How to create your IT security policy as an SME

If you’re an SME owner, it’s often difficult to get everything you need to get done finished every day. For many of us, an IT security policy is something it’s easy to continually put in the “tomorrow” pile.

This is particularly easy to do when you’re starting from nothing. You might not have gotten much further than putting some password management in place or creating some nice email signatures.

But in a world where cybersecurity threats are very real and they cost SMEs millions of pounds every year, having a clear IT security policy is something that really needs to graduate to your “today” pile.

This policy will be your guidebook that lays out how you will protect yourself from the many cyber threats out there.

Crucially, it will also explain what you or your team should do in the event of all kinds of IT and security-related problems, minimising downtime and maximising productivity.

What is an IT security policy?

An IT security policy is a collection of rules for how you classify your business data and how you protect it. These rules are usually bundled together in a handbook that you and your team have easy access to.

The purpose of doing this is to make sure you are handling your cybersecurity systematically and effectively. This can help you:

  • Reassure clients that you are a safe pair of hands for their data
  • Acquire proof of your security to show potential investors or partners
  • Apply for government contracts (this requires cybersecurity certification, which in turn demands specific approaches)
  • Protect your business from ransomware and other immensely costly threats
  • Maximise productivity by ensuring your team knows what to do in the event of IT and security issues

How to create your IT security policy

Every IT security policy is unique to the business that made it. Your mix of permanent and contract staff, and of office-based and remote-working employees, is different from everyone else's. So are your networks, and so are the kinds of data you handle.

To start creating your own policy, it can be a good idea to:

1) Take stock of where you are right now

What have you done so far to protect your business? Some of the most important questions to ask yourself are:

  1. What is your current IT security policy?
  2. Do you have a classification system for the data you hold?
  3. How do you determine what sensitive data looks like?
  4. How do you manage and control that data?
  5. What protections do you have in place for that data?

2) Make a list of all the areas you need to cover

Your IT security policy basically needs to consider everything if it’s going to be effective. This means you will need to create policies for, among other things:

  • Network access, security, and authentication
  • Wireless access
  • Passwords
  • Patches and how to manage them
  • Data classification and management
  • Backups and managing them
  • Emails and email security
  • Mobile devices
  • The physical security of devices

3) Create a disaster or event response plan

Of course, your biggest goal when creating an IT security policy is to stop the bad things from happening in the first place. However, no policy is perfect.

Perhaps one unlucky employee leaves a laptop in a taxi. Perhaps one genius hacker manages to get access to your system and wants to ransom control back to you.

The key point is that your security policy means you will already have a plan in place should the worst happen.

Emergency scenario planning is one of the best things you can include in your policy handbook. For each of a whole range of emergencies, both common and – hopefully – incredibly rare, it sets out instructions for you or your team covering:

  • Who to notify
  • How to contact them
  • What this means
  • What to do in the meantime
  • What not to do

When to start writing your IT security handbook

The ideal time to get started on your IT security policy is right now. It can feel like a mountain to climb. But once you’ve started, you will hopefully find that progress starts to snowball.

One thing’s for sure. Your customers, partners and potential partners – and your future self – are all going to be very grateful for your hard work now.

If this all sounds like too much, why not talk it over with an expert?

Dial A Geek has already helped over 1000 businesses in and around Bristol protect themselves and get better, more sustainable use out of their IT.

Set up a cost and commitment-free consultation with Chief Geek Gildas Jones today.
