A Simple Security Policy Pack You Can Actually Follow
Most SMB security policies fail because they're written for enterprises. Here's how to write one that actually works for a 5-person HVAC company or a 12-seat dental office.
Last updated: March 20, 2026
A dentist in Fort Walton Beach called us because her receptionist clicked a link in an email that looked like it came from her email provider. The email asked her to "verify her account." By the time she realized it wasn't real, the attacker had access to her appointment scheduling system for three days.
When we asked if she had a security policy, she said, "We have a password policy. Sort of."
That's not unusual. Most Gulf Coast small businesses don't have a security policy because the ones available online are written for companies with dedicated IT departments and legal teams. They're not written for a 10-person construction company or a local restaurant.
This article gives you a security policy you can actually use.
What this solves (in real business terms)
A security policy answers one question: "What are the rules for how we handle access, data, and devices?"
Without one, your team makes security decisions ad hoc. Someone reuses the same password for everything because nobody told them not to. Someone uses their work email to sign up for a SaaS tool because there's no guidance. Someone leaves their laptop in their car because the business never said that was a problem.
A written policy gives your team a baseline. It also gives you something to point to when you need to enforce a rule. "We're not being mean — this is our policy."
What can go wrong
Phishing leading to account takeover. The Fort Walton Beach dentist's incident is common. Attackers send convincing emails pretending to be Microsoft, Google, or software your team uses daily. Without a policy that requires verification before clicking links, your team is guessing.
Credential stuffing after a breach. When LinkedIn, Facebook, or any website gets breached, usernames and passwords get dumped online. Attackers try these same credentials on other sites. If your team reuses passwords, one breach becomes many.
Lost or stolen devices with no encryption. A laptop stolen from a truck in Mobile with patient files, customer records, or financial data — that's a reportable breach, not just a hardware loss.
Unauthorized software (Shadow IT). Your accountant installs a "free" tax prep tool. Your sales manager signs up for a CRM trial. Now you have business data in systems you don't own, can't audit, and won't know about until something goes wrong.
No clear process when someone leaves. When an employee quits or is terminated, do you know which accounts they had? Do you disable access immediately? Most small businesses don't have a checklist for this.
What it costs (honest ranges)
- DIY: $0 — You write it yourself using this guide. Time cost: 4-8 hours initially, then 30 minutes quarterly to review.
- Managed security provider: $10-$30/user/month — Most Gulf Coast MSPs include policy documentation and annual reviews as part of their managed security offering.
- Consultant: $1,500-$4,000 for a custom policy written for your specific business and industry.
Avoid anything quoting $5,000+ for a "small business security policy." That's enterprise pricing. For a 5-50 person business, you should pay $2,000 or less unless you have compliance requirements (HIPAA, PCI-DSS, etc.).
Vendor questions (copy/paste)
Before hiring someone to write your policy, ask:
- "Will you write this for our specific business, or will you give us a template with our name filled in?"
- "How many employees do you typically work with at businesses our size?"
- "Will this policy address our use of [insert your key tools: QuickBooks, Microsoft 365, etc.]?"
- "Do you provide employee training materials, or just the policy document?"
- "How often should we update this, and does your fee include annual reviews?"
Minimum viable implementation
Step 1: Write a password policy (one page max)
- Minimum 12 characters. Passphrases allowed (e.g., "Bluefish-beach-2024!").
- No reusing passwords across work accounts.
- Use a password manager (see our guide on password managers for teams).
- No sharing passwords via email or text.
Step 2: Write a device policy (half page)
- Company devices require lock screens (PIN, biometric, or password).
- No public WiFi for work tasks without a VPN.
- Lost or stolen devices must be reported within 24 hours.
- Company devices are for company business — some personal use is fine, but no illegal downloads or unauthorized software.
Step 3: Write an access control policy (half page)
- When someone leaves, their accounts are disabled within 4 hours of their last day.
- New hires get access based on their role — not automatically everything.
- Admin access (full control) is limited to owners and designated IT only.
- Vendor access is temporary and monitored.
Step 4: Distribute and sign
- Give every employee a copy. No signature required, but document who received it.
- Store a copy in a shared location (OneDrive, Google Drive) so it's accessible.
Step 5: Review quarterly
- Read through it. Has anything changed? New tools, new employees, new risks?
- Update and redistribute as needed.
When to hire help
Do it yourself if:
- You have 10 or fewer employees
- You're not in a regulated industry (healthcare, finance, government contracting)
- Your tech stack is simple (Microsoft 365, QuickBooks, a few SaaS tools)
Get help if:
- You have more than 25 employees
- You process credit cards directly (PCI compliance)
- You handle health information (HIPAA)
- You're bidding on government contracts (CMMC, NIST 800-171)
- You've had a breach or near-miss and need documented policies for insurance or legal reasons