Book a Demo
Demo Centre

Emma Woods

The 7 Things You Need To Include In Your Employee Cyber Security Policy

An organisations cyber security policy is the heart of the business. It should address all of the potential threats and the best practices for controlling the cyber security threats.

Close up of a man using a laptop and inserting code

To help you get started with your employee cyber security policy here are the 7 things you need to include:

#1 Handling Data

The majority of employees in your business will have access to some form of data. With sensitive data, it is best to limit access to your employee’s on a “need to know” basis.

There are a few steps to take when handling sensitive data: 

  • Confidential documents should be stored in a secure manner
  • Use confidential waste bin and shredders
  • Strong use of passwords
  • Limit access to documents

Criminals are after sensitive data such as credit card details, passwords, customer data and social security numbers. When this information is being sent outside of the organisations it is important that your employees understand that they cannot simply send information via email.

A secure file transfer system needs to be in place, the system will encrypt the information and will only allow authorised recipients to have access to it.

With GDPR now in place data security is crucial for any business to understand and follow the rights of personal data. Here is a brief overview of the 8 basic rights of GDPR:

1. The right to access-  Any individual has the right to request access to their personal data, ask how their data is used by the company.

2. The right to be forgotten-  If an individual is no longer a customer or an employee they have the right to withdraw their consent from the company.

3. The right to data portability-  An individual has the right to transfer their own data from one service provider to another one.

4. The right to be informed- Consumers can opt in if they want their data to be gathered and their consent must be given freely.

5. The right to have information corrected- This allows any individual to have their own data updated if it is out of date or incorrect.

6. The right to restrict processingIndividuals can request that their data is not used for processing.

7. The right to object-  An individual can stop the processing of their data for direct marketing. (There are no exemptions to this rule).

8. The right to be notified-  If a data breach occurred and an individuals data was compromised, the individual need to informed within 72 hours of first becoming aware of the data breach.

For a more detailed explanation of the GDPR rights visit

Data is an important part of any businesses making sure your employees understand how to handle and process data is extremely important and should be a priority in your employee cyber security policy.

GDPR blue banner

2# Password Security  

Passwords can make or break a companies security system. Your policy needs to include guidelines on the password best practices, such as keeping passwords safe, having strong passwords and updating them on a regular basis.

Here are a few password tips to implement in your cyber security policy:


  • Enable the passwords must meet complexity requirements policy, will allow you to go beyond the basic password account policies.

  • Enable a password audit policy, this will allow you to track all password changes.

  • Create an email notification prior to password expiry reminding your end- users when it’s time to update their passwords (on all of their accounts, not just their email).

  • Your policy should also emphasise the point of never writing down passwords, this opens up the opportunity for insider attacks to occur from malicious employees.


Authentication has been proven to strengthen a companies security firewall, even using it on personal devices is just as beneficial, after all we all have private data that we don't want everyone accessing.

There are three different types of authentication:

  • Something you have: A phone, a credit card, a fob key.

  • Something you know: A pin code, a password, a username.

  • Something you are: A bio-metric such as a fingerprint, a retina scan, a voice command.


close up of a black and white keyboard

3# Cyber Security Awareness Training 

 Whether or not you already have some form of security awareness training in place, it is crucial for employees to be educated consistently, Most companies do the bare minimum when it comes to security awareness. One classroom session a year and the odd poster around the office will simply not cut it. 

Cyber criminals have changed their methods and are now targeting employees. You no longer have to be able to hack your way into a device to access its data.

Using methods of social engineering criminals can now emotionally manipulate people to access their data and money.

Similar Read: A short guide on the threat of employee social engineering.

Every employee has different strengths and weaknesses when it comes to identifying and preventing cyber attacks. A good security awareness program will tailor its's training to each employee and locate any knowledge gaps in the process and educate them using bite-size modules to keep a higher retention rate.

The ideal Security Awareness Platform should:

  • Develop a security-focused culture

  • Empower your employees

  • Protect assets

  • Prevent downtime

  • Increase adoption

  • Institute proactive practices

  • Collect risks data by driving awareness

  • Get all employees on the same page

 4# Continual Backups and Updates

Data loss can happen to anyone. Having a backup plan can help you to avoid losing your data. Backing up your data should be a crucial part of your cyber security policy after all data is the heart of any company.

Why is it so important to back up your files?

Without a backup plan, your business can suffer from permanent data loss, as well a destroyed reputation. Remember, all data is a target, no matter your role, or which company you work for, your data will always be vulnerable to cyber criminals.

More often than not human error and hardware malfunction can be the cause of data loss, both of these are hard to prevent and manage. If you do lose your data without a recovery option, then you’ll be forced to start over again with your data. However, bear in mind that some data cannot be recovered … at all.

Where should you back up your data?

