Why You Need It in Writing
There is a common misconception in small business that cybersecurity policy is a large-enterprise concern — something for companies with compliance departments, legal teams, and dedicated IT staff. This is wrong, and the gap between that belief and reality is costing American businesses billions of dollars every year.
Here is why the written policy is not optional:
Cyber insurance carriers require it to pay claims. This is not theoretical. Underwriters across the industry have tightened their policy language since 2021. If you file a claim after a ransomware event and you cannot produce written evidence of the security controls you represented on your application, the carrier will investigate. If your written policies do not exist or do not match your self-reported controls, the claim is denied. We have seen this happen. It is not a gray area — it is the policy language.
In litigation, the absence of a policy is an admission. After a data breach involving customer PII, the question a plaintiff's attorney will ask is straightforward: "Did you have a written cybersecurity policy?" If the answer is no, you have just confirmed that there were no documented standards, no established procedures, and no formal acknowledgment of the duty of care your customers are owed. That is negligence per se in most jurisdictions. California's CCPA and CPRA make this exposure even more acute — statutory damages of $100–$750 per consumer per incident are available without proving actual harm.
Employee accountability requires written rules. You cannot discipline — let alone terminate — an employee for a security violation that was never documented. If your acceptable use expectations live only in someone's head, they do not exist as an enforceable standard. When a breach is traced back to an employee who stored client data in their personal Google Drive, "everyone knew not to do that" is not a defense.
Compliance frameworks require written policies without exception. HIPAA's Security Rule explicitly requires covered entities and business associates to document their security policies. PCI DSS Requirement 12 is entirely dedicated to maintaining an information security policy. CMMC Level 1 requires demonstrated policy documentation. SOC 2 auditors will ask for policy artifacts as their first evidence request. If you are pursuing any of these certifications or operating under any of these regulations, the written policy is the starting point — not a nice-to-have.
The 8 Sections Every SMB Cybersecurity Policy Needs
A cybersecurity policy does not need to be a hundred-page federal procurement document. It needs to be clear, complete, and written in language your employees will actually read and understand. The following eight sections form the complete foundation for any small business security policy. Each section is a discrete document that can be packaged together under a single policy umbrella or maintained as standalone policies in a policy library.
1. Acceptable Use Policy (AUP)
What employees can and cannot do with company devices, accounts, and network access.
The AUP is the broadest policy in your library and typically the one employees encounter first during onboarding. It should address personal use limits on company-owned devices — how much is permissible, what categories are prohibited (gambling, adult content, piracy), and whether personal accounts can be accessed on company equipment. Specifically call out prohibited activities: downloading software not approved by IT, using personal cloud storage (Google Drive, Dropbox, iCloud) for company data, and visiting known-malicious categories of websites. Remote work device rules belong here as well — what happens to company data when an employee works from a personal laptop?
2. Password Policy
The minimum security standards for every credential used to access company systems, accounts, and data.
Modern password policy guidance from NIST SP 800-63B has evolved significantly. Length now matters more than complexity, but both are required in SMB environments where password managers are not yet universal. Specify a minimum of 14 characters. Require at least one uppercase letter, one number, and one special character. Prohibit reuse of the last 10 passwords. Require a password manager — IT Center provides one as part of the standard managed IT plan — so employees do not need to memorize unique complex passwords for every system. And put it in writing: credentials are never shared between users. Ever. Including between employees and IT staff.
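The rules above, turned into a check an IT team could drop into an account-provisioning script. This is an added example, not IT Center's tooling: it assumes a per-user password history kept as salted PBKDF2 hashes (so old passwords are never stored in plaintext) and rejects any candidate that breaks a composition rule or matches one of the last 10 entries.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 14          # minimum length from the policy text
HISTORY_DEPTH = 10       # "prohibit reuse of the last 10 passwords"
SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored history hashes

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest) for one previous password


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def complexity_failures(password: str) -> List[str]:
    """Every composition rule the candidate violates; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def reused_recently(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate re-hashes to any of the last HISTORY_DEPTH stored entries."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def check_password(password: str, history: List[HistoryEntry]) -> List[str]:
    """Combined policy check; returns the reasons for rejection (empty = accepted)."""
    failures = complexity_failures(password)
    if reused_recently(password, history):
        failures.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return failures


# Constructed sample history: eleven prior passwords, oldest first, so the oldest
# one has already dropped out of the 10-password reuse window.
SAMPLE_HISTORY = [hash_password(f"Old-Password-{i}!") for i in range(11)]
```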
3. Multi-Factor Authentication (MFA) Policy
The requirement for a second layer of verification before accessing any company account or system.
MFA must be mandatory — not optional, not encouraged — on all company email accounts, VPN connections, cloud applications (Microsoft 365, Google Workspace, accounting software, CRM), and financial portals. Your policy should specify the acceptable MFA methods: authenticator app (preferred), hardware security key (required for administrator accounts), or SMS one-time code (acceptable for standard users, prohibited for high-privilege access). The reason for prohibiting SMS-only on admin accounts is SIM-swapping — a social engineering attack against mobile carriers that allows an attacker to receive your SMS codes on a device they control. Authenticator apps and hardware keys are immune to SIM-swapping.
4. Remote Work and BYOD Policy
The security requirements for employees working outside the office or using personal devices to access company resources.
Remote work fundamentally changes the perimeter of your network — because there no longer is one. Your policy must require VPN for any remote access to corporate systems, internal file shares, or sensitive applications. Specify that only approved, IT-managed devices may access sensitive data categories (customer PII, financial records, attorney-client or HIPAA-covered information). For BYOD (Bring Your Own Device) arrangements, require Mobile Device Management (MDM) enrollment before the device is permitted any access — this gives IT the ability to remotely wipe company data from the device if it is lost, stolen, or the employee is terminated. Finally, prohibit the use of public WiFi networks without VPN. A coffee shop network is not a secure channel for your billing system.
5. Incident Response Policy
The documented procedure for detecting, reporting, escalating, and responding to a cybersecurity incident.
This policy answers the question every employee is afraid to ask: "What do I do if I think something went wrong?" It must specify the reporting chain with actual names, roles, and contact information. For IT Center-managed clients, the first call is always the IT Center service desk: [email protected] or (888) 221-0098. The policy must establish a reporting time window — we recommend within one hour of discovery for any suspected breach, not "when you get around to it." Delayed reporting dramatically worsens outcomes. Define the escalation chain: who is notified after the IT vendor, and in what order (CEO, legal counsel, insurance carrier). Specify the customer notification trigger — under California law, breach notification is required within 72 hours in most circumstances.
6. Data Classification Policy
A framework for categorizing company data by sensitivity level and specifying how each category must be stored, accessed, transmitted, and disposed of.
Use three tiers: Confidential (customer PII, social security numbers, payment card data, health information, passwords and credentials, financial account numbers, employee records), Internal (non-public business information that would cause harm if disclosed — contracts, strategy documents, internal communications, pricing data), and Public (marketing materials, published website content, press releases). For each tier, specify: where it may be stored (Confidential data may not be stored in personal cloud storage, ever), how it may be transmitted (Confidential data requires encrypted channels), who may access it (least-privilege basis), retention period (how long it is kept), and disposal method (secure deletion, shredding for physical records). Vague data handling is what turns a minor incident into a reportable breach.
7. Third-Party Vendor Policy
The process for evaluating, granting, managing, and revoking third-party access to company systems and data.
Your vendors represent attack surface you do not directly control. The 2020 SolarWinds compromise — which breached hundreds of organizations including federal agencies — entered through a trusted software vendor's update mechanism. Your policy must require: a signed Non-Disclosure Agreement (NDA) before any vendor accesses company data, documented business justification for each access grant, quarterly review of active vendor access with affirmative re-authorization (not passive continuation), and immediate revocation upon contract termination. For any vendor that touches health data on behalf of your organization, a Business Associate Agreement (BAA) is required under HIPAA — this is a hard legal requirement, not a best practice. The day after a vendor contract ends, their access keys, credentials, and VPN accounts are revoked. Not "when IT gets to it." The same day.
8. Social Engineering Awareness Policy
The behavioral rules that protect employees from manipulation-based attacks that bypass technical security controls entirely.
Technology stops known attacks. Social engineering exploits human psychology. This policy addresses the attack vectors that no firewall or EDR agent can block on its own. Core rules: passwords are never shared verbally over the phone — with anyone, including IT staff. IT Center will never call you and ask for your password. Ever. If someone claiming to be IT asks for your credentials, hang up and call back on a known number. Wire transfers and ACH payment changes must be verified by calling the requesting party back on a number you already have on file — never by replying to the email that requested the change. Business email compromise losses are almost entirely preventable by this one rule. All phishing emails — suspicious messages, unexpected attachments, login page redirects — must be reported to [email protected] within 30 minutes, even if the employee is not sure whether it is actually malicious. Report first, ask questions second.
The Most Common Policy Mistakes
Writing a cybersecurity policy is not the hard part. Implementing it in a way that actually changes behavior is. These are the four mistakes that turn a well-written policy into a document that sits in a shared drive folder, unread, while the organization remains just as exposed as before.
Four Policy Mistakes That Guarantee Failure
- Writing a 40-page policy no employee will read. Length is the enemy of compliance. If your policy cannot be read in under 20 minutes by a non-technical employee, it is too long. Use plain English. Use examples. Use bullet points. Save the technical depth for appendices that IT staff reference — not the main document your warehouse manager signs during onboarding.
- Distributing the policy without training on it. Emailing a PDF and collecting a signature is not training. It is documentation that you gave someone a document. Real policy training means explaining what each rule means in practice, demonstrating the consequences of violations, and confirming comprehension. Annual training is the minimum cadence — IT Center includes policy training as part of onboarding and annual security awareness programs for managed clients.
- No enforcement mechanism. A policy that lists prohibited behaviors but specifies no consequence for violations is not a policy — it is a suggestion. Every policy must reference the disciplinary process: first violation, second violation, and the conditions under which a violation constitutes grounds for immediate termination. HR must be involved in this language. The policy must be tied to the employee handbook.
- Never revisiting it after it is written. A cybersecurity policy written in 2019 does not account for Microsoft 365 Copilot, AI-generated phishing emails, or the remote-work attack surface that became standard post-2020. Policies must be treated as living documents. Review triggers should include: annual calendar date, any security incident (regardless of severity), onboarding of a major new system or cloud platform, significant regulatory changes, and any change in workforce structure (major hiring, layoffs, acquisition).
Annual Review Cadence
A cybersecurity policy that is not reviewed is a cybersecurity policy that is wrong. The threat landscape changes. Regulations change. Your business changes. Establishing a formal review cadence is itself a NIST CSF Govern function requirement.
Schedule an annual policy review date — the same time each year, treated as a non-negotiable calendar commitment at the leadership level. Outside of the annual review, any of the following events should trigger an immediate policy review and update:
- Any security incident, regardless of severity — even a phishing attempt that was caught
- Deployment of a major new system, cloud platform, or SaaS application
- Adding a new vendor category or changing primary vendors for sensitive functions
- Regulatory changes affecting your industry (new HIPAA guidance, CCPA amendments, updated PCI DSS requirements)
- Significant changes to your workforce — rapid hiring, downsizing, acquisition
- Changes to remote work or BYOD arrangements
IT Center conducts annual policy reviews with all managed IT clients as a scheduled service — not a billable add-on. The review includes comparing current policies against updated NIST CSF guidance, current cyber insurance underwriter checklists, and any California-specific regulatory updates that may affect the client's industry.
IT Center Writes Your Policy — Included in Managed IT
Building a cybersecurity policy from scratch is time-consuming. Getting the language right — specific enough to be enforceable, clear enough to be understood, comprehensive enough to satisfy an underwriter — typically takes an experienced information security professional 20 to 40 hours per policy set.
For clients on IT Center's managed IT plan — $300 per computer user per month, unlimited support — your initial cybersecurity policy set is written during onboarding. This is not a template with your company name substituted in. It is a custom policy document developed from your actual systems, your actual vendor relationships, your actual data types, and your actual industry's regulatory obligations. The policy is then reviewed and updated annually as part of your managed services relationship.
The policy set aligns to three standards simultaneously:
- NIST CSF 2.0 — specifically the Govern function, which requires documented policies and role assignments as its foundation
- Cyber insurance underwriter requirements — written to satisfy the control attestations required by major commercial cyber insurance carriers, reducing the risk of a denied claim
- California compliance obligations — incorporating CCPA/CPRA data handling requirements, breach notification timelines, and employee privacy rights that apply to California-based employers
If you are a healthcare-adjacent business (covered entity or business associate under HIPAA), a payments-handling business (PCI DSS scope), a federal contractor (CMMC), or a business pursuing SOC 2 certification, IT Center's policy writing incorporates those framework-specific requirements as well.
The gap between "we have a policy" and "we do not" is the gap between a paid insurance claim and a denied one, between a defensible legal position and an admitted liability, and between an accountable workforce and one operating on informal norms that dissolve the moment they are tested. IT Center bridges that gap starting on day one.
Let IT Center Write Your Cybersecurity Policy
Your cybersecurity policy set — customized to your business, aligned to NIST CSF and your cyber insurance requirements, and reviewed annually — is included in IT Center managed IT onboarding. Contact us to get started or to request a free security assessment for your organization.