BAWCo Cyber Security Policy

1. Purpose
This policy sets out BAWCo’s approach to cybersecurity. Its aims are to protect company and customer data, to maintain compliance with UK data protection law, and to safeguard business operations against cyber threats.

2. Scope
This policy applies to all employees, contractors, and third-party service providers who access BAWCo’s digital systems, customer data, or internal networks.

3. Compliance & Legal Framework
BAWCo is committed to compliance with:
• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018
• National Cyber Security Centre (NCSC) best practices
• Cyber Essentials guidelines (where applicable)

4. Data Protection & Access Control
• All customer and business data must be securely stored and only accessed by authorised personnel.
• Multi-factor authentication (MFA) is required for all critical systems, including the CRM.
• Employees must use strong, unique passwords for each system and must change a password immediately if it is suspected to have been compromised, in line with NCSC password guidance.
• Data encryption must be used for sensitive information, both in transit and at rest.

5. Network & System Security
• BAWCo’s IT infrastructure must be protected with firewalls, antivirus software, and regular security updates.
• Company devices must be kept up to date and patched promptly against known vulnerabilities.
• Remote access is restricted and must only be conducted through secure VPN connections.
• Regular backups must be maintained, and restoration from backup periodically tested, to ensure business continuity in case of cyber incidents.
• Cybersecurity services, including infrastructure monitoring, email monitoring, and threat detection, are outsourced to Raven Software, which is responsible for maintaining these protections and for proactive threat detection and mitigation.

6. Email & Communication Security
• Employees must not click on suspicious links or open attachments from unknown or unexpected sources, and must report suspected phishing messages.
• Raven Software manages and monitors email security, filtering out threats such as phishing and malware to protect business communications.
• All email communications containing customer data must be encrypted.
• Phishing awareness training will be provided to employees to help prevent social engineering attacks.

7. Incident Response & Reporting
• Any suspected cybersecurity breach must be reported immediately to management.
• Raven Software provides 24/7 monitoring and supports incident detection, response, and mitigation, ensuring rapid identification and containment of threats.
• BAWCo will work with Raven Software to respond to and recover from cyber incidents, ensuring minimal disruption to operations.
• In the event of a personal data breach, BAWCo will follow UK GDPR requirements, including notifying the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach where notification is required, and informing affected individuals where the breach is likely to result in a high risk to them.

8. Employee Training & Responsibilities
• All employees must stay informed about cybersecurity best practices, with guidance provided by management and Raven Software as needed.
• Employees are responsible for safeguarding company data and following this policy.
• Misuse or negligence leading to a breach may result in disciplinary action.

9. Third-Party & Supplier Security
• Vendors handling BAWCo’s data must meet cybersecurity standards equivalent to those set out in this policy.
• Contracts with third parties must include data protection and security clauses.

10. Review & Updates
• This policy will be reviewed annually or after any significant security incident.
• Updates will be communicated to all employees and relevant stakeholders.

Approval & Enforcement
This policy is approved by BAWCo’s Managing Director and must be followed by all employees and stakeholders to ensure strong cybersecurity practices.