It’s never been more important for organisations to adopt a culture of cybersecurity. People across the entire business are now targets for cyber criminals, indicating that everyone from the top down should have an appetite for information security and risk management.
The question is – is there a strong appetite in your organisation or are your staff unaware, or even ignorant, of the risks faced? Our latest 2016 Risk:Value report suggests that many companies are facing poor risk appetite. In fact, lax information security is seen as the single biggest risk to a business – on a par with competitors stealing market share, and more of a risk than global competition and falling profits.
Companies are now under pressure to improve awareness and understanding of the risks and consequences of a cybersecurity threat or breach. This requires some exemplary management skills and needs to start with a solid security policy. A skilled team should be able to analyse what digital assets need protection and what the impact would be to the company should it suffer a breach.
Those producing the policy must also identify the most common and likely threats to that data. These can vary by the type of business, and by its activities. This will enable them to distinguish other data points that will help them to create an effective policy. They can identify likely intrusion points that attackers could use, and map them against weak points that they uncover in their systems. Intruders frequently use email and web browsers as gateways into a company’s systems, but some companies with a strong prevalence of mobile users and remote workers may also find those to be soft targets.
Team leaders can tailor their security policies to focus on such weak points, but most policies will cover catch-all areas such as data encryption, mobile working, clean desk practices and acceptable usage. Policies should be signed off by a senior executive to show management support.
However, that isn’t enough. Managers must be realistic about their organisations’ ability to execute these policies. Too often, a security policy ends up as a dead document, given out during employee inductions and then stuffed away in a drawer only to be followed by very few people. This is where effective communication comes in, which is critical for ensuring that any policy is endorsed and routinely followed.