Cyber security services in Australia

In today’s interconnected world, strong cybersecurity is not just for large corporations. Small to medium-sized businesses (SMBs) are increasingly targeted by cybercriminals, making robust cybersecurity policies for SMBs absolutely essential. Without clear guidelines, your business is vulnerable. This guide will walk you through the crucial policies needed to establish a secure digital environment, safeguarding your assets and reputation.

Why Are Cybersecurity Policies Important?

Cybersecurity policies act as the backbone of your organisation’s defence strategy. They define acceptable behaviour, outline protective measures, and establish clear procedures for responding to security incidents. Think of them as your business’s digital rulebook, ensuring everyone understands their role in maintaining a secure workspace.

Recent statistics from the Australian Cyber Security Centre (ACSC) highlight the pressing need for strong cyber hygiene. In FY2023-24, the ACSC responded to over 1,100 cyber security incidents, with over 87,400 cybercrime reports received. The average self-reported cost of cybercrime for small businesses increased by 8% to $49,600, while medium businesses saw an average cost of $62,800. These figures underscore the significant financial and operational impact cyber incidents can have, especially on SMBs. Phishing, exploitation of public-facing applications, and brute-force activity were among the most common activity types leading to incidents in critical infrastructure. The Qantas data breach in July 2025, where customer booking details were exposed through a third-party platform, and the Marks & Spencer ransomware attack in April 2025, which reportedly originated through their IT helpdesk provider TCS, serve as stark reminders of how quickly a single vulnerability can escalate into a major crisis.

Aligning with a Cybersecurity Framework: SMB1001

To effectively implement cybersecurity policies for SMBs, it’s smart to align with a recognised framework. For small to medium-sized organisations, the SMB1001 framework is an excellent choice. This multi-tiered standard, developed by Dynamic Standards International (DSI), removes the complexity often associated with larger enterprise frameworks. It offers a practical, cost-effective, and scalable solution that addresses the unique challenges faced by SMBs, including budget and resource constraints.

The SMB1001 framework has five tiers: Bronze, Silver, Gold, Platinum, and Diamond. For most SMBs, achieving SMB Gold certification covers the majority of necessary policies, providing a strong foundation for a secure workspace.

Essential Cybersecurity Policies for SMB (SMB Gold Aligned)

Implementing these policies is a critical step towards enhancing your organisation’s cyber resilience.

  • Cybersecurity Policy: This overarching policy defines your organisation’s commitment to cybersecurity, outlines roles and responsibilities, and sets the general principles for protecting information assets. It ensures a unified approach to security across the business.
  • Firewall Policy: This policy dictates the rules for network traffic, ensuring only authorised communication can enter or leave your network. It acts as a crucial barrier against external threats. Properly configured firewalls block malicious attempts, protecting your internal systems from unauthorised access.
  • Antivirus/Anti-Malware Policy: Every device used for business, including personal devices accessing company resources, must have up-to-date antivirus software. This policy ensures continuous scanning for and removal of malicious software like viruses, worms, and Trojans, which can compromise data and system integrity. Automatic updates are vital to combat emerging threats.
  • Software Update and Patch Management Policy: Regular software updates and patches are non-negotiable. This policy mandates that all operating systems, applications, and firmware are updated promptly to fix known vulnerabilities. Cybercriminals often exploit unpatched software, making timely updates a priority. Critical updates should be applied within 14 days.
  • Password Policy: Strong, unique passwords are your first line of defence. This policy requires employees to use complex passwords or passphrases that are regularly changed (at least annually). It also discourages password reuse across multiple platforms and recommends the use of a password manager for secure storage.
  • Access Control Policy: This policy defines who can access what information and systems. It ensures that employees only have access to the data necessary for their role, following the principle of least privilege. Unique usernames and passwords for each employee enhance accountability.
  • Multi-Factor Authentication (MFA) Policy: MFA adds an extra layer of security beyond just a password. This policy mandates MFA for all email accounts, business applications, cloud services, and any systems storing critical data. MFA significantly reduces the risk of unauthorised access, even if a password is compromised.
  • Backup and Recovery Policy: Data loss can be catastrophic. This policy outlines a comprehensive strategy for regularly backing up critical data and systems. It includes details on backup frequency (at least weekly), retention periods (minimum six months), and procedures for testing data recovery. Regular testing ensures you can restore operations quickly after an incident.
  • Confidentiality Agreement Policy: All employees should sign confidentiality agreements before commencing work. This policy establishes legal obligations regarding the protection of sensitive company and client information. It helps to prevent data leaks, whether accidental or malicious.
  • Incident Response Plan Policy: A robust incident response plan is crucial for minimising the damage from a cyberattack. This policy details the steps to take when a security incident occurs, including identification, containment, eradication, recovery, and post-incident analysis. It should include contact details for key personnel and relevant authorities like the Australian Federal Police.
  • Physical Security Policy: While digital policies are vital, physical security also plays a role. This policy covers measures to protect physical assets, such as restricted area access, visitor registers, and secure destruction of physical documents containing sensitive information.
  • Digital Asset Register Policy: Maintaining an accurate digital asset register is essential for effective cybersecurity. This policy requires a comprehensive record of all data locations, access permissions, and an annual audit to ensure its accuracy. Knowing where your sensitive data resides is the first step in protecting it.
  • Cybersecurity Awareness Training Policy: Technology alone isn’t enough. Human error remains a significant vulnerability. This policy mandates regular cybersecurity awareness training for all employees, covering common threats like phishing, social engineering, and the importance of reporting suspicious activity. Continuous training builds a strong security culture.
  • Policy to Prevent Invoice Fraud: Business Email Compromise (BEC) and invoice fraud are prevalent threats. This policy outlines procedures to verify payment requests and changes to banking details, helping to prevent financial losses due to fraudulent activities.
  • Invoice Use for Technology Policy: This specific policy ensures that all technology-related invoices and procurement processes adhere to strict security protocols. It helps prevent fraudulent tech-related purchases or services that could introduce vulnerabilities.

Combating Phishing: A Top Priority

Phishing remains the most common entry point for cyber breaches, with over 90% starting from a malicious email. Therefore, your efforts here should be relentless.

Your cyber awareness training must extensively cover all common phishing attacks, including:

  • Spear Phishing: Highly targeted attacks aimed at specific individuals, often using personal information to appear legitimate.
  • Whaling: A form of spear phishing targeting high-profile individuals like CEOs or executives.
  • Smishing (SMS Phishing): Phishing attempts delivered via text messages, often containing malicious links.
  • Vishing (Voice Phishing): Phishing attempts conducted over phone calls, where attackers try to trick victims into revealing sensitive information.
  • Clone Phishing: Attackers create a near-identical copy of a legitimate, previously delivered email, but with a malicious link or attachment.
  • Evil Twin Phishing: Setting up a fake Wi-Fi access point that mimics a legitimate one to intercept data.
  • QR Code Phishing (Quishing): A rapidly growing threat. Attackers embed malicious QR codes in emails or physical locations. When scanned, these codes redirect users to fake login pages or download malware. QR code phishing attacks surged by 51% in September 2023, with 26% of malicious links in email phishing campaigns using QR codes. Since images often bypass Secure Email Gateways, this method is increasingly popular.
  • Image-Based Phishing: Entire phishing emails can be embedded as a single image. This technique is used to bypass email filters that scan for malicious links or keywords in text. Users might click on the image, unaware it’s a clickable malicious link or leads to a fake login page.
  • E-Signature Impersonation: This is becoming incredibly popular. Attackers spoof trusted e-signature services like DocuSign or Adobe Sign, sending emails with urgent requests to “review this document” or “sign here.” These links lead to fake login pages designed to steal credentials. Always verify the sender and the URL before clicking on any e-signature request.

It’s a best practice to constantly test your team with ongoing phishing simulations. This practical approach helps employees recognise and report suspicious emails, reinforcing their training. You can find more information about how such simulations contribute to cybersecurity certification at https://sentry.cy/2025/05/29/smb1001-cybersecurity-certification/.

Understanding Your Risks: Cyber Risk Assessments

Once policies are in place, understanding the scope of your risks becomes crucial. You can arrange a comprehensive cyber risk assessment or begin with a smaller one that identifies the more obvious surface risks. This process helps you pinpoint vulnerabilities and prioritise your security efforts. We offer a “tip of the iceberg” complimentary workshop where we work with our clients to identify these initial risks. Learn more about it at https://sentry.cy/security-assessment/complementary_cyber_security_workshop/.

Building a Strong Cyber Security Culture

Policies are only as good as their implementation. To ensure these cybersecurity policies for SMBs are followed and kept up to date, you must foster a strong cybersecurity culture within your business.

Here are some ideas:

  • Regular, Engaging Training: Go beyond annual training. Short, frequent, and interactive sessions keep cybersecurity top of mind. Use real-world examples and make it relevant to employees’ daily tasks. Gamification or competitive elements can also boost engagement.
  • Lead by Example: Management must demonstrate a commitment to cybersecurity. When leaders follow policies and champion security, employees are more likely to do the same.
  • Clear Communication: Explain the “why” behind policies, not just the “what.” Help employees understand how their actions contribute to overall security. Use accessible language, avoiding technical jargon.
  • Empower Reporting with Technology: Implement a Secure Email Gateway (SEG) like IronScales. While IronScales boasts a high stop rate, if a malicious email does get past its filters, staff have a simple “Report Phishing” button. When an employee reports a phishing attempt, IronScales can automatically remove that malicious email from everyone else’s inbox in real time. This significantly reduces the threat’s impact and strengthens collective security. Staff should be rewarded for reporting phishing emails, whether real or from simulations, as they are actively contributing to enhanced security. IronScales’ phishing simulation testing also encourages staff to report these emails, further reinforcing good habits.
  • Celebrate Successes: Acknowledge and reward individuals or teams who demonstrate excellent cyber hygiene or identify potential threats.
  • Policy Accessibility: Where is the best place for these policies to live? Ideally, they should be easily accessible to all employees. A dedicated section on your company’s intranet or a shared document repository (like Google Drive or SharePoint) is better than burying them in an HR system. HR systems might be suitable for acknowledging policy receipt, but the policies themselves should be readily available for quick reference. Regular reminders about where to find them are also beneficial.

Bonus Policy: Protecting Against Supply Chain Threats (Especially Your MSP)

One policy often overlooked, which your Managed Service Provider (MSP) might not explicitly tell you, is a policy to protect your business from supply chain threats, particularly your MSP. Recent incidents, like the Qantas data breach (July 2025), which involved a third-party platform, and the Marks & Spencer ransomware attack (April 2025), which affected them through their MSP, Tata Consultancy Services (TCS), highlight this critical vulnerability. MSPs often have extensive access to their clients’ systems, making them attractive targets for cybercriminals.

You need a policy that protects you from your MSP, including:

  • “Just-in-Time Access”: Implement a policy where your MSP’s access to your systems is granted only when needed and for a limited duration. For instance, for clients we manage on Google Workspace, we implement just-in-time access, meaning their access is temporary and requires specific approval for each session.
  • End-User Acceptance for Remote Login: Require end-users to accept or approve remote login attempts by your MSP before they can access a device. This adds a crucial layer of oversight.
  • Regular Audits of MSP Security Practices: Your policy should mandate periodic security audits of your MSP’s own cyber hygiene and compliance with your security requirements.
  • Clear Incident Response Collaboration: Define how your MSP will communicate and collaborate with you during a security incident on their end that might impact your systems.
  • Third-Party Risk Assessment: Include your MSP in your regular third-party risk assessments, evaluating their security posture as you would any other critical vendor.

By proactively addressing supply chain risks, especially those related to your MSP, you significantly reduce your overall cyber exposure.
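The just-in-time access arrangement described in the first bullet above, as an added Python example that is not part of this post or of any MSP’s tooling: a small grant registry in which MSP access exists only after approval by someone other than the requester, expires automatically after a policy-capped session length, can be revoked early, and leaves an audit trail for the periodic reviews the policy calls for. The system label `google-workspace-admin`, the account `msp-tech` and the ticket reference are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

T0 = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time

def hours(n: float) -> timedelta:
    return timedelta(hours=n)

@dataclass
class Grant:
    requester: str                      # MSP technician or service account
    system: str                         # constructed label, e.g. "google-workspace-admin"
    reason: str                         # ticket or change reference from the MSP
    approved_by: Optional[str] = None   # unset until someone on your side approves
    expires_at: Optional[datetime] = None
    revoked: bool = False

class JitAccessRegistry:
    """Access exists only after approval, carries a hard expiry and can be cut short."""
    def __init__(self, max_ttl: timedelta = hours(4)) -> None:
        self.max_ttl = max_ttl          # policy cap on the length of one session
        self.grants: Dict[int, Grant] = {}
        self.audit: List[tuple] = []    # (when, event, grant id, actor)
        self._next_id = 1

    def request(self, requester: str, system: str, reason: str, now: datetime) -> int:
        gid = self._next_id
        self._next_id += 1
        self.grants[gid] = Grant(requester, system, reason)
        self.audit.append((now, "requested", gid, requester))
        return gid

    def approve(self, gid: int, approver: str, ttl: timedelta, now: datetime) -> None:
        grant = self.grants[gid]
        if approver == grant.requester:
            raise PermissionError("requester may not approve their own access")
        if ttl > self.max_ttl:
            raise ValueError(f"session of {ttl} exceeds policy maximum {self.max_ttl}")
        grant.approved_by = approver
        grant.expires_at = now + ttl    # expiry is automatic; nobody has to remember
        self.audit.append((now, "approved", gid, approver))

    def revoke(self, gid: int, actor: str, now: datetime) -> None:
        self.grants[gid].revoked = True  # early end: task finished or incident declared
        self.audit.append((now, "revoked", gid, actor))

    def has_access(self, requester: str, system: str, now: datetime) -> bool:
        # Evaluated at access time: approved, not revoked and not yet expired.
        return any(
            g.requester == requester and g.system == system
            and g.approved_by is not None and not g.revoked
            and g.expires_at is not None and now < g.expires_at
            for g in self.grants.values()
        )
```

The same check belongs wherever the MSP actually connects (the identity provider’s conditional access, a remote-support tool’s approval prompt); the registry above only shows the decision logic and the evidence it leaves behind.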

Conclusion

Establishing robust cybersecurity policies for SMBs is no longer optional; it’s a fundamental requirement for business continuity and success. By adopting a framework like SMB1001 Gold, implementing essential policies, prioritising phishing awareness (including new threats like QR code and image-based phishing, and e-signature impersonation), understanding your risks, and building a strong cyber-aware culture, you can create a secure workspace. Remember, cybersecurity is an ongoing journey, not a destination. Regularly review and update your policies to stay ahead of evolving threats and protect your valuable digital assets.

Ready to strengthen your cybersecurity posture? Contact us today if you require any help with policy creation or review. We perform this work often as part of our SMB1001 implementation packages.

FAQ

Q1: What does SMB stand for in cybersecurity?

A1: SMB stands for Small to Medium-sized Business. In cybersecurity, it refers to organisations that typically have fewer resources and less dedicated IT staff than large enterprises, which makes them attractive targets for cybercriminals.

Q2: Why are phishing simulations important for employees?

A2: Phishing simulations are crucial because they provide practical, real-world training that helps employees recognise and respond appropriately to malicious emails. This hands-on experience reinforces theoretical knowledge and significantly reduces the likelihood of employees falling victim to actual phishing attacks.

Q3: What is “Just-in-Time Access” in the context of MSPs?

A3: Just-in-Time Access is a security principle where an MSP’s access to your systems is granted only when specifically needed for a task and is automatically revoked after a set period or when the task is completed. This minimises the window of opportunity for attackers if the MSP’s credentials are compromised.

Q4: How often should cybersecurity policies be reviewed and updated?

A4: Cybersecurity policies should be reviewed and updated regularly, ideally at least annually, or whenever there are significant changes to your business operations, technology, or the threat landscape. This ensures they remain relevant and effective against emerging cyber threats.

Q5: Can an SMB achieve cybersecurity compliance without a large IT team?

A5: Yes, frameworks like SMB1001 are specifically designed for SMBs with limited IT resources. They offer a tiered approach that allows businesses to gradually improve their security posture in a manageable and cost-effective way, often with the support of external cybersecurity specialists or MSPs.