Cyber attacks on UK businesses are not slowing down. The 2024 Cyber Security Breaches Survey found that 50% of UK businesses experienced a cyber security breach or attack in the previous 12 months. Yet many businesses still operate without a formal cyber security policy — leaving staff without guidance and the business exposed to unnecessary risk.
This guide explains what a cyber security policy is, what it must include, your legal obligations under UK law, and how to structure one that actually works for your team.
What Is a Cyber Security Policy?
A cyber security policy is a formal document that sets out how your business protects its data, systems, and people from cyber threats. It tells staff what they are and are not allowed to do with company devices and data, who is responsible for security decisions, and what to do when something goes wrong.
A policy is not the same as a technical control. Firewalls and antivirus software are technical controls. A policy is the written rule that says why those controls exist, who oversees them, and what happens if someone bypasses them.
Why Does Your Business Need One?
There are three clear reasons every UK business needs a cyber security policy.
1. Legal Obligations Under UK GDPR
If your business handles personal data — and almost every business does — you are required under UK GDPR (Article 32) to implement “appropriate technical and organisational measures” to protect that data. A documented cyber security policy is one of those organisational measures. Without one, you have no evidence that you have fulfilled this obligation.
The ICO can issue fines of up to £17.5 million or 4% of annual global turnover (whichever is higher) for serious breaches. Having no policy in place when a breach occurs makes it significantly harder to demonstrate that you took your obligations seriously.
2. Cyber Essentials Certification
Cyber Essentials is a UK government-backed certification scheme designed to protect businesses against the most common cyber attacks. To achieve certification, you need to be able to demonstrate that your business has policies and controls in place covering five key areas: firewalls, secure configuration, user access control, malware protection, and patch management.
Many public sector contracts now require Cyber Essentials as a minimum. If you want to work with the NHS, MOD, or any government department, certification is often mandatory. A formal cyber security policy is the foundation you need before you can pass the assessment.
3. Human Error Remains the Biggest Risk
According to IBM’s annual Cost of a Data Breach Report, human error is involved in 95% of cyber security incidents. Phishing emails, weak passwords, lost laptops, and staff clicking on malicious links are behind the majority of successful attacks. No amount of technical security can fully compensate for staff who do not know what is expected of them.
A cyber security policy gives your staff clear, documented guidance. It removes ambiguity and gives managers the ability to enforce standards consistently.
What Should a Cyber Security Policy Include?
A practical cyber security policy for a UK small or medium business should cover the following sections.
Password Policy
Set minimum password requirements: length (14 characters or more), complexity, and rotation rules. Specify that passwords must not be reused across accounts, must not be written down or shared, and that a business-approved password manager should be used. State that multi-factor authentication (MFA) is mandatory for all systems that support it, especially email and cloud storage.
Acceptable Use Policy
Define what staff can and cannot do with company devices and accounts. Cover personal use of work devices, downloading software, connecting to public Wi-Fi, and storing company data on personal devices or unapproved cloud services. Be specific about what is prohibited — vague policies are hard to enforce.
Data Classification and Handling
Not all data carries the same risk. Define categories (for example: public, internal, confidential, restricted) and state how each should be stored, shared, and disposed of. Specify that confidential data should not be sent via unencrypted email, shared via personal accounts, or stored on unencrypted USB drives.
Device and Remote Working Policy
With hybrid and remote working now the norm, device security is critical. Require full disk encryption on all laptops (BitLocker on Windows, FileVault on Mac). Mandate screen lock after a short period of inactivity. Prohibit leaving devices unattended in public. Set out what happens if a device is lost or stolen, including who to notify and whether remote wipe is in place.
Email and Phishing Awareness
Email remains the number one attack vector. Your policy should include guidance on recognising phishing attempts, verifying unexpected requests for payments or data, and what to do if a suspicious email is received. State that staff should never click links in unexpected emails without verifying the sender through a separate channel.
Software and Patch Management
Unpatched software is one of the most exploited attack vectors in ransomware campaigns. Your policy should require that operating systems and applications are kept up to date, that staff do not delay or dismiss update prompts, and that only approved software is installed. Define who is responsible for overseeing patch compliance.
Incident Response Procedure
Every policy must include a clear incident response section. If a breach occurs, who do staff notify and how quickly? Who is the internal point of contact? When does the ICO need to be notified (within 72 hours of discovering a personal data breach under UK GDPR)? What evidence should be preserved? Having this documented in advance means staff are not making it up under pressure.
Third-Party and Supply Chain Access
Many breaches now originate through third-party suppliers. Your policy should specify what access contractors and third parties are permitted, require that suppliers meet minimum security standards, and state that access should be revoked immediately when a supplier relationship ends.
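The password, device, patch-management, incident-response and third-party sections above can be turned into measurable checks; the script below is an added example, not part of the original guide, and its inventory field names, the 10-minute screen-lock timeout and the 14-day patch window are assumptions.

```python
# Added example, not from the guide: the policy requirements above as measurable checks.
# Inventory records and field names are constructed; lock timeout and patch window are assumed.
from datetime import datetime, timedelta
MIN_PASSWORD_LENGTH = 14                  # Password Policy: 14 characters or more
MFA_REQUIRED_SERVICES = {"email", "cloud_storage"}   # Password Policy: MFA mandatory
MAX_LOCK_TIMEOUT_S = 600                  # Device Policy: "short period" (assumed 10 min)
MAX_PATCH_AGE_DAYS = 14                   # Patch Management (assumed window)
ICO_DEADLINE = timedelta(hours=72)        # Incident Response: UK GDPR notification window
def check_account(acct, now):
    """Violations for one staff or supplier account."""
    issues = []
    if acct["password_length"] < MIN_PASSWORD_LENGTH:
        issues.append("password shorter than 14 characters")
    if acct["service"] in MFA_REQUIRED_SERVICES and not acct["mfa"]:
        issues.append("MFA not enabled on " + acct["service"])
    end = acct.get("contract_end")        # Third-Party Access: revoke when the contract ends
    if end and acct["enabled"] and datetime.fromisoformat(end) < now:
        issues.append("supplier access still enabled after contract end")
    return issues
def check_device(dev, now):
    """Violations for one company device."""
    issues = []
    if dev["type"] == "laptop" and not dev["disk_encrypted"]:
        issues.append("no full disk encryption")
    if dev["lock_timeout_s"] > MAX_LOCK_TIMEOUT_S:
        issues.append("screen lock timeout too long")
    if now - datetime.fromisoformat(dev["last_patched"]) > timedelta(days=MAX_PATCH_AGE_DAYS):
        issues.append("patches overdue")
    return issues
def ico_hours_remaining(discovered, now):
    """Hours left to notify the ICO; negative once the 72-hour window has passed."""
    return (discovered + ICO_DEADLINE - now).total_seconds() / 3600
def audit(accounts, devices, now):
    """Map each non-compliant asset to its violations."""
    found = [(a["user"], check_account(a, now)) for a in accounts]
    found += [(d["name"], check_device(d, now)) for d in devices]
    return {name: v for name, v in found if v}
NOW = datetime(2025, 1, 20, 9, 0)         # constructed reference time
SAMPLE_ACCOUNTS = [                       # constructed inventory
    {"user": "alice", "service": "email", "password_length": 16, "mfa": True, "enabled": True},
    {"user": "bob", "service": "email", "password_length": 10, "mfa": False, "enabled": True},
    {"user": "vendor-x", "service": "vpn", "password_length": 20, "mfa": True, "enabled": True, "contract_end": "2024-12-31"},
]
SAMPLE_DEVICES = [
    {"name": "LT-01", "type": "laptop", "disk_encrypted": True, "lock_timeout_s": 300, "last_patched": "2025-01-15"},
    {"name": "LT-02", "type": "laptop", "disk_encrypted": False, "lock_timeout_s": 1800, "last_patched": "2024-11-01"},
]
if __name__ == "__main__":
    for asset, problems in audit(SAMPLE_ACCOUNTS, SAMPLE_DEVICES, NOW).items():
        print(asset, "->", "; ".join(problems))
```

Feeding it a real asset inventory exported from your device-management or identity platform gives a repeatable compliance report to review alongside the annual policy re-sign.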
Staff Training: Policies Only Work If People Know About Them
Writing a policy and filing it away achieves nothing. Staff need to be aware of it, understand it, and sign to confirm they have read it. Best practice is to:
- Introduce the policy as part of onboarding for all new staff
- Require staff to re-read and re-sign the policy annually
- Run phishing simulation exercises at least twice a year
- Hold a short annual security awareness session — 30 minutes is enough to cover the basics
- Make the policy easy to find — it should not be buried in a shared drive folder nobody uses
Free training resources are available from the NCSC (National Cyber Security Centre) via their Cyber Aware programme, including e-learning modules suitable for non-technical staff.
How Long Should a Cyber Security Policy Be?
For most SMBs, a practical and enforceable cyber security policy will be 3–8 pages. It does not need to be an enterprise-level 40-page document. What matters is that it is clear, specific, and actually used.
Avoid the temptation to copy-paste a generic template without adapting it. A policy that references systems you do not use, or uses language your staff will not understand, will be ignored. Write it in plain English and tailor it to how your business actually operates.
Reviewing and Updating Your Policy
Cyber threats evolve constantly. A policy written in 2020 and never updated is likely to be missing guidance on cloud storage, AI tools, hybrid working, and modern ransomware tactics. Review and update your policy at least annually, and whenever there is a significant change to your business systems or working practices.
The review should be signed off by a director or senior manager — not left to IT alone. Cyber security is a board-level responsibility, and your policy should reflect that.
Where to Start
If your business does not have a cyber security policy, start with the NCSC’s Small Business Guide — it covers the five most important areas in straightforward language. The NCSC also provides a free Cyber Essentials self-assessment tool that will identify gaps in your current security posture.
For businesses that want external help, a certified Cyber Essentials assessor can work with you to build a policy that meets certification requirements. The cost of certification (from around £300 for Cyber Essentials basic) is modest compared to the average cost of a data breach, which Hiscox puts at over £25,000 for UK SMBs.