IT Security Policies for Your Small Business
everyone accesses the internet via multiple devices, some personal and some owned by your business, it is important to establish IT Security Policies. IT Security Policies set expectations for how your employees are expected to use and interact with your computers, information systems, and network. Without clear expectations, inappropriate or uninformed employee usage can result in lost productivity, data loss, exposure to viruses and cyber-attacks, and even increase the risk of lawsuits.
Setting policies that work with your business begins with identifying what assets and information you want to protect. This may include computers, mobile devices, HR and payroll systems, customer data including payment and personal information, and proprietary business information. Once you’ve identified the assets and information that need protecting, identify who should have access to that information and establish guidelines for usage.
common IT Security Policies that small and medium businesses implement:
Corporate Devices Policy
Personal Devices Policy
Data Security and Transfer Guidelines
Training Requirements
Physical Security
Password Policy
Internet Use Policy
Email Use Policy
Establish policies that guide employees to secure laptops and devices, when they are in and out of office. A company laptop sitting on the passenger seat of a car is attractive to a thief and they could cause significant damage to your business if that laptop and account have access to confidential information. In the office, employees should be in the habit of screen locking their computers whenever they leave their desk – a customer or service employee in the building should not be able to walk up to an unattended computer and access your databases and information.
Physical Security
Set clear policies on password strength, expiration, and sharing. Password strength refers to the complexity of passwords and most websites today will enforce choosing passwords with a combination of uppercase, lowercase, numeric and special characters. Once you have identified the requirements for password complexity that work across your IT systems, share these guidelines with your employees so that they are prepared.
Passwords should be changed periodically to reduce the risk of old passwords being shared or cracked. An example company policy may require employees to update their account password every three months.
Password Policy
This policy helps employees know what behavior is permitted or prohibited on company owned computers, devices, and networks. These guidelines address personal use, social media, and unapproved software. Installing unapproved software can result in accidentally installing malware or unlicensed copies of software. Policies should identify which software can be installed and how to request exceptions to install nonstandard programs that the employee uses to do their job.
Internet Use Policy
This policy helps employees know what behavior is permitted or prohibited when using their company provided email account and system. Using their company email to conduct unrelated commercial activity and other misuse of their business email address can increase legal and security risks for your business.
Email Use Policy
These policies govern the use and monitoring of corporate owned computers and devices. Guidance on what may be installed on these systems, how employees may use them, and whether they have an expectation to privacy on these devices should be communicated up front. This policy informs employees on what they should do in the event of a lost or stolen company device.
Corporate Devices Policy
Use this policy to identify the types of devices permitted, what security measures and prerequisites are required for employee devices to be approved, and what employees should do if their devices are lost, stolen, or compromised.
If your company does have a Mobile Device Management solution and enrolls personal devices in this program, inform your employees in your written policy when their device might be accessed, and under what circumstances data might be deleted on that device.
Personal Devices Policy
Set policies that define if business data can be transferred via external networks or only on the company’s network. Determine if your business will allow removable media including USB keys to transfer data between employees or external parties. USB keys can store large amounts of data but can be easily misplaced. Shared drives including DropBox, Google Drive, and Apple iCloudDrive can facilitate sharing data and improve productivity if your policies define permissible use.
Data Security and Transfer
Defining and writing policies is the first step, but they will not guide behavior unless your employees are informed of new policies, updates, and trained to follow them. Policies must have clearly defined consequences for violations, from verbal and written disciplinary action up to and including dismissal for malicious or repeat offenders. Include training for new employees and annual training for existing employees as part of your adoption plan.
Training Policy