There are many forms of storage mediums where you can back up your data. Choosing the correct media can depend on several factors, such as the size of the backup, the complexity, the budget and the portability.

Here are a few types of storage mediums to use when backing up your data:

  • External hard drives

  • Disks (CD, DVD,Blu ray)

  • USB flash drives

  • Cloud backup

As well as backing up your data, keeping your software up to date is equally important. Here are the most important reasons to keep your software up to date:

Security- Your software isn't the only thing that gets updated over time. It's important to update your software on a regular basis because every new version comes with security upgrades that will prepare your system for an encounter with new cyber threats.

There is a special connection between hardware and software and by upgrading the latter each time you have a better chance of protecting yourself. The hardware on your device will not run as smoothly or efficiently when it is operating on old software.

Free 2019 Information Security Awareness and GDPR Posters

5# Phishing awareness

Phishing is the most common form of a cyber attack, it targets end users every day and has a very high success rate.

Email is an essential part of an employee's everyday communications. It is also a hackers favourite method to gain access to sensitive data. Phishing awareness is crucial for any business, as its the most successful threat your employees need to understand:

  • The common types of phishing emails

  • How to spot them

  • How to mitigate the risk of phishing 

  • How to report a phishing email

Phishing comes in many forms and has a variety of targets, your employees need to understand the common types of phishing such as smishing, vishing and spear phishing, there are 27 different types of phishing, some are more common than others, here is our blog on the 27 different types of phishing.

As well as knowing the common types of phishing emails, it's crucial to know how to spot them. There are a few warning signs to look out for: 

  • Sense of urgency
  • impersonal
  • grammar and spelling mistakes
  • fake email address
  • fake company
  • out of the blue 

There is no simple way to control the threat of phishing. After all phishing comes in many forms and targets a variety of people. The best place to start is making sure your end users are educated. This can be done with a good security awareness platform, finding the right security awareness platform can be difficult here is a detailed guide to help the right security awareness platform for you and your employees.

As well as SAT training, phishing simulations should be ran regularly in your business, running simulations will bring reality to your employees and create a strong mindset to tackling phishing emails.

Phishing simulations will allow you to control the type of campaigns that are sent to your end users, you can also track the open and click rates of each campaign. Overtime you will see a decrease in clicks and engagement on the phishing campaigns and an increase employees reporting the phishing emails.


BYOD is becoming very common for businesses to use, there's no denying it brings many benefits to the business and individual. If you choose to implement it into your business you and your employees need to understand the potential risks that can occur.

Security is the most common concern for BYOD. When a company's data moves around the organisation it becomes more difficult to manage and protect. If you want to regain control over BYOD security in your business, your cyber security policy needs to cover every aspect of BYOD and its effect on your business.

Here are some great tips of what to include in your BYOD policy:

Everyone should be involved in the policy- make sure everyone understands the requirements and is happy with them

Adjust the policy to suit you and your employee-  What works for one company might not work for another. Your policy should be tailored to your employee's needs without compromising your data security.

Create a list of devices that can be used for BYOD - Bare in mind, not every device out there is suitable for work purposes. As well as the recommended BYOD devices to use it is important that your policy covers the security requirements that employees need to use on all of their devices such as:

  • Software updates
  • Regular password changes 
  • Regular backups
  • Avoid public WiFi

7# Safe Use of Social Media 

Social media has grown its users over such a short space of time. Businesses and consumers use it constantly, whether its for promotion or personal use, its users still continue to grow daily. However, with the increase of users, this only opens up more opportunities for cyber attacks to occur.

Social engineers love social media, simply because of how impatient and over curious people can be. A lot of people will share every little detail that occurs in their daily life, regardless of whether people are interested or not.

This only opens up opportunities for a social engineer to use this information about the individual. Employees need to be careful what information they are putting out there for everyone to see. Whether its a location, business email or financial information. 

Does my company really need a social media policy?

In short- yes.

At the very least your cyber security policy should inform your employees of the best practices and precautions to take when using social media in the workplace. It's quite common for organisations to wait until they've faced a PR disaster before they decide to put a policy in place.  

Here are a few things to include in your policy:

  • What information should and should not be posted online

  • What security should be used on social media accounts

  • Industry standards and regulations

  • Expectations for behaviour online


Creating the ideal cyber security awareness policy can be difficult. Your policy should be tailored to your business and its employees. Before enrolling your cyber security policy it is a good idea to communicate to your employees that the policy is being put in place and make sure they are all on the same page and understand the requirements of the policy.

A cyber security policy is only as effective as the degree to which it is practised with your business. Therefore, a good policy is one which is understood and accepted by all employees. Including everything from the list above will help you to keep up with regulations and have a strong security culture in your business.


Read next

Subscribe now and get notified of new posts on the usecure blog