Seven Must-Know Cybersecurity Policies

December 28, 2022

Contributors: Paul Kennedy, CISSP, CISA, VCISO

Organizations benefit from thoughtful, comprehensive policies. For instance, well-defined human resources policies contribute greatly to organizational culture. Likewise, airtight legal policies offer guidance, compliance, and protection.

One problem, however, is that navigating the complexities, defining compliance requirements, and then writing strong organizational policies takes a lot of time and can prove daunting. Still, it’s worth the effort, particularly when it comes to cybersecurity. To put a dollar figure on it, a recent industry study found that breaches at organizations with an incident response plan and team in place cost $3.25 million on average, versus $5.71 million on average where neither was in place, a gap of $2.46 million.i So, a well-designed incident response policy is worth almost $2.5 million, on average.

It all starts with people. The single most effective tool in creating, implementing, and sustaining strong policies is educating your people. With cybersecurity policies in place, you’re providing a common language that can be understood and transferred to others, which is crucial for business continuity and disaster recovery. Without written policies and buy-in on them, organizational knowledge can erode, and productivity can decrease. In fact, according to one report, 42% of the skills and expertise needed to capably perform a job are known only by the person currently in that position.ii That means when someone leaves your organization, 42% of the knowledge required to do the role they just left leaves, too.

In other words, the remaining team won’t be able to do 42% of the recently departed person’s work, and a new hire will need to learn 42% of the job from scratch.iii That means your organization will likely lose some productivity.

Lack of Cybersecurity Policies = Trouble

Without transferable, repeatable cybersecurity policies in place, key knowledge behind your cyber defenses could walk out the door for a new job. Similarly, how would new team members know what was happening without thorough documentation? Policies provide a set of oversight mechanisms and controls that define how the IT and business teams go about their day-to-day operations.

A best practice is to give cybersecurity controls and related policies some independence from IT. That’s because people, including your IT team, are both risks and assets when it comes to cybersecurity.

For example, attackers often get into an organization through a person first, via phishing or social engineering. Sound policies and organizational buy-in around them can keep your people vigilant, helping strengthen your organization’s overall defenses.

Creating Your Policies

As you prepare to create your cybersecurity policies, you’ve likely captured a lot of information about your organization’s environment, including the security controls in place. The next step is to take that information to develop comprehensive cybersecurity policies for your entire organization. This can include:

  1. GOVERNANCE STRATEGY AND CYBERSECURITY PROGRAM (CYBERSECURITY POLICY) – Guide your cybersecurity program by identifying leadership, how much risk you will accept, and the key areas of your cybersecurity program.
  2. DATA MANAGEMENT AND PROTECTION STRATEGY – Identify the assets that matter to your organization and the security in place for each, including who should have access, backups, and other key safeguards.
  3. RISK ASSESSMENT – Identify which assets are most critical so you can prioritize where to deploy protections.
  4. INCIDENT RESPONSE PLAN – Make sure you have a plan for how the organization responds when you are attacked.
  5. BUSINESS CONTINUITY PLAN – Build alternative processes that identify how you will continue to provide key business functions and continue to serve customers during a disaster or cybersecurity incident.
  6. DISASTER RECOVERY PLAN – Have a plan in place for how you will restore your business to normal operations when responding to a disaster or cybersecurity attack.
  7. VENDOR MANAGEMENT – Know how your relationships with key third parties impact your organization so you can make sure you have well-defined and appropriate contract management processes and security service level agreements.

If you’ve been working with the Rehmann Technology Solutions team on building your cybersecurity plan, we can take the information gleaned and start building these key policies (IT teams appreciate not having to do this alone).

In the end, your organization will be on solid footing with transferable, repeatable cybersecurity policies in place.

Partners in Policy

Policy development isn’t the most glamorous assignment, but the organizational benefits can be huge. And you don’t have to do it yourself – Rehmann can help.


i IBM and Ponemon Institute, 2021, “Cost of a Data Breach Report”

ii Panopto, 2022, “Workplace Knowledge and Productivity Report”

iii HR Daily Advisor, 2018, “Knowledge Loss Turnover Means Losing Employees”
