A cyber security policy is one of the most practical things your business can put in place today. Without one, your staff have no clear rules to follow, and if something goes wrong, there’s no agreed plan for dealing with it. This guide walks you through what a policy should include and how to build one from scratch.
Why So Many UK Businesses Still Don’t Have One
According to the National Cyber Security Centre, 1 in 2 small organisations in the UK suffer a cyber incident every year. That’s not a fringe risk. It happens to businesses of every size and sector, every single day.
Yet the government’s own Cyber Security Breaches Survey 2025/2026 found that only 52% of small businesses have a formal cyber security policy. That’s down from 59% the previous year. Nearly half of all small UK businesses have nothing written down at all.
Most owners assume a policy is complicated or time-consuming to put together. Others think it’s something only larger companies need. Neither is true. A clear, practical policy can be written in a few hours, and it could protect your business from serious damage.
What Is a Cyber Security Policy?
A cyber security policy is a written document that sets out the rules your business follows to protect its systems, data, and people from online threats. It tells your team what they can and can’t do, who’s responsible for security decisions, and what to do if something goes wrong.
It’s not a technical manual. It’s a set of plain-language guidelines that anyone in your business can understand and follow, whether they’re a new starter or a director.
What Your Policy Should Cover
There’s no single template that works for every business. But there are areas every UK business should address.
Passwords and Account Access
Set clear rules around how passwords are created and managed. Staff should use strong, unique passwords for every account, and a password manager makes this practical. Two-factor authentication (2FA) should be required across all business accounts, particularly email, cloud storage, and financial systems; where the service offers a choice, an authenticator app or hardware security key is a stronger second factor than a code sent by SMS. The Cyber Security Breaches Survey 2025/2026 found that only 47% of UK businesses require 2FA. That number needs to be higher.
Devices and Access Controls
Decide which devices are approved for business use and whether personal phones or laptops can access company systems. Not every member of staff needs access to every file or system. Your policy should restrict access to what each person genuinely needs for their role, and should say who grants that access, who reviews it, and how quickly it is removed when someone changes role or leaves.
Email and Phishing
Phishing remains the most common cyber threat facing UK businesses, experienced by 38% of businesses in the past year according to the Cyber Security Breaches Survey 2025/2026. Your policy should tell staff how to recognise a suspicious email, what to do if they receive one, and how to report it internally.
Software Updates
Outdated software is one of the most common ways attackers get into business systems. Your policy should state that all devices must have software kept up to date, that automatic updates should be turned on wherever possible, and that software the vendor no longer supports with security updates must be replaced or removed.
Data Handling
Where does your business store customer records, financial information, and other sensitive files? Your policy should set out how this data is stored, who can access it, and how it should be shared. This ties directly to your obligations under UK GDPR.
Incident Response
What happens when something goes wrong? Your policy needs a basic incident response plan: who to contact first, what steps to take, and when you need to report a breach to the Information Commissioner’s Office (ICO). Under UK GDPR, a personal data breach that is likely to pose a risk to the people affected must be reported to the ICO within 72 hours of your becoming aware of it, and every breach, reportable or not, must be recorded internally along with the decision you took.
Acceptable Use
What can your team do on company devices? This section should cover personal internet browsing, social media during work hours, software downloads, and the use of USB drives or external storage.
How to Write Your Cyber Security Policy
Step 1: List What You’re Protecting
Start by writing down your business’s key assets: customer data, financial records, emails, cloud accounts, devices, and the systems your business relies on day-to-day. You can’t protect what you haven’t identified.
Step 2: Think Through the Risks
Consider the threats your business realistically faces. Phishing is the most likely. But also think about weak passwords, lost or stolen laptops, and unauthorised access to shared files. A risk assessment doesn’t need to be lengthy. Just note the threat, how likely it is, and what the impact would be if it happened.
