How to Write a Cybersecurity Policy Your Staff Will Actually Read

Most Irish SME cybersecurity policies are never read. Here is how to write one that staff understand, remember, and actually follow — with a simple template.

When a Donegal retail business suffered a BEC fraud attack, the first question investigators asked was whether the firm had a security policy. It did — a seventeen-page document downloaded from a template site, last updated in 2022, stored in a shared drive folder called "Admin — Misc." Nobody on the team had read it. Nobody knew the payment verification procedure it supposedly contained. Nobody had ever been told it existed.

A cybersecurity policy that nobody reads is a policy that protects nobody. Yet most Irish SMEs approach their security policy the same way: a compliance document produced to satisfy an insurance requirement, filed away, and never seen again. This article explains how to write one that actually works.

The Problem: Policies Built for Compliance, Not People

Many Irish SMEs create cybersecurity policies not to protect their business, but to tick a box for compliance or insurance purposes. These documents often run to dozens of pages, filled with technical jargon and legalistic phrasing. They are rarely updated, poorly communicated, and almost never enforced in a way that encourages genuine behavioural change.

The average employee spends less than five minutes reviewing their company's cybersecurity policy annually — if they review it at all. This creates a dangerous gap between the theoretical protection the policy offers and the practical reality of daily operations. In a world where cyber threats evolve daily, an unread policy is as good as no policy at all. The Central Bank of Ireland has noted that inadequate staff awareness of security procedures is a recurring factor in financial sector incidents[^1].

When staff do not understand or follow security protocols, they become unwitting entry points for cybercriminals. Phishing attacks, malware infections, and data leaks become more likely. For a small business in Sligo or Letterkenny, a single breach could mean significant financial losses and serious damage to customer trust.

The Solution: One Page, Plain English, Three Rules

The secret to a policy your staff will actually read is simplicity. Your cybersecurity policy should be one page long, written in plain English, and focused on three core, actionable rules. This approach transforms a daunting compliance document into an accessible guide, making security a shared responsibility rather than an IT burden.

The three rules every Irish SME policy should contain are these.

  1. Use strong, unique passwords and Multi-Factor Authentication. Explain why this is crucial — it prevents account takeover — and how to do it: use a password manager and enable MFA on all accounts. This is the digital equivalent of locking your front door.

  2. Report suspicious emails and unusual activity immediately. Tell staff what to look for — unexpected attachments, urgent payment requests, emails asking you to bypass a process — and who to report it to. Make clear there is no penalty for a false alarm.

  3. Lock your screen when away from your desk. A simple, highly effective physical security measure. On Windows: Windows Key + L. On Mac: Cmd + Ctrl + Q. It protects your workspace the same way you lock your office when you leave for the day.

By focusing on three high-impact rules, you cut through the noise and provide clear, memorable directives that staff can actually follow.

A One-Page Policy Template

Here is a structure for a one-page cybersecurity policy you can adapt for your business. It is designed to be printed, displayed, and understood by all employees — from the newest team member to the most senior manager.

| Section | Content |
| --- | --- |
| Our Commitment | We protect our data and our clients' data. Your role is vital. |
| Three Golden Rules | 1. Use strong passwords and MFA. 2. Report suspicious emails immediately. 3. Lock your screen when you step away. |
| Why This Matters | Protects against fraud, data loss, and reputational damage. Keeps our business secure. |
| If Something Happens | Contact [Designated Contact] immediately. Do not try to fix it yourself first. |
| Training and Support | Regular training is provided. Ask questions. We are here to help. |
| Policy Review | This policy is reviewed annually. Last reviewed: [Date]. |

The goal is to make security an intuitive part of daily work, not an afterthought. A policy that is simple to understand is a policy that is simple to follow.

Communication and Enforcement

Writing a simple policy is only half the battle. Communicating it effectively and enforcing it fairly are equally crucial. Do not simply email it out and expect it to be absorbed. Hold a brief, mandatory meeting where you discuss each of the three rules, explain their importance in business terms, and answer questions. Make it interactive. Encourage the team to ask what they would do in specific scenarios.

The NCSC Ireland recommends that security awareness training be treated as an ongoing programme rather than a one-off event — because the threats and the tactics attackers use change constantly[^2].

Enforcement should be about education and prevention, not just punishment. When an employee makes a mistake — clicking a suspicious link, sharing a password — use it as a learning opportunity rather than a disciplinary one. Provide constructive feedback and additional training. Clear boundaries are still necessary, and a transparent process for repeated or serious breaches should be communicated upfront. The goal is a security-conscious culture where everyone understands their role in protecting the business.

An Garda Síochána's National Cyber Crime Bureau reports that the majority of successful cyberattacks against Irish businesses involve a human element — an employee who clicked something, shared something, or failed to follow a procedure[^3]. The single most effective protection against this is a workforce that understands what to do and why.

What Next

  1. Draft your one-page policy this week. Use the template above as your starting point. Adapt the language to fit your business, name the designated contact for reporting, and set a review date. Getting it to one page will force you to focus on what actually matters.

  2. Run a 30-minute staff briefing within the month. Walk the team through the three rules. Use a real example — a phishing email your business has received, or a news story about a local business that was hit. Concrete examples make abstract rules real.

  3. Review and update annually. Schedule the next policy review date now and put it in your calendar. A policy that is reviewed and kept current signals to staff — and to regulators — that your business takes security seriously as an ongoing commitment, not a one-time exercise.

Related Reading

[^1]: NCSC Ireland — Advice for Organisations
[^2]: Data Protection Commission Ireland
[^3]: An Garda Síochána — Cyber Crime

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.