Policies That Actually Get Read: Making Security Rules Short, Clear, and Enforceable.

Most Irish SME security policies are too long, too technical, and never read. Here is how to write policies that staff actually understand and follow.

A Letterkenny professional services firm had a 34-page information security policy. It had been downloaded from a template website, lightly edited by their IT provider, approved at a board meeting three years ago, and stored in a SharePoint folder that most staff did not know existed. Zero staff members had read it. One member of staff, when asked, did not know the company had a security policy.

This is the norm, not the exception. The policy existed for compliance purposes. It served no operational purpose whatsoever.

A security policy that is not read, understood, and followed by staff is not a policy. It is a document. The distinction matters when an incident occurs and the business tries to establish what its obligations were.


Why Most Security Policies Fail

Security policies fail for predictable reasons. They are too long — 20 or 30 pages of technical requirements that were never written for the people who need to follow them. They are too technical — written by IT providers or compliance consultants in language that is impenetrable to non-technical staff. They are not integrated into normal working life — read once during induction, never mentioned again. And they are not enforced — there are no consequences for non-compliance and no process for checking whether they are followed.

The result is a policy that provides compliance evidence but no behaviour change. The business can point to the existence of the policy. The behaviour the policy is supposed to create does not exist.


What a Useful Policy Looks Like

Short. One to three pages for most policies. If a policy cannot be summarised in one page, it is probably covering too much ground. Separate long multi-topic policies into short, focused single-topic policies. An acceptable use policy is one document. A remote working policy is another. A payment security policy is a third.

Plain English. Written at the reading level of the least technical person who needs to follow it. If it contains the words "cryptographic," "exfiltration," or "threat vector," it needs to be rewritten. If a staff member who is not in IT reads it and does not understand what they are supposed to do, it has failed.

Specific. "Be careful with sensitive data" is not a policy. "Do not share documents containing personal data by email attachment — use our SharePoint sharing link instead" is a policy. The more specific the instruction, the more likely it is to be followed and the more clearly it establishes what the expectation was.

Actionable. Every policy should contain a small number of specific actions that the reader will take. Not descriptions of principles — specific things to do: "Before clicking a link in an email you did not expect, call the sender on a known number to verify." "Never change a bank account based solely on an email instruction."

Would your current security policy be understood and followed by your newest, least technical member of staff? If not, it is not reaching the people most likely to be targeted by social engineering. Book a free 20-minute strategy call — we write security policies for Irish SMEs that staff actually read.


The Core Policies Every Irish SME Needs

Acceptable Use Policy. One page. What staff can and cannot use company devices and systems for. Covers personal use boundaries, prohibited websites and software, and the consequences of violations.

Password and Authentication Policy. One page. Minimum password length, requirement for unique passwords managed through a password manager, MFA requirement for all accounts, prohibition on sharing credentials.

Remote Working Policy. One page. VPN requirement for access to internal systems, prohibition on using public Wi-Fi without VPN, physical security requirements (lock screen, no leaving devices unattended), and acceptable devices for corporate access.

Payment Security Policy. One page. The specific rules that govern payment processing — dual authorisation threshold, call-back verification for bank changes, prohibition on acting on email-only payment instructions.

Data Handling Policy. One page. How data is stored, shared, and disposed of. Specific prohibitions: no personal data in WhatsApp, no client documents in personal cloud storage, required use of company-approved file sharing methods.

Each of these can be a single page. Each should be written in plain English. Each should be part of induction for new staff and referenced in annual security awareness briefings.


Making Policies Enforceable

A policy is only enforceable if staff know it exists, have confirmed they have read it, and understand the consequences of non-compliance. Three practical measures:

Signed acknowledgement at induction. New staff sign a brief form confirming they have read the core policies. This creates a record and establishes accountability from day one.

Annual refresh. Core policies are reconfirmed annually — a brief team meeting or a short email that references any updates and asks for confirmation of continued understanding.

Proportionate, consistent consequences. Policy violations should be addressed consistently. A staff member who shares client data via WhatsApp should receive the same response as any other policy violation of similar severity — documented, addressed in supervision, and remedied. This consistency is what makes policies real rather than decorative.


What Next

  1. Audit your current security policies. How many exist? When were they last updated? What percentage of your staff have read them?

  2. Rewrite your most critical policy — the payment security policy — in one page of plain English. Use the principles above. Test it by asking a non-technical staff member to read it and explain it back.

  3. Build policy acknowledgement into your induction process. New staff read and sign three to five core policies on their first day. It takes 20 minutes. It creates accountability from the start.


Ready to find out exactly where your business stands? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.