Cyber Security Policy

Version: 1.0
Date: 15/03/2026
Next Review: 12 Months

1. Introduction

C Wray Ltd recognises that cyber security is essential for protecting company operations, contractor information, and client data.

As a company operating within the construction recruitment and labour supply sector, C Wray Ltd handles sensitive information including:

  • contractor identity documentation

  • qualification records

  • insurance information

  • financial invoices

  • client contact details

This Cyber Security Policy outlines the measures taken by C Wray Ltd to protect its digital systems and data from cyber threats.

The company is committed to complying with:

  • UK GDPR

  • Data Protection Act 2018

  • National Cyber Security Centre (NCSC) guidance

The aim of this policy is to protect the integrity, confidentiality and availability of company data.

2. Scope

This policy applies to:

  • Company directors

  • Administrative staff

  • Contractors accessing company systems

  • Third-party service providers

  • Any individual with access to company IT systems

This policy applies to all digital systems used by the company including:

  • laptops

  • mobile devices

  • cloud software

  • email systems

  • accounting systems

  • field management software

3. Roles and Responsibilities

Company Director

The Director of C Wray Ltd has overall responsibility for cyber security within the company.

Responsibilities include:

  • ensuring cyber security policies are implemented

  • protecting company data and contractor information

  • responding to cyber incidents

  • ensuring compliance with data protection legislation

System Administrator (Director / Appointed Person)

Responsibilities include:

  • managing user access to systems

  • ensuring systems are updated regularly

  • monitoring suspicious activity

  • managing backups and recovery systems

Staff and Contractors

All users must:

  • follow this cyber security policy

  • use secure passwords

  • report suspicious emails or activity

  • protect confidential company information

Failure to follow cyber security procedures may result in disciplinary action or termination of system access.

4. Technical Security Measures

C Wray Ltd implements the following technical safeguards.

Network Security

  • Secure internet connections

  • Firewalls where applicable

  • VPN access where remote systems are used

Anti-Virus and Malware Protection

All company devices must have:

  • up-to-date anti-virus software

  • automatic malware scanning

Software Updates

All devices must receive:

  • regular security updates

  • operating system updates

  • software patching

Cloud System Security

Cloud systems used by C Wray Ltd may include:

  • email platforms

  • cloud storage

  • accounting systems

  • contractor databases

Security measures include:

  • secure login authentication

  • restricted user access

  • encrypted data storage

Data Backups

Company data is backed up regularly to ensure recovery in the event of:

  • cyber attacks

  • accidental deletion

  • system failure

Backup procedures are tested periodically.

5. User Account Management

Access to systems is controlled using the following principles.

Password Requirements

Passwords must:

  • contain a minimum of 12 characters

  • include letters, numbers and symbols where possible

  • not be reused across multiple systems

Password guidance follows NCSC password best practice.

Access Permissions

Access to systems is granted only where required for business purposes.

For example:

Role Access:

Level:

Director Full system access

Administrative staff Limited operational access

Contractors No access to internal systems

Account Removal

User accounts must be disabled immediately when:

  • a staff member leaves

  • a contractor relationship ends

  • access is no longer required

6. Staff Training and Awareness

All staff must maintain awareness of cyber security risks.

Training topics include:

  • phishing email identification

  • password security

  • data protection responsibilities

  • safe use of company systems

Staff are encouraged to report suspicious activity immediately.

7. Incident Response Plan

If a cyber security incident occurs, the following steps must be taken.

1. Identify the Incident

Examples include:

  • phishing attacks

  • malware infection

  • unauthorised system access

  • data breaches

2. Report the Incident

Incidents must be reported immediately to:

Company Director – C Wray Ltd

3. Contain the Threat

Actions may include:

  • disconnecting affected devices

  • changing passwords

  • restricting system access

4. Investigate the Incident

The company will assess:

  • how the breach occurred

  • which systems were affected

  • whether personal data was compromised

5. Notify Authorities (if required)

Where required under UK GDPR, data breaches may be reported to:

  • the Information Commissioner’s Office (ICO)

6. Post-Incident Review

Following any cyber incident:

  • procedures will be reviewed

  • security improvements will be implemented

8. Data Protection

C Wray Ltd processes personal data relating to:

  • contractors

  • employees

  • clients

  • business contacts

All personal data must be:

  • collected lawfully

  • stored securely

  • only accessed where necessary

  • retained only for required periods

Sensitive documents such as:

  • identity documents

  • qualifications

  • insurance certificates

must be stored securely.

9. Compliance and Auditing

C Wray Ltd will periodically review its cyber security practices.

This may include:

  • reviewing access permissions

  • reviewing password policies

  • monitoring system activity

  • testing data backup procedures

Where necessary the company may seek external cyber security advice.

10. Policy Review

This policy will be reviewed annually to ensure it reflects:

  • changes in cyber threats

  • new technology systems

  • regulatory requirements

Signed:

Director – C Wray Ltd

Date: _15_03_2026__

Next Review Date: _15_03_2026__