Skip to content

Cyber Security Policy

Cyber Security policy for your business – what do you need to know?

It is important to have a cyber security policy if you own a business.  This is not only a guide and reference to be used internally with your employees, but also as a reference point to deal with any external data from customers. 

Your Cyber Security policy should be thought of as a moving, changing entity that will need to be updated regularly to keep up with technological advancements, and any changes within your business. 

What does your Cyber Security policy need to cover?

Firstly no two cyber security policies will be the same. Your Cyber Security policy will be unique to your business, depending on your particular type of business, and what kind of data you deal with. 

The first thing you need to do is to identify the particular risks for your business. If you are an accountant for example, your focus is on how you deal with customers’ personal information, bank details, IRD number etc. 

Once you have worked to clarify your specific risks, you can then prepare for what to do if something goes wrong. Our team has knowledge of a wide variety of industries, and will be able to assist you to clarify what you need to be mindful of. 

Having a clear plan in place, means that everyone in your organisation knows what to do, who is responsible for what, and what processes you have in place to mitigate the risks.  

You will also need to create two cyber security policies. One, an internal one for employees, and the second one is a public one for customers. 

What needs to be included in the Policy?

The below information has been taken from the Cert nz website

Cert NZ suggests that you break your internal policy down into different areas.


This should cover how you handle data safely and securely — both your business’s data and your customers’. Think about:

  • how much to collect
  • where you’ll store it (locally or in the cloud)
  • how to protect it, for example keeping data at-rest (when stored) and in-transit (when communicating) encrypted
  • how often you’ll back it up, and who’s responsible for doing backups.


It’s important to identify what systems you have, and which ones are critical to your work. Consider:

  • setting some rules around updating, or patching, your systems — how to make sure they’re done regularly and who’s responsible for making sure it happens
  • what systems your staff can use, including any cloud applications or software running inside your business’s network
  • how much access your staff need to your systems. You should make sure your staff only have the minimum level of access in each system they need to do their job. This is what’s called the ‘principle of least privilege’.

Security and protection

Security and protection covers how your staff and customers access your systems and data. It means thinking about:

  • how they can access your systems. For example, your staff may want to work remotely. They should do this by using secure tools, like VPN with 2FA.
  • how they authenticate themselves on your system. This includes your password policy and use of two-factor authentication
  • what devices your staff can use at work. This covers whether staff can use personal devices for work, or if you’ll provide devices to them.

People and users

You need to think about what you consider to be acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Make sure you set expectations so they know:

  • what their responsibilities are
  • what kind of things they should report to you
  • how you expect them to take ownership of their accounts and their devices.

Physical devices and systems

When you think about protecting your business’s devices and systems, make sure you cover both:

  • protection against loss — if something is stolen, and
  • protection against the environment — for example, if your business is flooded during a storm and your devices are water damaged.

You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. As an example, you could have all staff protect their devices by:

  • having strong passwords on them
  • using device encryption
  • setting rules for them about use outside the office.

Problems and incidents

You’ll need to define what you and your team will do when things go wrong. This means creating an incident response plan to map out what you’ll do during, and after, a security incident. It can be a stressful time for both you and your staff, so it’s good to be prepared in advance.

What next?

The Ultra IT team are used to helping companies like yourself with creating a Cyber Security policy for your business. Reach out to us here and we can assist you.