Published on 13/08/2019 by Any Business.Com.Au

The Threat is Real: Cyber Crime and Small Business Part 3

Creating a cyber security policy for your business

A cyber security policy outlines the assets you need to protect, the threats to those assets and the rules and controls for protecting them and your business. The policy should inform your employees and approved users of their responsibilities to protect the technology and information assets of your business. Some of the issues the policy should cover are:

  • the type of business information that can be shared and where
  • acceptable use of devices and online materials
  • handling and storage of sensitive material.

Businesses that don't have a cyber security policy in place could be leaving themselves open to attacks and legal issues.

Quick tips on what to include in your cyber security policies

You should develop, review and maintain your cyber security policy on a regular basis. The policy needs to outline which systems you need in place to protect critical data against attacks, and who is responsible for protecting it.

A cyber security policy should include guidelines on:

  • Password requirements

    • how to store passwords correctly
    • how often you need to update them
    • the importance of having unique passwords for different logins.
  • Email standards

    • when it's appropriate to share your work email address
    • only opening email attachments from trusted contacts and businesses
    • how to block junk, spam and scam emails
    • deleting and reporting suspicious looking emails.
  • Handling of sensitive data

    • when you can share sensitive data with others
    • storing physical files in a locked room or drawer
    • properly identifying sensitive data
    • destroying any sensitive data when it is no longer required.
  • Locking computers and devices

    • when to physically shut down computers and mobile devices that aren't in use
    • locking screens when they are left unattended.
  • Handling of removable devices

    • how to protect data stored on removable devices like USB sticks
    • restricting the use of removable devices to prevent malware from being installed
    • scanning all removable devices for viruses before they are allowed to connect to your business systems.
  • Handling of technology

    • where employees can access their devices such as a business laptop away from the workplace
    • how to store devices when they aren't in use
    • how to report a theft or loss of a work device
    • how system updates such as IT patches and spam filter updates will be rolled out to employee devices.
  • Social media and internet access standards

    • what is appropriate business information to share on social media channels
    • which channels and newsletters are appropriate for employees to sign up to when using their work email account
    • guidelines around which websites and social media channels are appropriate to access during work hours.
  • Managing incidents

    • how to respond to a cyber incident
    • what actions to take
    • the roles and responsibilities for dealing with a cyber attack.

Prepare a cyber security incident response plan

You have legal responsibilities as a business owner to protect your business and ensure that your business and customer information is safe. Think about the information that you store online, and what it would mean if that information were lost or stolen.

Unfortunately, you cannot predict when a cyber-attack will occur and what it might involve. If a cyber security incident occurs, you should minimise the impact and get back to business as soon as possible.

A cyber security incident response plan will help you and your business prepare for and respond to an incident quickly and effectively.

What is an incident response?

An incident response is how you protect and restore the operation of your business when a cyber incident occurs. If you don't deal with an incident quickly you could expose your business to major disruption and legal issues.

It's critical that you and your employees understand the basics of detecting and responding to a cyber security incident. A cyber security incident response management plan can help you do this.

What is a cyber security incident response plan?

A cyber security incident response management plan is a guide that outlines the steps to manage a cyber security incident. The plan should help you and your employees detect incidents quickly, lessen the impact, and return your business to normal as soon as possible. The plan should set out the process of:

  • preparing for a cyber incident
  • detecting the threat
  • assessing the level of threat and impact
  • responding to the level of threat
  • reviewing the process and improving the incident plan if needed.

Tips on how to prepare and respond to cyber security incidents

Prepare and prevent

Prepare your business and employees to be ready to handle potential cyber incidents that may arise.

  • Develop policies and procedures to help employees understand how to prevent an attack and to identify potential security incidents.
  • Identify the financial and information assets that are important to your business and technology that you rely on.
  • Consider the risks to these systems and the steps you and your employees need to take to lessen the effects or damage to your business.
  • Create roles and responsibilities so that everyone understands who to report to if an incident occurs and the recovery procedures that follow.

Check and detect

Check for and identify any unusual activity or events that may damage your business' information assets and systems. Unusual activity may include:

  • accounts and your network cannot be accessed
  • passwords no longer work
  • data is missing or altered
  • your hard drive runs out of storage space
  • your computer keeps crashing
  • your customers receive spam from your business account
  • you receive numerous pop-up ads.

If you see a security incident, document any evidence and report it to your IT section, a team member or a government body such as the Australian Cybercrime Online Reporting Network.

Identify and assess

  • Find the initial cause of the incident and assess the impact so that you can contain it quickly.
  • Determine the impact the cyber incident has had on your business and the effects on your business and assets if it is not immediately contained.

Respond

  • Limit further damage from the cyber incident by isolating the affected systems. If necessary, disconnect from the network and turn off your computer to stop the threat from spreading.
  • Eliminate the problem with the removal of the threat.
  • Recover from the incident by repairing and restoring your systems to business as usual.

Review

  • Identify if any systems and / or processes need improving and make those changes.
  • Evaluate the incident before and after, and any lessons learnt.
  • Update your cyber security incident response plan based on the lessons learnt so you can improve your business response.

Remember, the online security measures you take will help protect your business and your customers from existing and future threats.



AnyBusiness.com.au

Curtis is a leading expert in the business-for-sale industry, serving as a senior content creator at anybusiness.com.au.

With a career spanning over fifteen years, Curtis has accumulated extensive knowledge in the domain of business sales, acquisitions, and valuations. His deep understanding of market dynamics and his ability to translate complex industry jargon into accessible insights make him a trusted resource for entrepreneurs and business owners looking to buy or sell businesses.

