Policies play an essential role in coporate governance – even for SMBs
One of the topics I’ve always been interested in is how we can uplift the resilience of Small and Medium Sized Businesses (SMBs). Whilst SMBs are the engine rooms of our economy, they typically have immature information security and fraud protection capabilities despite facing the same threats as large organisations. In fact, the 2020 Australian Cyber Security Centre (ACSC) survey showed that 65% of Australian SMBs surveyed spend less than A$999.00 on their security! It’s no wonder they fall victim to phishing, ransomware, data breaches and other exploits. Like having a good security culture, and tone from the top, policies are another essential.
OK, so the topic of policies can be quite dry – many of us don’t get excited by reading our company policies (some of us might even fall asleep), but they play a key role in setting expectations for staff, customers and suppliers. Corporate Governance is all about how businesses are organised, managed and governed, and comprises the principles, practices and structures that help inform decisions, operations, and conduct.
Policies are formal statements that outline guidelines, principles or rules governing the behaviour, actions and decisions of staff and management within an organisation. Whilst SMBs don’t need a comprehensive policy library like you would find in an ASX100 company, there are a few security policies which are essential.
What are the main security policies every SMB should have?
When it comes to security policies for small to medium-sized businesses (SMBs), there are several key ones that can make a significant impact – see below for details:
- Information Security Policy: This policy establishes guidelines for protecting sensitive information, data, and assets. It covers data classification, access controls, encryption, password standards, and safe data disposal.
- Acceptable Use Policy: This outlines how employees can use company resources like computers, networks, and the internet. It helps prevent misuse and establishes boundaries to ensure productive and secure usage.
- BYOD (Bring Your Own Device) Policy: As remote work becomes more common, this policy addresses the use of personal devices for work purposes. It should outline security requirements for these devices to ensure they don’t compromise sensitive data.
- Incident Management Policy: This policy should address what to do in relation to a broad range of incidents, such as cyberattacks, natural disasters, and equipment failures. It outlines how to respond promptly and effectively to minimise disruptions.
- Remote Work Policy: With the rise of remote work, this policy addresses the security measures needed for employees working outside the office. It should cover secure connections, data storage, and device security.
- Access Control Policy: This policy defines who has access to what data and systems. Implementing least privilege principles ensures that employees only have the access necessary for their roles.
Additional policies, covering topics such as physical security and vendor / third party security standards may also be appropriate, complementing your business’ employment, code of conduct, and other workplace policies.
Start as you mean to finish
When running any business, there is always so many things to do. Marketing, sales, customer engagement, product – the list goes on. Governance and Risk Management often take a bit of a back seat, especially in smaller organisations, and typically only become more important as organisations grow and management has time to focus on these issues. However, policies and risk management are one of those things that really needs to be considered earlier for three reasons:
- Policies – even simple ones – add value to a business by improving governance, ensuring staff adopt the desired behaviours, and improved management outcomes
- Provide clear and constistent advice to staff around BYOD and Remote Working – data loss and data breaches are becoming an increasingly common occurence, and remote working and BYOD arrangements are a key vulnerability. Whilst technical controls are available to mitigate some risks, a policy that clearly sets out what is expected of staff and in which circumstances is essential to manage risk.
- Well-governed suppliers are more attractive to buyers – due to their size, SMBs are unlikely to have robust supplier assurance programs which contractually oblige suppliers to meet certain standards, but they are likely to sell their products or services to larger companies. Having good governance and standards in place demonstrates a degree reliability, quality and integrity which suppliers can put faith in and might just win you that next contract!
- Australian Cyber Security Centre (2020). Australian Cyber Security Centre (ACSC) survey, https://www.cyber.gov.au/
- Australian Cyber Security Centre (2023). Small Business Cyber Security Guide, https://www.cyber.gov.au/
- Curwell, P. (2023). 6 steps to improving security and integrity culture in the workplace
- Curwell, P. (2022). Building your supplier integrity framework
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.