If you don’t direct your team on the proper use of technology at work, then people are bound to make up their own rules. Not having certain IT policies in place leads to security breaches and employee misunderstandings.
For example, most employees use their mobile devices to access business apps and data, yet approximately 61% of organisations don’t have a mobile device policy in place for BYOD (bring your own device).
No matter what size your business is, some key policies will help you put guard rails up to keep technology use from getting out of hand. They are also vital to your business continuity and IT security.
If you’re a smaller company, your policies don’t have to be as elaborate as those of large enterprise companies. But you do still need to have them so your employees will know what’s expected and can operate in a way that keeps your IT infrastructure secure and optimised.
Here are some of the key technology policies that you should have at your business if you don’t already.
BYOD (Bring Your Own Device) Policy
Mobile devices are like tiny computers and can be just as big a security risk as PCs. Many companies rely on employees using their smartphones to access work apps, email, etc., but there need to be safeguards in place. Otherwise, all those endpoints constitute a big security risk.
Your BYOD policy should include details on how business data on mobile devices is to be protected. For example, safeguards might include requiring a screen lock, an anti-malware application, and that the phone be kept updated to the latest version.
Cloud App Use Policy
The use of unauthorised cloud apps for work has become a major security problem. 80% of surveyed employees admit to using cloud apps without first getting approval.
This can mean a company has data in unsecured apps, is paying for SaaS (Software as a Service) subscriptions that are redundant, and loses access to data in a cloud account if the employee leaves the company.
Your cloud app use policy should outline the following:
- Apps that are acceptable to use for business data and processes
- Penalties for using unauthorised cloud apps
- The process by which an employee can recommend a cloud app for approval
- Annual employee survey on cloud use
Remote Working Policy
Just about every company now needs to have a remote working policy due to the pandemic. The number of permanent remote workers is expected to double this year, and not all companies have specific policies in place to inform their telecommuting staff of expectations.
Your remote working policy should address things like:
- Expected device security (automated updates, anti-malware, DNS filter, etc.)
- Expected network security (use of a VPN, guest network setup, etc.)
- Hours that employees are expected to work
- How employees will “report in/out” during the day
- The expectation of use for company-issued devices (e.g. can’t be used by others)
Password/Access Security Policy
Password compromise has jumped to become the most common initial attack vector, responsible for 20% of all data breaches globally.
The increased reliance on the cloud, and all those SaaS and online website accounts, makes passwords a popular target of phishing campaigns.
Without direction, people will often use weak passwords that are easy for them to remember (and easy for hackers to breach), and will also reuse passwords across multiple accounts.
Your password and access security policy should include minimum security requirements for passwords. You might even require that a specific strong password generator be used.
You can also include standards for password storage, for example, prohibiting the use of an unsecured spreadsheet or document to store them and instead providing a password manager that is to be used.
Acceptable Use Policy
Your acceptable use policy is an overarching policy for how employees are to use business equipment. For example, this policy might prohibit employees from downloading software on a company device without specific approval from your IT department or partner.
This policy can also dictate the websites that employees should not visit when on a company device and any web security (like a DNS filter) that needs to remain in place.
The acceptable use policy can also include required applications that employees are not to turn off or disable, such as the cloud backup or managed antivirus/anti-malware.
Incident Response Policy
An incident response policy can significantly reduce the cost of a cyberattack and the downtime associated with one. It lays out the steps that your staff should take in the event of any downtime crisis (ransomware infection, data breach, natural disaster, etc.) to get systems back up and running as fast as possible.
When a crisis event occurs and there is no response plan in place, the first hours can be lost with employees scrambling and wondering what to do. An incident response policy doubles as a manual to follow should an event occur, so your team can spring into action to mitigate damage and get your company operational as soon as possible.
Get Help Putting Important IT Policies & Safeguards in Place
Don’t leave your policy creation on the back burner. Not having them in place can cause you costly problems. Connected Platforms can help your Brisbane area business put IT policies together that keep you secure and optimised.