Updating Your Cybersecurity Policy: What SMEs Must Include in 2024

As digital threats continue to evolve, New Zealand SMEs can no longer afford outdated cybersecurity policies. In 2024, comprehensive, living cybersecurity frameworks are vital—not just for compliance but also to preserve trust and resilience. This month’s deep dive outlines what modern SMEs must incorporate into their cybersecurity policies and why regular policy reviews matter more than ever.

📌 Why Policy Refreshes Are Critical

Static policies fail to reflect the dynamic nature of cyber risk. With increased cloud adoption, AI-driven attacks, and hybrid work, yesterday’s rules may now create security gaps. A refreshed cybersecurity policy keeps your team aligned with today’s threats and obligations.

🔐 What to Include in 2024

Your policy must balance technology, people, and process. At a minimum, it should define:

📣 Staff Training and Accountability

Policies only work when people understand and apply them. Build mandatory cybersecurity training into onboarding and annual refreshers. Consider incorporating simulated phishing tests. Require signed acknowledgement of policies—digitally logged for evidence.

🛡️ Changes in Threat Landscape

Since 2023, deepfake attacks and AI-enhanced phishing have increased. Policies should address these risks. For example, include rules around video call authentication and email source verification. Cloud misconfigurations and supply chain vulnerabilities also need coverage.

📜 Legal and Compliance Alignment

Ensure alignment with the New Zealand Privacy Act 2020, ISO 27001, and insurer expectations. A well-articulated policy protects you in audits and post-incident liability reviews. Policy updates should be timestamped, version-controlled, and endorsed by leadership.

📊 Keeping It Living, Not Static

Policies must be reviewed quarterly or at major change events—new systems, new risks, new teams. Assign a policy owner internally or engage a virtual CISO to coordinate updates. Keep your document collaborative but secure (e.g., read-only to staff, editable by IT).

🧾 Ready-to-Use Checklist

To help SMEs self-assess, we’ve compiled a companion checklist that outlines each section you should review and update in 2024. From password enforcement to breach response protocols, it’s practical and fast to action.

Here is the Cybersecurity Policy Update Checklist.

📌 Proactive Beats Reactive

Don’t wait for a client request or a breach to review your policies. Act now to embed cybersecurity into daily operations. When leadership sets the tone and staff understand their role, policy becomes more than paper: it becomes protection.

Eduardo Wnorowski is a Technologist and Director at Virtus Group Ltd.
With over 29 years of experience in IT and consulting, he brings deep expertise in networking, security, infrastructure, and transformation.
Eduardo helps New Zealand businesses navigate change with clarity, security, and trust.

Tags: Cybersecurity Policy, Compliance, SME Security, Risk Management, Privacy Act 2020, Staff Awareness