Creating a Cybersecurity Policy

One of the early steps a small business needs to undertake is the creation of a cybersecurity policy. This is not a trivial undertaking, and taking a look at the information below will undoubtedly make this project look daunting to the average small business owner. A good solution is to find a cybersecurity professional with experience in policy creation and implementation and outsource this project to them.

Having the policy in place is one thing. The next step is to train your employees on the policy: explain the importance of cybersecurity to the survival of the business, how to recognize threats, and what to do about them as they arise.

Your cyber action plan should include:

  • Security roles and responsibilities – who is the go-to person (or persons) in your organization?
  • Computer and Internet usage policy
  • Social media policy
  • BYOD policy
  • Employee training on cybersecurity with emphasis on social engineering, fraud, phone scams, and phishing
  • Malware protection
  • A vulnerability scan or penetration test performed by a qualified cybersecurity professional
  • Risk mitigation activities based on the findings of the security testing

This process will take some time and require a significant budget. Ideally, it should be an iterative process in which your cybersecurity team performs periodic reviews, provides continuing employee education, and suggests new strategies and solutions as new threats emerge. If you have been kicking the can down the road on this subject, the time to start is now. The likelihood that your business network is currently experiencing a breach without your knowledge is actually pretty high, and getting this project underway is one way to discover the breach and remediate it.

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
