If your Cyber Security policies and procedures are not clearly documented, you will struggle to enforce them. Your staff may not know what steps are involved or what the purpose of the whole process is. There will be no buy-in from their side. For instance, if you don’t have an Acceptable Use Policy for your VPN in writing, your employees may end up using it for non-work purposes.