Email and Communication
Email is the most common entry point for attacks against small businesses, so your policy needs to address it directly. Define expectations for handling suspicious emails: do not click links or open attachments from unknown senders, verify unexpected requests from known senders through a separate channel, and report anything suspicious to IT immediately.
Address email forwarding. Employees should not set up automatic forwarding of company email to personal accounts. Define rules around sending sensitive information via email, including whether encryption is required and what types of data should never be sent via email regardless of encryption.
If your business uses messaging platforms like Teams or Slack, extend the same principles to those channels. Attackers are increasingly using these platforms to deliver malicious links and files, and employees tend to be less cautious in chat than in email.
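The forwarding rule above is one of the few policy statements that can be checked mechanically rather than trusted. The script below is an added example, not code from the Sequentur post: it takes a list of mailbox forwarding rules (constructed here to resemble an inbox-rule export; the field names, the `smtp:` prefix handling and the `example.com` domain are assumptions) and flags every destination that is not a company domain, including lookalike domains that merely start with the company name.

```python
"""Flag mailbox rules that auto-forward company email outside the company.

Added example, not code from the Sequentur post. The rule records below are
constructed to resemble an inbox-rule export; the field names, the
'smtp:' prefix handling and the example.com domain are assumptions.
"""
from dataclasses import dataclass

# Constructed: the domains the business itself sends mail from.
COMPANY_DOMAINS = frozenset({"example.com"})


@dataclass(frozen=True)
class ForwardingRule:
    mailbox: str          # mailbox that owns the rule
    rule_name: str
    forward_to: tuple     # destination addresses the rule forwards to
    enabled: bool


def normalize_address(addr: str) -> str:
    """Lower-case the address and drop an 'smtp:' prefix (assumed export format)."""
    addr = addr.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return addr


def is_company_address(addr: str, company_domains=COMPANY_DOMAINS) -> bool:
    """True when the address belongs to a company domain or one of its subdomains.

    The comparison is on whole DNS labels, so a lookalike such as
    'example.com.attacker.example' does not pass as internal.
    """
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1]
    return any(domain == d or domain.endswith("." + d) for d in company_domains)


def find_external_forwarding(rules, company_domains=COMPANY_DOMAINS):
    """Return one finding per external destination: (mailbox, rule, address, enabled).

    Disabled rules are still reported because re-enabling one is a single
    click; callers can sort on the enabled flag to triage.
    """
    findings = []
    for rule in rules:
        for raw in rule.forward_to:
            addr = normalize_address(raw)
            if not is_company_address(addr, company_domains):
                findings.append((rule.mailbox, rule.rule_name, addr, rule.enabled))
    return findings


# Constructed sample export: two clean rules, one to a personal mailbox,
# one to a lookalike domain, one old rule that is currently disabled.
SAMPLE_RULES = [
    ForwardingRule("alice@example.com", "Archive copy", ("SMTP:alice@mail.example.com",), True),
    ForwardingRule("bob@example.com", "Backup to personal", ("bob@personal-mail.example",), True),
    ForwardingRule("carol@example.com", "Sync", ("carol@example.com.attacker.example",), True),
    ForwardingRule("dave@example.com", "Old ISP", ("dave@old-isp.example",), False),
    ForwardingRule("erin@example.com", "Team copy", ("ops@example.com", "Erin@Example.COM"), True),
]


if __name__ == "__main__":
    for mailbox, rule, addr, enabled in find_external_forwarding(SAMPLE_RULES):
        state = "ACTIVE" if enabled else "disabled"
        print(f"{state:8} {mailbox:20} rule '{rule}' forwards to {addr}")
```

Run it against a real export on a schedule and each hit becomes a conversation with the mailbox owner rather than a surprise in an incident review. The domain check deliberately compares whole labels instead of using a substring match, because “contains example.com” would wave through the lookalike destination in the sample.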
Data Handling and Classification
Define how different types of data should be handled based on their sensitivity. You do not need a complex classification scheme. Three levels work for most small businesses:
Public data can be shared freely. Marketing materials, published pricing, general company information.
Internal data is for employees only. Internal procedures, non-sensitive business records, general operational documents.
Confidential data requires specific protections. Customer personal information, financial records, health records, employee records, trade secrets, and credentials. Confidential data should only be accessed by employees who need it for their role, should not be stored on personal devices, and should be encrypted when transmitted or stored outside of controlled systems.
The key is that employees need to know which category their data falls into so they can handle it appropriately. If your accounting team does not know that customer payment information is confidential, they may handle it the same way they handle a meeting agenda.
Remote Work and BYOD
If employees work remotely or use personal devices for work, your policy must address the security implications. Define requirements for home network security (minimum WPA2 encryption on Wi-Fi, router firmware updates), VPN usage for accessing company resources, and restrictions on using public Wi-Fi for company work. A dedicated remote work IT policy is often the cleaner format when more than a handful of employees work remotely.
If you allow personal devices (BYOD), define the minimum security requirements: current operating system, disk encryption enabled, screen lock with PIN or biometric, EDR or antivirus installed, and company right to remotely wipe company data from the device if it is lost or the employee leaves. A standalone BYOD policy covers the full set of rules in more depth.
If you do not allow BYOD, state that clearly. Many security incidents stem from employees checking company email on unmanaged personal devices because nobody told them not to.
Vendor and Third-Party Access
Define how third-party vendors, contractors, and IT providers can access your systems. This should cover requirements for vendor security assessments before granting access, use of dedicated vendor accounts rather than shared credentials, time-limited access that is revoked when the engagement ends, and requirements for business associate agreements where applicable.
Vendor access is a common ransomware entry point, particularly through IT service providers with remote access to your network. Your policy should require that vendors use MFA, access only the systems they need, and have their access reviewed regularly. If your business uses Microsoft 365, guest access policies should be part of this vendor access section – defining who can invite external users, what resources they can access, and when their accounts are reviewed and removed.
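The vendor rules in this section (assessment before access, dedicated accounts, MFA, time-limited access, regular review) are easy to write and easy to let slide. As an added example that is not code from the Sequentur post, the script below runs a periodic access review over a constructed list of vendor accounts and lists every rule each account breaks. The 90-day review interval, the field names and the vendor names are assumptions rather than anything the post specifies.

```python
"""Periodic access review for vendor and contractor accounts.

Added example, not code from the Sequentur post. The account records are
constructed, and the 90-day review interval, the field names and the
vendor names are assumptions rather than anything the post specifies.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90  # assumption: how often vendor access is re-checked


@dataclass(frozen=True)
class VendorAccount:
    vendor: str
    account: str
    assessment_done: bool            # security assessment completed before access
    shared: bool                     # one login used by several people at the vendor
    mfa_enabled: bool
    engagement_end: Optional[date]   # None means open-ended, which is itself a finding
    last_review: Optional[date]


def review_vendor_account(acct, today, interval=REVIEW_INTERVAL_DAYS):
    """Return the policy violations for one account; an empty list means compliant."""
    issues = []
    if not acct.assessment_done:
        issues.append("no vendor security assessment on file")
    if acct.shared:
        issues.append("shared credential instead of a dedicated vendor account")
    if not acct.mfa_enabled:
        issues.append("MFA not enabled")
    if acct.engagement_end is None:
        issues.append("no engagement end date, so access is not time-limited")
    elif acct.engagement_end < today:
        issues.append(f"engagement ended {acct.engagement_end.isoformat()} but access is still active")
    if acct.last_review is None:
        issues.append("access has never been reviewed")
    else:
        age = (today - acct.last_review).days
        if age > interval:
            issues.append(f"last review was {age} days ago, beyond the {interval}-day interval")
    return issues


def review_vendor_access(accounts, today, interval=REVIEW_INTERVAL_DAYS):
    """Map each non-compliant account name to its list of violations."""
    report = {}
    for acct in accounts:
        issues = review_vendor_account(acct, today, interval)
        if issues:
            report[acct.account] = issues
    return report


# Constructed sample: one compliant MSP account, one leftover account from a
# finished engagement, and one integration account that was never scoped.
SAMPLE_ACCOUNTS = [
    VendorAccount("Managed IT Co", "svc-msp-admin", True, False, True, date(2026, 1, 31), date(2025, 4, 15)),
    VendorAccount("Printer Support", "printer-vendor", True, True, False, date(2024, 12, 31), date(2024, 10, 1)),
    VendorAccount("Payroll SaaS", "payroll-integration", False, False, True, None, None),
]
REVIEW_DATE = date(2025, 6, 1)  # constructed "today" so the example is deterministic


if __name__ == "__main__":
    for account, issues in review_vendor_access(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

The inventory of vendor accounts is the hard part; once it exists, this check takes seconds and the output is a revocation list. An account with no engagement end date is reported on purpose: open-ended access is exactly what the policy says vendors should not have.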
Incident Response
Your policy should include a basic incident response plan that answers a few questions: Who do employees contact if they suspect a security incident? What is the immediate response procedure? Who makes decisions about containment and communication? Who contacts your managed security provider, your cyber insurance carrier, and legal counsel?
This does not need to be a detailed incident response playbook, though having a written disaster recovery plan is valuable. It needs to ensure that when something happens, nobody wastes time figuring out who to call. The first hour of an incident matters more than people expect, and confusion about roles and responsibilities during that hour makes everything worse. The plan should also address physical disaster scenarios (fire, flood, hardware failure), not just cyber incidents.
Include a requirement that employees report suspected incidents immediately without fear of punishment. If someone clicks a phishing link and is afraid to report it because they think they will get in trouble, the attacker gets more time to operate. Create a culture where reporting is expected and valued, not punished.
Software and Patch Management
Define expectations for keeping software updated. Specify that operating systems and applications must be kept current with security patches, that automatic updates should be enabled where possible, and that employees should not delay or skip updates on company devices.
If your IT team or provider manages patching centrally, state that in the policy so employees understand that updates will be applied and should not be interfered with. If employees are responsible for their own updates (common with remote workers on personal devices), make the timeline clear. “Install security updates within 48 hours of availability” is enforceable. “Keep your stuff updated” is not.
Physical Security
Even in a digital-first environment, physical security matters. Define requirements for locking workstations when stepping away (Windows key + L should be muscle memory), securing laptops when traveling, restricting access to server rooms or network closets, and proper disposal of hardware and documents containing sensitive information.
If you handle printed documents containing confidential data, include shredding requirements. If employees take laptops home, include requirements for securing them outside the office.
How to Write It Without Overcomplicating It
Keep the language direct and specific. Write it for the least technical person in your organization. If a policy statement requires a technical glossary to understand, rewrite it.
Use “must” for mandatory requirements and “should” for recommendations. This distinction matters if you ever need to enforce the policy. “Employees must use MFA on all business accounts” is enforceable. “Employees should consider using MFA” is a suggestion.
Start with the sections above and keep each one to a page or less. A 10-page policy that employees actually read is more valuable than a 50-page policy that sits in a shared drive untouched. You can always add depth later as your business grows or as specific situations require more detailed guidance.
Framework References
If you want a structured starting point, these free frameworks provide guidance that scales to small businesses:
NIST Cybersecurity Framework (CSF) organizes security into five functions: Identify, Protect, Detect, Respond, and Recover. It is not a policy template, but it helps you think through what your policy should address. The framework is voluntary and designed to be adaptable to any organization size.
CIS Controls provide a prioritized list of security actions. The Implementation Group 1 (IG1) controls are specifically designed for small organizations with limited IT resources and map directly to the policy sections described above.
Both frameworks are available at no cost and are widely recognized by auditors, insurers, and regulators.
Keeping the Policy Alive
Writing the policy is the first step. Keeping it relevant requires ongoing attention.
Review annually at minimum. Technology changes, threats evolve, and your business changes. A policy written two years ago may not address current risks. Schedule a yearly review with whoever is responsible for IT and security.
Require employee acknowledgment. Every employee should read and sign the policy. This creates accountability and provides documentation that expectations were communicated. Include policy acknowledgment in your onboarding process for new hires.
Tie training to the policy. When you run security awareness training, reference specific policy requirements. When you run phishing simulations, connect the results back to the email and communication section of the policy. The policy should be the anchor that training reinforces.
Update when something happens. If you experience an incident, review your policy for gaps that contributed to it. If a new tool or process is adopted, update the relevant policy sections. Treat the policy as a living document, not a one-time deliverable. This is especially true for AI tools, which are shifting fast enough that most cybersecurity policies need a dedicated section now: see “How to Write an AI Acceptable Use Policy for Your Small Business” for the structure and a sample outline, and “What Data Are You Feeding Into AI Tools?” for the data-handling side that the policy depends on.
Sequentur helps small and mid-sized businesses build security policies that are practical, enforceable, and aligned with frameworks like NIST CSF and CIS Controls. If you need help creating a policy from scratch or want to review an existing one, reach out through our contact page to get started.