In our experience, we find that many startups and small businesses choose not to implement IT policies.
The reasons given include:
- It’s too formal.
- We are so small we aren’t at risk.
- Mentioning what’s expected of new starters at induction is “good enough”.
This is a mistake!
Making assumptions that your new starters “get it”, possibly by osmosis, puts an unfair expectation on them when some straightforward and easy-to-grasp policy documents make it a doddle.
Not having policies could also leave you with a legal headache to contend with if there is a breach and you are subsequently sued.
Take social media for example.
A huge majority of employees access their own social media accounts at work, on their work devices. Employee productivity aside, having no policy on what is or isn’t acceptable at work puts you and your team in an awkward position.
IT policies are a crucial part of protecting your company’s intellectual property and assets. And what’s more, they only need to be written once and then broadcast throughout the company, and can easily be implemented in your company’s new starter onboarding process.
SIX Key Policies:
1. Password Security Policy
Poor passwords and poor password hygiene are probably the most common breach vector: an easy-to-guess or commonly used password is one of the most likely ways bad guys get into your systems.
A password security policy will provide your team with a framework for handling their login passwords.
It should include things like:
- How long passwords should be.
- How to construct passwords (e.g., using at least one number and symbol).
- Where and how to store passwords.
- The use of multi-factor authentication (if it’s required).
- How often to change passwords.
2. Acceptable Use Policy (AUP)
The Acceptable Use Policy is a “catch-all” policy, including how to properly use technology and data in your organisation. This policy will govern things like device security. For example, you may need employees to keep devices updated. If this is the case, you should include that in this policy.
Another thing to include in your AUP would be where it is acceptable to use company devices. You may also restrict remote employees from sharing work devices with family members.
Data is another area of the AUP. It should dictate how to store and handle data. The policy might require an encrypted environment for security.
3. Cloud & App Use Policy
The use of unauthorised cloud applications by employees has become a big problem: for example, a team member uses a personal Dropbox account on their work device to transfer work documents so they can work on them at the weekend. This is a real security risk, as the employer does not know what other data is in the Dropbox account, nor who else accesses it. Often, employees use cloud apps on their own initiative simply because they don’t know any better and do not realise the risks.
A list of approved apps, together with the ways of accessing personal data from work devices that are not approved, removes assumptions and clarifies to everyone what good practice is. Simple.
4. Personal devices Policy
This is also known as Bring Your Own Device (BYOD).
This can be very risky for business IT security. The device may have several logins, unapproved apps that may compromise security, and pre-existing vulnerabilities that may give a hacker access to a company’s assets once the employee logs into the company network.
Employee devices may be vulnerable to attack if the operating system isn’t updated.
There may also be a lack of clarity regarding compensation for the use of personal devices at work.
The BYOD policy clarifies all of this, including the required security of those devices. It may also note the required installation of an endpoint management app, which may not be acceptable to the employee, but again, having this policy makes it clear (and fair) for all parties.
5. Wi-Fi Use Policy
Public Wi-Fi is an issue when it comes to cybersecurity. Many employees won’t think twice about logging in to a company app or email account over public Wi-Fi because they don’t realise, or haven’t been told, that this is a risk. This could expose those credentials and lead to a breach of your company network.
Your Wi-Fi use policy will explain how employees are to ensure they have safe connections. It may dictate the use of a company VPN. Your policy may also restrict the activities employees can do when on public Wi-Fi such as logging into restricted sites or making payments.
6. Social Media Use Policy
With social media use at work so common, it’s important to address it. Otherwise, endless scrolling and posting could steal hours of productivity every week. It can also lead to employees sharing information that they shouldn’t, because they have not been warned of the consequences.
Include details in your social media policy, such as:
- Restricting when employees can access personal social media.
- Restricting what employees can post about the company.
- Noting “safe selfie zones” or facility areas that are not okay for public images.
Do you need help to implement these IT Policies?