Essential Cybersecurity Policy Templates for Small Businesses: AUP, BYOD, and Password Policy (Free) — 2026
Cyberlords Editorial Team

Eighty percent of small businesses have no formal cybersecurity policies. Not a single documented rule governing how employees use company systems, what happens when a personal phone connects to the office Wi-Fi, or how passwords should be created and managed.
This is not merely a compliance gap — it is an open invitation. Human error causes 88% of data breaches, and without written policies, employees have no guardrails. They reuse passwords across personal and work accounts. They connect unmanaged devices to your network. They forward sensitive documents to personal email addresses.
The fix starts with three foundational cybersecurity policy templates: an Acceptable Use Policy (AUP), a BYOD Policy, and a Password Policy. This guide provides all three as free, copy-paste templates aligned with NIST SP 800-63B-4, CIS Controls, and ISO 27001 — ready for your small business to customize today.
Quick Summary
- 80% of small businesses lack formal cybersecurity policies.
- 88% of data breaches are caused by human error.
- 67% of organizations say employees lack basic security awareness (SANS 2025).
- 70% of BYOD devices in the workplace are not actively managed.
- NIST SP 800-63B-4 (2025) eliminates mandatory password expiration — update your policy now.
- This guide includes three free policy templates: AUP, BYOD, and Password Policy.
- Templates are aligned with NIST, CIS Controls, ISO 27001, and SOC 2.
Why Policy Comes Before Technology
The Numbers Tell the Story
| Statistic | Source |
|---|---|
| 80% of small businesses lack formal cybersecurity policies | StellarCyber / ElectroIQ 2025 |
| 88% of data breaches are caused by human error | Secureframe 2025 |
| 67% of organizations say employees lack basic security awareness (up from 56% in 2023) | SANS 2025 Security Awareness Report |
| 70% of BYOD devices in the workplace are not actively managed | Computerworld / JumpCloud |
| 90%+ of lost/stolen device incidents lead to unauthorized data breach | Computerworld 2025 |
| 43% of cyberattacks target small businesses | Verizon / ElectroIQ 2025 |
| 60% of SMBs that suffer a cyberattack close within 6 months | SBA / BDEmerson 2025 |
| Ongoing security training reduces employee-driven incidents by up to 72% | Keepnet Labs 2025 |
| 22% of BYOD devices connect to unsafe Wi-Fi monthly | Spenza 2025 |
| 68% of breaches involve a non-malicious human element | Verizon DBIR 2024 |
You can deploy the most advanced firewall, EDR, and SIEM money can buy. But if an employee reuses their Netflix password for the company VPN, or plugs an unencrypted personal laptop into your network, technology cannot save you.
Policies create the behavioral framework that technology enforces. Without them, your security stack has no rules to enforce.
Template 1: Acceptable Use Policy (AUP)
What This Policy Covers
An Acceptable Use Policy defines how employees, contractors, and third parties may use company-owned and company-managed technology resources. It sets boundaries for personal use, prohibits specific activities, and establishes consequences for violations.
Template
====================================================
ACCEPTABLE USE POLICY — [COMPANY NAME]
====================================================
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Policy Owner: [NAME / TITLE]
Approved By: [CEO / CISO]
Review Frequency: Annual
Classification: INTERNAL
1. PURPOSE
This policy defines acceptable and prohibited uses of [Company Name]'s
information technology resources, including networks, systems, email,
internet access, and data.
2. SCOPE
This policy applies to all employees, contractors, consultants,
temporary workers, and third-party users who access company technology
resources, whether on-site, remote, or via personal devices.
3. ACCEPTABLE USE
Company technology resources are provided primarily for business
purposes. Limited personal use is permitted provided it:
- Does not interfere with work duties or productivity
- Does not consume excessive bandwidth or storage
- Does not violate any provision of this policy
- Does not expose the organization to security risks
4. PROHIBITED ACTIVITIES
The following are strictly prohibited on company systems:
a. Accessing, downloading, or distributing pornographic, violent,
or hateful content
b. Installing unauthorized software or applications without
IT approval
c. Sharing company credentials with any unauthorized person
d. Circumventing security controls (VPN bypass, proxy avoidance,
disabling antivirus)
e. Using company email for personal commercial activity
f. Storing sensitive company data on unapproved cloud services
g. Connecting unauthorized devices to the corporate network
h. Sending company data to personal email accounts
i. Using company systems for illegal activities of any kind
j. Attempting to access systems or data beyond authorized scope
5. EMAIL AND COMMUNICATION
- All company email is subject to monitoring and archival
- Do not open unexpected attachments or click links from
unknown senders
- Report suspected phishing to [security@company.com] immediately
- Do not use company email to transmit confidential data unless
encrypted
6. INTERNET USE
- All internet traffic on company networks may be monitored
- Streaming services should not be used during business hours
unless work-related
- Downloading files from untrusted sources is prohibited
- Use of anonymizing services (Tor, VPN bypass) is prohibited
7. DATA HANDLING
- Classify data as Public, Internal, Confidential, or Restricted
- Store confidential and restricted data only on approved,
encrypted systems
- Do not transfer restricted data via unencrypted channels
- Follow data retention and destruction policies
8. MONITORING AND ENFORCEMENT
[Company Name] reserves the right to monitor all activity on
company-owned systems, networks, and accounts. This includes
email, internet usage, file access, and application usage.
Employees have no expectation of privacy when using company
resources.
9. CONSEQUENCES
Violations of this policy may result in:
- Verbal warning and mandatory security retraining
- Written warning with probationary review
- Suspension of access privileges
- Termination of employment
- Legal action where applicable
10. ACKNOWLEDGMENT
All users must sign this policy upon onboarding and annually
thereafter.
Employee Name: ______________________
Signature: __________________________
Date: ______________________________
====================================================
Template 2: BYOD Policy
What This Policy Covers
A BYOD (Bring Your Own Device) policy governs the use of personal smartphones, laptops, and tablets for work purposes. With 70% of BYOD devices unmanaged and 22% connecting to unsafe Wi-Fi networks monthly, a clear policy is essential.
Template
====================================================
BRING YOUR OWN DEVICE (BYOD) POLICY — [COMPANY NAME]
====================================================
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Policy Owner: [NAME / TITLE]
Approved By: [CEO / CISO]
Review Frequency: Annual
Classification: INTERNAL
1. PURPOSE
This policy governs the use of personally owned devices
(smartphones, laptops, tablets) to access [Company Name]'s
systems, data, and network resources.
2. SCOPE
This policy applies to all employees and contractors who use
personal devices to access company email, files, applications,
or network resources, regardless of location.
3. PERMITTED DEVICES
The following device types are permitted for BYOD:
- Smartphones running iOS [version]+ or Android [version]+
- Laptops running Windows [version]+, macOS [version]+,
or ChromeOS
- Tablets running iPadOS [version]+ or Android [version]+
Jailbroken or rooted devices, and devices running unsupported
operating systems, are NOT permitted.
4. REGISTRATION AND MDM ENROLLMENT
All BYOD devices MUST be:
a. Registered with [Company Name] IT department before
accessing company resources
b. Enrolled in the company Mobile Device Management (MDM)
solution: [MDM Name]
c. Configured to receive automatic security updates
d. Compliant with all security requirements before access
is granted
5. SECURITY REQUIREMENTS
All BYOD devices must meet the following minimum requirements:
a. Device encryption enabled (full disk / full device)
b. Screen lock with PIN (6+ digits), password, or biometric
c. Auto-lock after 5 minutes of inactivity maximum
d. Operating system and applications kept up to date
e. Antivirus / endpoint protection installed (if applicable)
f. Location services enabled for remote-locate capability
g. No sideloaded apps from untrusted sources
h. Company VPN used when accessing resources on public networks
6. DATA ACCESS AND STORAGE
- Company data accessed on BYOD devices remains the property
of [Company Name]
- Do NOT store company data locally on personal devices unless
encrypted and approved
- Use only company-approved cloud storage (e.g., [service name])
- Do NOT sync company data to personal cloud accounts
(iCloud, Google Drive, Dropbox personal)
7. MULTI-FACTOR AUTHENTICATION
MFA is REQUIRED for all corporate applications and services
accessed from personal devices. Approved MFA methods:
- Authenticator app (preferred)
- Hardware security key (FIDO2)
- Push notification via [app name]
SMS-based OTP is discouraged due to SIM swap risk.
8. LOST OR STOLEN DEVICES
If a BYOD device is lost or stolen:
a. Report to IT immediately: [phone / email]
b. IT will remotely wipe corporate data and profiles
c. Employee must change all corporate passwords immediately
d. Employee is responsible for any personal data on the device
IMPORTANT: [Company Name] reserves the right to perform a
remote wipe of corporate data containers on BYOD devices
at any time, including upon employee departure.
9. EXIT / OFFBOARDING
Upon termination or resignation:
a. All company data, profiles, and apps will be removed
b. MDM enrollment will be revoked
c. Company email and application access will be disabled
d. Employee must confirm removal of all company data
10. PRIVACY
[Company Name] respects employee privacy. The MDM solution:
- CAN see: device compliance status, installed corporate apps,
OS version, encryption status
- CANNOT see: personal photos, texts, browsing history,
personal apps, personal email, call logs, GPS location
(unless device is reported lost)
11. ACKNOWLEDGMENT
Employee Name: ______________________
Signature: __________________________
Date: ______________________________
====================================================
Template 3: Password Policy
What This Policy Covers
This password policy reflects the latest NIST SP 800-63B-4 (2025) guidelines, which fundamentally changed best practices by eliminating mandatory password expiration, reducing complexity requirements, and emphasizing passphrases, blocklists, and MFA.
Template
====================================================
PASSWORD POLICY — [COMPANY NAME]
====================================================
Version: 1.0
Effective Date: [DATE]
Last Reviewed: [DATE]
Policy Owner: [NAME / TITLE]
Approved By: [CEO / CISO]
Review Frequency: Annual
Classification: INTERNAL
Aligned with: NIST SP 800-63B-4 (2025)
1. PURPOSE
This policy establishes password and authentication standards
for all [Company Name] accounts and systems, aligned with NIST
SP 800-63B-4 guidelines.
2. SCOPE
This policy applies to all user accounts on company systems,
including email, VPN, cloud applications, databases, and
administrative consoles.
3. PASSWORD CREATION REQUIREMENTS
a. Minimum length: 15 characters (strongly recommended)
Absolute minimum: 8 characters
b. Maximum length: 64 characters (no arbitrary truncation)
c. All ASCII printable characters, spaces, and Unicode
characters are permitted
d. Passphrases (multiple words) are strongly encouraged
Example: "correct horse battery staple thunderstorm"
e. Passwords MUST NOT appear on the company's blocked
password list (see Section 5)
4. PASSWORD EXPIRATION
Per NIST SP 800-63B-4:
- Passwords DO NOT expire on a fixed schedule
- Passwords MUST be changed only when:
a. There is evidence of compromise
b. The user suspects unauthorized access
c. A breach notification indicates potential exposure
d. Directed by IT Security following an incident
5. BLOCKED PASSWORD LIST
The following passwords are blocked and cannot be used:
- Passwords found in known breach databases
- Common dictionary words used alone
- Sequential or repeated characters (e.g., 123456, aaaaaa)
- Company name, product names, or variations
- User's name, email address, or username
- Previously used passwords for the same account
The blocked list is maintained dynamically by IT and updated
at least quarterly using breach intelligence feeds.
6. MULTI-FACTOR AUTHENTICATION (MFA)
MFA is REQUIRED for:
- All administrative and privileged accounts
- Remote access (VPN, RDP, SSH)
- Email access from outside the corporate network
- Cloud application access
- Any system containing sensitive or regulated data
Approved MFA methods:
- Authenticator app (TOTP) — preferred
- Hardware security key (FIDO2/WebAuthn) — recommended for
admins
- Push notification via approved app
- SMS OTP — permitted only as a last resort; SIM swap risk
7. PASSWORD STORAGE AND MANAGEMENT
a. Passwords must NEVER be stored in plaintext, spreadsheets,
sticky notes, or shared documents
b. Use of the company-approved password manager is mandatory:
[Password Manager Name]
c. Each account MUST have a unique password — no reuse
d. Shared/service account passwords must be stored in the
team vault within the password manager
8. KNOWLEDGE-BASED AUTHENTICATION
Per NIST SP 800-63B-4, knowledge-based authentication
(security questions such as "What is your mother's maiden
name?") is NOT permitted as a primary or recovery
authentication factor.
9. ADMINISTRATIVE AND PRIVILEGED ACCOUNTS
- Must use passwords of 20+ characters
- Must use FIDO2 hardware key or authenticator app for MFA
- Must be stored in a dedicated administrative vault
- Access must be reviewed quarterly
- Must be changed after any staff departure with admin access
10. INCIDENT RESPONSE
- If you suspect your password has been compromised, change
it immediately and report to [security@company.com]
- IT will force password resets across affected systems during
confirmed incidents
- Accounts showing signs of compromise will be locked pending
investigation
11. ACKNOWLEDGMENT
Employee Name: ______________________
Signature: __________________________
Date: ______________________________
====================================================
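To show how Sections 3, 5, 7 and 9 of the template translate into an enforceable check, here is an added Python example (not the article's code, and not NIST's): a verifier-side password acceptance routine that applies the length bounds, the Section 5 blocklist categories, the privileged-account minimum and the per-account history. The breach set, common-word set, company terms and the account record (EXAMPLE_USER) are constructed placeholders; a real deployment would feed the breached set from the quarterly breach-intelligence update the template calls for and pull the account record from the directory.

```python
"""Password acceptance check for the Password Policy above (Sections 3, 5, 7, 9).

Added example, not the article's or NIST's code. Blocklist contents and the
account record are constructed stand-ins for a breach feed and directory data.
"""
import hashlib
import hmac
import os
import re
import unicodedata

ABSOLUTE_MIN_LENGTH = 8       # Section 3a, absolute minimum
RECOMMENDED_MIN_LENGTH = 15   # Section 3a, strongly recommended
PRIVILEGED_MIN_LENGTH = 20    # Section 9, administrative and privileged accounts
MAX_LENGTH = 64               # Section 3b; reject, never silently truncate

# Common character substitutions, folded so "Acm3C0rp" is recognised as "acmecorp".
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def fold(text):
    """Lower-case, NFKC-normalise and undo leetspeak so look-alikes compare equal."""
    return unicodedata.normalize("NFKC", text).lower().translate(_FOLD)


# Constructed stand-ins for the Section 5 sources, stored in folded form.
BREACHED_PASSWORDS = {fold(p) for p in ("password", "password1", "qwerty123", "letmein", "welcome1")}
COMMON_WORDS = {fold(w) for w in ("sunshine", "dragon", "football", "monkey", "shadow")}
COMPANY_TERMS = {fold(t) for t in ("acme", "acmecorp", "widgetpro")}  # constructed names

# Constructed account record in the shape the check expects from the directory.
EXAMPLE_USER = {"username": "jdoe", "name": "Jane Doe", "email": "jane.doe@example.com"}


def is_trivial_sequence(pw):
    """True for one repeated character or one straight run of adjacent code
    points in either direction: aaaaaa, 123456, fedcba (Section 5)."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) < 2 or (len(steps) == 1 and steps.pop() in (0, 1, -1))


def user_tokens(user):
    """Identifiers that must not appear in the password (Section 5: user's name,
    email address or username), plus punctuation-stripped variants. Tokens under
    three characters are dropped so an initial does not block every password."""
    raw = [user["username"], user["email"], user["email"].split("@")[0], *user["name"].split()]
    tokens = set()
    for item in raw:
        folded = fold(item)
        tokens.update({folded, re.sub(r"[^a-z0-9]", "", folded)})
    return {t for t in tokens if len(t) >= 3}


def history_entry(pw):
    """Salted PBKDF2 verifier for the per-account history (Section 5, 'previously
    used'). The history holds verifiers, never the passwords themselves."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def in_history(pw, history):
    return any(hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000), digest)
               for salt, digest in history)


def evaluate_password(password, user, *, history=(), privileged=False):
    """Apply the policy to a candidate. Returns {"accepted", "violations", "advisories"}.
    A violation rejects the password; an advisory is shown to the user but does not
    block, matching the template's "strongly recommended" wording for 15 characters."""
    violations, advisories = [], []
    pw = unicodedata.normalize("NFKC", password)
    n = len(pw)

    minimum = PRIVILEGED_MIN_LENGTH if privileged else ABSOLUTE_MIN_LENGTH
    if n < minimum:
        violations.append(f"shorter than the {minimum}-character minimum")
    elif not privileged and n < RECOMMENDED_MIN_LENGTH:
        advisories.append(f"below the recommended {RECOMMENDED_MIN_LENGTH} characters; consider a passphrase")
    if n > MAX_LENGTH:
        violations.append(f"longer than the {MAX_LENGTH}-character maximum")

    folded = fold(pw)
    if folded in BREACHED_PASSWORDS:
        violations.append("appears in a known breach corpus")
    if folded in COMMON_WORDS:
        violations.append("common dictionary word used alone")
    if is_trivial_sequence(pw):
        violations.append("sequential or repeated characters")
    company_hit = next((t for t in sorted(COMPANY_TERMS) if t in folded), None)
    if company_hit:
        violations.append(f"contains company/product term '{company_hit}'")
    user_hit = next((t for t in sorted(user_tokens(user)) if t in folded), None)
    if user_hit:
        violations.append(f"contains account identifier '{user_hit}'")
    if in_history(pw, history):
        violations.append("previously used on this account")

    return {"accepted": not violations, "violations": violations, "advisories": advisories}


if __name__ == "__main__":
    previous = [history_entry("correct horse battery staple thunderstorm")]
    for candidate in ("correct horse battery staple thunderstorm", "Acm3C0rp!2024",
                      "sunshine", "JaneDoe-drinks-tea", "123456"):
        print(candidate, "->", evaluate_password(candidate, EXAMPLE_USER, history=previous))
```

Two design points carry the policy's intent. Candidates and blocklist entries are compared after the same folding, so "Passw0rd" is caught by the breach entry "password" and "Acm3C0rp" by the company term, which a literal string match would miss. The length rule is split into a hard floor (8, or 20 for privileged accounts) and an advisory at 15, because the template makes 15 a strong recommendation rather than a rejection criterion; if you decide to make 15 mandatory, move that branch into the violations list.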
Side-by-Side: Old Rules vs. Modern NIST-Aligned Policy
| Outdated Practice | NIST SP 800-63B-4 Recommendation | Why |
|---|---|---|
| Force password change every 90 days | No mandatory expiration | Forced changes lead to weak, predictable modifications |
| Require uppercase + lowercase + number + symbol | Allow all characters; encourage length | Complexity rules reduce usability without improving security |
| Minimum 8 characters | Recommended 15+ characters | Longer passphrases are harder to crack and easier to remember |
| Security questions for recovery | Prohibit knowledge-based authentication | Answers are often public information or guessable |
| Prohibit password managers | Strongly encourage password managers | Managers enable unique, complex passwords for every account |
| SMS as primary MFA | SMS is last resort; prefer authenticator app or FIDO2 | SMS is vulnerable to SIM swapping and interception |
Common Mistakes When Implementing Cybersecurity Policies
- Writing policies nobody reads — 50-page legal documents gather dust. Keep policies concise, use plain language, and have employees sign acknowledgments annually.
- No enforcement mechanism — Policies without consequences are suggestions. Define a clear escalation path from warning to retraining to termination.
- One-time training — Annual security training is insufficient. Conduct phishing simulations monthly and deliver micro-training quarterly. Research shows ongoing training reduces incidents by up to 72%.
- Ignoring BYOD entirely — 67% of employees use personal devices for work regardless of company policy. If you do not have a BYOD policy, you have an unmanaged BYOD free-for-all.
- Outdated password rules — If your password policy still requires changes every 90 days, it violates current NIST guidance and actively weakens your security.
- No dedicated policy owner — Every policy needs a named owner responsible for annual review, updates, and enforcement. Without ownership, policies become stale.
Frameworks and Standards Referenced
| Framework | Relevance |
|---|---|
| NIST SP 800-63B-4 (2025) | Digital identity and authentication guidelines — password requirements, MFA, blocklists, elimination of forced expiration |
| CIS Controls v8 | Safeguard 4 (Secure Configuration), 5 (Account Management), 6 (Access Control), 14 (Security Awareness Training) |
| ISO 27001:2022 | A.5 Organizational Controls (policies, roles), A.8 Technological Controls (access, authentication, endpoints) |
| SOC 2 Trust Services Criteria | Common Criteria 6 (Logical and Physical Access), CC6.1-CC6.8 |
| SANS 2025 Security Awareness Report | Employee security culture benchmarks, training effectiveness data |
Citations and References
- NIST SP 800-63B-4 (2025) — No mandatory password expiration, 15+ character passphrases recommended, blocklists required, knowledge-based authentication prohibited.
- SANS 2025 Security Awareness Report — 67% of organizations say employees lack basic security awareness (up from 56% in 2023). Social engineering is the top threat.
- Secureframe 2025 — 88% of data breaches are caused by human error.
- StellarCyber / ElectroIQ 2025 — 80% of small businesses lack formal cybersecurity policies; 43% of cyberattacks target small businesses; 60% of SMBs close within 6 months.
- Computerworld / JumpCloud 2025 — 70% of BYOD devices unmanaged; 90%+ of lost/stolen device incidents lead to data breach.
- Verizon DBIR 2024 — 68% of breaches involve a non-malicious human element.
- Keepnet Labs 2025 — Ongoing security awareness training reduces employee-driven incidents by up to 72%.
- Spenza 2025 — 22% of BYOD devices connect to unsafe Wi-Fi networks monthly.
How Cyberlords Can Help
Downloading a template is the first step. Making it part of your organization's security culture is the real work.
At Cyberlords, we help small businesses:
- Customize policy templates to fit your specific industry, technology stack, and regulatory requirements.
- Deploy and configure MDM solutions for BYOD environments, ensuring every device is enrolled, encrypted, and compliant.
- Conduct security awareness training — not boring slide decks, but engaging, scenario-based programs with phishing simulations.
- Perform policy compliance audits to verify that your written policies match your actual security posture.
If you need help building or implementing cybersecurity policies, contact the Cyberlords team today.
Frequently Asked Questions
What cybersecurity policies does a small business need?
At minimum, every small business needs three foundational policies: an Acceptable Use Policy (AUP) that defines how employees may use company technology, a BYOD Policy that governs personal devices used for work, and a Password Policy that sets authentication standards. These three policies address the majority of human-caused security incidents, which account for 88% of all data breaches. As your business grows, add policies for incident response, data classification, remote work, vendor risk management, and change management.
Should passwords still expire every 90 days?
No. NIST SP 800-63B-4, finalized in 2025, explicitly discourages mandatory periodic password changes unless there is evidence that a password or account has been compromised. Research shows that forced expiration leads to weaker passwords because users make small, predictable modifications (adding "1" at the end, incrementing a number). Instead, focus on long passphrases (15+ characters), dynamic blocklists that check against known breach databases, multi-factor authentication, and breach-monitoring services that alert you if credentials appear in a data leak.
What should a BYOD policy include?
A comprehensive BYOD policy should define which device types and OS versions are permitted, require device registration and MDM enrollment before access is granted, mandate device encryption and screen lock (PIN, password, or biometric), specify which company data may be accessed and where it may be stored, require MFA for all corporate applications, establish procedures for lost or stolen devices (including remote wipe), define the company's right to wipe corporate data containers, clarify privacy boundaries (what the company can and cannot see), and address offboarding procedures.
How often should cybersecurity policies be reviewed?
Review all cybersecurity policies at least annually, ideally on a fixed calendar (e.g., January of each year). In addition, trigger reviews whenever there is a significant change — a security incident, new compliance requirement (such as PCI DSS 4.0.1 or NIS2), adoption of a new technology platform, personnel changes in the security team, or feedback from an audit. Assign a named policy owner to each document to ensure accountability.
Are these templates compliant with ISO 27001 and SOC 2?
These templates are designed to align with the requirements of ISO 27001 (specifically A.5 Organizational Controls and A.8 Technological Controls), SOC 2 Trust Services Criteria (CC6 Logical and Physical Access), NIST SP 800-63B-4, and CIS Controls v8. However, compliance is determined by implementation, not documentation. Customize the templates for your environment, enforce them with technical controls, train your staff, and document evidence of compliance for auditors.
What is the biggest security risk with BYOD?
The biggest risk is unmanaged devices. Research shows that 70% of BYOD devices in the workplace are not actively managed — they lack encryption enforcement, security patching, and remote wipe capability. Additionally, 90% of security incidents involving lost or stolen devices lead to unauthorized data access, and 22% of BYOD devices connect to unsafe Wi-Fi networks monthly. The solution is mandatory MDM enrollment, clear security requirements, and a policy that employees sign before their device is granted access.
How do I get employees to actually follow cybersecurity policies?
Three steps. First, write policies in plain language that non-technical employees can understand — avoid impenetrable legal jargon. Second, conduct security awareness training at least quarterly, not just during onboarding. Research from Keepnet Labs shows that ongoing training reduces employee-driven cyber incidents by up to 72%, and organizations can reduce phishing susceptibility by over 40% within 90 days. Third, enforce policies consistently with documented consequences, but also recognize and reward security-conscious behavior. Make it a positive part of your culture, not just a punitive exercise.
Do I need separate policies or can I combine them into one document?
It is strongly recommended to maintain separate, focused policies. A combined mega-document is harder to maintain (updates to one area require re-distributing the whole thing), harder for employees to reference when they need a specific answer, and creates compliance challenges when auditors request specific policy documents. Keep AUP, BYOD, and Password as separate documents at minimum. This also allows you to set different review cycles and route different policies to different approvers.