Network security
Hangaia tētahi kaupapahere haumarutanga tuihono mā tō pakihi

Create an online security policy for your business

All businesses should have an online security policy so your staff know how it fits into their work, and customers know how you protect their information.

6 min read

What it is

An online security policy should list all the things your business will do with regards to online security. All businesses should have one, no matter how big or small. It will help:

  • your team understand how online security fits into your day-to-day work
  • your customers know how you’ll look after the data they share with you.

You’ll need to create an internal version for your staff, and an external version for your customers.

  • An internal policy is more detailed than the external, and shouldn’t be available publicly. It explains what your internal processes are such as who does what in the team, and what they’re responsible for and may include sensitive information that you don’t want to make public, like password requirements.
  • The external policy is for your customers and should be available publicly like on your website. It can be more of a 'light touch' policy compared to the internal version. It’ll cover things like how you’ll treat your users’ data, and what you’ll do if something goes wrong.

Having an online security policy available on your website can also be helpful if someone finds a bug or vulnerability in the site. If they want to report it to you, it’ll let them know how to contact you and what you’ll do with their report.

The policy needs to be specific to your business, and based on the kind of services you provide. For example, if your customers provide you with personal information like their bank account details you need to think about what you’ll do to protect that data, and document it in your cyber security policy. 

Why it matters

Having a policy in place will mean that:

  • you’re prepared for questions about online security (from both your customers and your staff)
  • you and your staff will know who’s responsible for what
  • you’ll have identified the risks for your business, and defined mitigations for them
  • you’ll be ready in the event of a security incident.

What goes into your internal policy

Break your internal policy down into different areas.

Data

This should cover how you handle data safely and securely – both your business’s data and your customers’. Think about:

  • what information you need to collect
  • where you’ll store it (locally or in the cloud)
  • how to protect it, for example encrypting both data at-rest (when stored) and in-transit (when communicating) 
  • how often you’ll back it up, and who’s responsible for doing backups.

Backups for your business

Keeping business data safe with encryption

Systems

Identify what systems you have, and which ones are critical to your work. Consider:

  • setting some rules around updating, or patching, your systems how to make sure they’re done regularly and who’s responsible for making sure it happens
  • what systems your staff can use, including any cloud applications or software running inside your business’s network
  • how much access your staff need to your systems. They should only have the minimum level of access they need to do their job. This is what’s called the 'principle of least privilege'.

Patching advice for IT staff – CERT NZ

Principle of least privilege – CERT NZ

Security and protection

Security and protection covers how your staff and customers access your systems and data. It means thinking about:

  • how they can access your systems. For example, your staff may want to work remotely. They should do this by using secure tools, like VPN (virtual private network) with two-factor authentication (2FA)
  • how they authenticate themselves on your system, including your password policy and use of 2FA
  • what devices your staff can use at work – whether they can use personal devices for work, or if you’ll provide devices to them.

Create a password policy for your business

Protect your business with two-factor authentication (2FA)

People and users

Consider what is acceptable use of your business’s systems. How do you expect your staff and your customers to interact with them? Be clear about:

  • what their responsibilities are
  • what kind of things they should report to you
  • how you expect them to take ownership of their accounts and their devices.

Physical devices and systems

When you think about protecting your business’s devices and systems, make sure you cover both:

  • protection against loss – if something is stolen, and
  • protection against the environment – for example, if your business is flooded during a storm and your devices are water damaged.

You can set rules around how your staff can protect their devices against theft by defining guidelines for their use. For example, you can require all staff to:

  • have strong passwords on their devices
  • use device encryption
  • follow any rules about using devices outside the office.

Problems and incidents

You’ll need to define what you and your team will do when things go wrong. Set up logs to help monitor any unusual network events, and create an incident response plan to map out what you’ll do during, and after, a security incident. 

Set up logs and monitoring for your website

Online security risk assessments for business

What goes into your external policy

The external version of your policy should only give your customers an overview of each of these things. Don't reveal any sensitive business information in it, like details of the technology you use.

The external policy should:

  • explain how you’ll protect customer data. This could mean making sure you encrypt their data, back up their data, and define how long you’ll hold it for
  • include making a security policy that’s available for them to view on your website, for example. CERT NZ’s privacy and information statement includes details of our security policy. It’s a useful example of how you can show this kind of information on your website
  • show how you’ll receive and manage any customer information securely – for example, by collecting information over HTTPS, and keeping it encrypted when you store it in the database
  • describe how you’ll notify your customers of any problems that could affect them
  • have a way for people to notify you of security problems. This could be used by customers when they notice bugs in your systems.

Own Your Online privacy and information statement

Implementing your cyber security policy

Don't just create a policy then never look at it again. Embed your security policies into:

  • your day-to-day work
  • the culture of your company
  • how you manage your staff, and
  • how you treat your customers.

That means you’ll need to instil the principles behind the policy in your staff too. Let them know they can ask questions about it, so they understand:

  • the risks you face as a business, and
  • the reasoning behind the policy decisions you’ve made.

If you need some help putting a cyber security policy together for your business, talk to your IT service provider. They can work through what to cover in the policy with you.