Establish policies that guide employees to secure laptops and devices, when they are in and out of office. A company laptop sitting on the passenger seat of a car is attractive to a thief and they could cause significant damage to your business if that laptop and account have access to confidential information. In the office, employees should be in the habit of screen locking their computers whenever they leave their desk – a customer or service employee in the building should not be able to walk up to an unattended computer and access your databases and information.

Set clear policies on password strength, expiration, and sharing. Password strength refers to the complexity of passwords and most websites today will enforce choosing passwords with a combination of uppercase, lowercase, numeric and special characters. Once you have identified the requirements for password complexity that work across your IT systems, share these guidelines with your employees so that they are prepared.

Passwords should be changed periodically to reduce the risk of old passwords being shared or cracked. An example company policy may require employees to update their account password every three months.

This policy helps employees know what behavior is permitted or prohibited on company owned computers, devices, and networks. These guidelines address personal use, social media, and unapproved software. Installing unapproved software can result in accidentally installing malware or unlicensed copies of software. Policies should identify which software can be installed and how to request exceptions to install nonstandard programs that the employee uses to do their job.

This policy helps employees know what behavior is permitted or prohibited when using their company provided email account and system. Using their company email to conduct unrelated commercial activity and other misuse of their business email address can increase legal and security risks for your business.

These policies govern the use and monitoring of corporate owned computers and devices. Guidance on what may be installed on these systems, how employees may use them, and whether they have an expectation to privacy on these devices should be communicated up front. This policy informs employees on what they should do in the event of a lost or stolen company device.

Use this policy to identify the types of devices permitted, what security measures and prerequisites are required for employee devices to be approved, and what employees should do if their devices are lost, stolen, or compromised.

If your company does have a Mobile Device Management solution and enrolls personal devices in this program, inform your employees in your written policy when their device might be accessed, and under what circumstances data might be deleted on that device.

Set policies that define if business data can be transferred via external networks or only on the company’s network. Determine if your business will allow removable media including USB keys to transfer data between employees or external parties. USB keys can store large amounts of data but can be easily misplaced. Shared drives including DropBox, Google Drive, and Apple iCloudDrive can facilitate sharing data and improve productivity if your policies define permissible use.

Defining and writing policies is the first step, but they will not guide behavior unless your employees are informed of new policies, updates, and trained to follow them. Policies must have clearly defined consequences for violations, from verbal and written disciplinary action up to and including dismissal for malicious or repeat offenders. Include training for new employees and annual training for existing employees as part of your adoption plan.