Step 3: Write the Rules in Plain English
Turn your risk assessment into clear, practical guidelines. If a sentence needs reading twice to make sense, rewrite it. The goal is a policy your team will actually follow because it’s written in language they understand.
Step 4: Get Sign-Off at Senior Level
Your policy needs backing from the top. The Cyber Security Breaches Survey 2025/2026 found that cyber security is a high priority for senior management in 72% of UK businesses. When leadership takes it seriously, staff follow. Have a director or senior manager formally sign off before the policy is shared.
Step 5: Brief Your Team
A policy nobody’s read is useless. Share it with your whole team and run a short session to walk through the key points. Make sure new starters receive a copy as part of their induction.
Step 6: Review It Every Year
Threats change. Your business changes. Your policy should be reviewed at least once a year, and whenever there’s a major shift in how you operate. Put a review date in the calendar now, before you forget.
What Happens Without a Policy?
Without a written policy, your staff have no agreed rules to follow. One person might share passwords over email. Another might use an unsecured personal device to access company files. A third might not know they’re supposed to report a suspicious email at all.
These aren’t theoretical risks. The Cyber Security Breaches Survey 2025/2026 found that staff errors and lack of awareness were recurring factors in breaches that caused real damage. A written policy won’t guarantee you’ll never be attacked, but it cuts your exposure and gives your business a better chance of containing any incident quickly.
When to Bring in Outside Help
Writing a cyber security policy is something most businesses can do themselves, using guidance from the NCSC’s small organisations guide to cyber security. Putting the right technical controls in place is a different matter.
If your business doesn’t have in-house IT expertise, a managed IT support provider can carry out a cyber security assessment, identify your biggest risks, and make sure the controls your policy describes are actually active. That means setting up 2FA, managing access rights, keeping software patched, and monitoring your systems so threats are spotted before they cause damage.
UK IT Services helps businesses across the UK put proper cyber security measures in place. If you need ongoing managed IT support to back your policy up with real protection, get in touch and we’ll talk through what your business needs.
Frequently Asked Questions
Is a cyber security policy a legal requirement for UK businesses?
There’s no specific law requiring a document called a “cyber security policy.” However, under UK GDPR (Article 32), organisations that handle personal data must take appropriate technical and organisational measures to protect it. A written policy is one of the key ways to show you’re meeting that obligation. The ICO can investigate and fine businesses that fail to protect personal data adequately.
How long should a cyber security policy be?
There’s no set length. A policy for a five-person business will look very different from one covering a team of 200. What matters is that it addresses the right areas clearly. Most small business policies run to between two and five pages. Long enough to be useful, short enough that people will read it.
Does a cyber security policy cover GDPR?
Your cyber security policy and your GDPR obligations overlap considerably. Your policy should address how personal data is stored, who can access it, and what to do in the event of a breach. But a cyber security policy alone doesn’t make you fully GDPR compliant. You’ll also need a privacy notice, data retention rules, and records of processing activities.
What’s the difference between a cyber security policy and an IT policy?
An IT policy covers how your team uses technology in general, including acceptable use, device rules, and software. A cyber security policy focuses specifically on protecting your business from threats and data breaches. In many smaller businesses, these are combined into a single document.
How do I get my team to take the policy seriously?
The two most effective things you can do are regular training and a clear lead from the top. When directors and managers treat cyber security as a priority, staff follow. Short training sessions, easy access to the policy, and clear reporting channels all help. Some businesses also include cyber security awareness in annual performance reviews.
The Bottom Line
Your cyber security policy doesn’t need to be perfect before you share it. A clear, practical document your staff can read and follow is worth far more than a polished policy sitting in a folder that nobody opens.
Start with the basics: passwords, device access, data handling, phishing awareness, and what to do if something goes wrong. Review it once a year. Update it when your business changes.
If you’d like professional help putting the right controls in place alongside your policy, UK IT Services provides cyber security support and IT support for small businesses across the UK. Get in touch to find out how we can help protect your business.
