
Many businesses today have some online or digital element to their trade. Customers may place orders online for delivery from your brick-and-mortar store, or your business may operate solely online. Regardless of how your business uses digital systems, you should have a cybersecurity policy that governs how those systems are used. Explaining to staff how you intend to protect the business against cyber threats is an effective pre-emptive measure: it reduces the likelihood and impact of an attack and helps you avoid legal exposure later, for example if customer data is lost. This article explains what cybersecurity may look like for your business and how you can set it out in a cybersecurity policy.

What Does Cybersecurity Look Like for My Business?

Cybersecurity refers to how you protect your business against unauthorised access to your digital systems and cyber threats. How your business secures itself against digital threats will be unique to your specific set of circumstances.

For example, if your online business deals with sensitive customer financial data, you would take more steps to protect it than if your website just displayed product listings.

Common Security Threats

Common security threats that your business may need to protect against include:

  • data breaches, where your business’ private information (customer records, financial details, credentials) is accessed by or disclosed to someone who is not authorised to have it;
  • malware, the general term for malicious software (viruses, trojans, spyware and similar) that damages, spies on or takes control of your systems;
  • ransomware, a type of malware that encrypts your data or locks you out of your systems and demands payment to restore access;
  • denial of service (DoS) attacks, which flood your website or online systems with traffic or requests so that customers and staff cannot use them;
  • insider threats, where a current or former employee, contractor or partner misuses their legitimate access, whether deliberately or by accident;
  • phishing scams, where an attacker sends fake emails, messages or websites (often impersonating your business or a trusted supplier) to trick customers or staff into handing over passwords, payment details or money; or
  • spear phishing, a targeted form of phishing aimed at specific staff members, using details about your business to make the fake message convincing.

There is no perfect way to protect your business from a cybersecurity breach. However, you can implement measures to reduce risk and make a successful attack less likely.

Why Does My Business Need a Cybersecurity Policy?

When it comes to cybersecurity, it is generally better to put digital precautions in place sooner rather than later. Planning a cybersecurity policy is far easier than dealing with the fallout of a cyber attack or data breach with no plan in place. Recovering from an attack can be expensive and time-consuming, so taking steps early on to protect your business is a sound investment.

Before drafting your cybersecurity policy, you should conduct a cybersecurity risk assessment of your business. This identifies what you need to protect (systems, data and accounts), the threats to each, and the weak points in your digital presence. Your cybersecurity policy can then set out how staff should deal with those weak points and what controls you have put in place to mitigate the risks.

A cybersecurity policy is also useful because it gives staff a clear outline of how to operate securely in their day-to-day work. Employee mistakes, such as clicking a phishing link or reusing a password, can inadvertently cause security breaches, and you can reduce this risk by raising employee awareness of cybersecurity. If your employees predominantly operate online, you should consider making cybersecurity part of their training. Review the policy regularly so it keeps pace with new technologies and new threats.

Key Terms to Include in Your Cybersecurity Policy

Handling Sensitive Data

Your cybersecurity policy should identify:

  • what confidential data your business systems hold, why you need it and how you collect it;
  • where you store this data, who can access it, and how regularly you back it up (and test that the backups can be restored);
  • how you protect the data, e.g. through encryption when it is stored and when it is sent over the internet, and through strong, unique passwords on the accounts that can access it.

System Access and Use

You should also:

  • detail which systems employees have access to and how they access them, e.g. whether they need to use a VPN for remote access, and ensure each person has only the access their role requires; and
  • lay out rules for using your business’ digital systems.


The policy must:

  • cover how your data and systems are protected, e.g. two-factor authentication on email and other important accounts; and
  • let staff know how they can operate securely and how to report a suspected security incident or threat to you promptly.


You need to develop:

  • rules for how staff use both their personal devices and work devices for business purposes; and
  • plans outlining what happens if physical devices, like hard drives, phones or laptops, are lost, stolen or damaged, including how to revoke their access and recover the data from backups.

Incident Response

You should:

  • develop an incident response plan for dealing with security breaches, covering how to contain the incident, who to notify (including any notification obligations you have under privacy law) and how to restore normal operations; and
  • outline for staff what their responsibilities are as part of this response.

External Policy

You must:

  • let customers know how you will protect them and their data online;
  • provide a way for them to report any security vulnerabilities they notice; and
  • make sure not to reveal sensitive business information, such as the specific software and versions you use, which an attacker could use to target you.

Key Takeaways

As more and more businesses have an online element to their activities, it becomes increasingly vital to have a cybersecurity policy. It details how you plan to protect your business against digital threats and data breaches, and lets your staff know their role in this plan. If you would like more information or help with your cybersecurity policy, contact LegalVision’s New Zealand IT lawyers on 0800 005 570 or fill out the form on this page.


What does cybersecurity mean?

Cybersecurity refers to the way you protect your business against digital attacks and security breaches. You can do this by encrypting your data or having adequate firewall protection.

What is a cybersecurity policy?

A cybersecurity policy is a document that outlines how your business plans to protect itself against online threats and data breaches. It identifies areas of digital risk in your business and details how your business mitigates those risk areas.

What should a cybersecurity policy include?

A cybersecurity policy should outline how you intend to protect your business against digital threats. This includes: how you protect your data and digital systems; how your employees use your systems securely; and an incident response plan for when something goes wrong.

Do I need a cybersecurity policy?

If your business has an online presence, it is a good idea to have a cybersecurity policy, both for your staff and your customers. It lets your team know what they need to do to reduce digital risk and it shows customers that you care about protecting their personal data.
