Technology is a vital aspect of society and is involved in nearly every type of industry and business today. It's hard for most people to go for an hour, let alone a day, without looking at their cell phones.
Although the digital explosion has been great for connecting anytime, anywhere, there are inherent security risks involved with technology.
With so many people using computers and other devices to get the job done, some boundaries need to be established on what employees can or can't do on a business-connected device, on a personal device while interacting with business data, or on your business network with a personal device.
To instill a risk management culture, businesses need to incorporate an acceptable use policy to teach employees how to be safe while connected.
This article outlines the specifics of an acceptable use policy and how to effectively implement one.
What Is an Acceptable Use Policy?
An acceptable use policy is a set of rules that indicate what end users can or can't do with their business-related technology and data.
It generally requires some form of acknowledgment from employees that they adequately understand the rules before being officially logged into your systems. These include potential consequences for a violation, banned websites, etc.
A good policy provides a clear outline of the rules, as well as provides a rationale for their existence. Clear and logical rules make it easier for employees to buy into them without viewing them as arbitrary or unreasonable.
It may seem daunting on the surface, but it doesn't have to be complicated.
What Should an Acceptable Use Policy Contain?
An acceptable use policy is different for many businesses across varying industries. No two programs are the same, which is why you need to create one unique to your business.
Ask yourself, "what are the consequences if there was a security breach?"
Your policy should highlight the key issues that present themselves and the consequences that could occur. For instance, if your company handles Social Security information, you want to ensure that information is always protected.
Conversely, you don't want policies that are too restrictive.
Sure, you could limit internet access to a select few websites, but that's impractical. Not to mention, if employees find the measures unreasonable, they'll find ways to work around them. Nobody wants that.
Even though all businesses implement different rules and security measures, there are a few crucial areas all acceptable use policies should address.
Companies should be asking, "which websites should we prohibit during the workday?" Of course, every company will differ slightly on the question. You may also ask, "which internet activities should always be prohibited on company networks?"
There are some obvious answers as well as some not-so-obvious ones. Some departments may need more access than others. It all depends.
Some of the more common website restrictions include:
- Social media sites: Facebook, Instagram, Twitter, Reddit, Pinterest
- Video/music streaming sites: YouTube, Spotify, Pandora, Apple Music, Vimeo
- Shopping/e-commerce sites: Amazon, eBay, Alibaba, Etsy, Overstock
- Job-hunting sites: ZipRecruiter, Indeed, Monster, Snagajob
- News sites: MSN, Fox, CNBC, CNN, TIME, USA, Yahoo, BuzzFeed, NBC, etc.
- Personal email accounts: Yahoo, Gmail, AOL, Hotmail
- Pornography, gambling, or any illegal website
Companies have a lot of sensitive and confidential data. Your staff must know your organization cares about protecting its data. All employee, client, service, product, or any other business information must be handled with the utmost care.
First, you need to identify where the confidential data is in your business.
Then, you need to explain the proper standards for sharing, handling, assessing, and storing the information.
(Side note: Make sure you have good backups in place where that information is stored so you never lose your data.)
Security should be a top priority for companies, especially since cyber attacks continue to rise. However, each company has its own security needs.
There are an infinite number of security policies companies could implement Here are some of the best practices many companies include:
- No public WiFi use on business devices
- Never, under any circumstance, should employees share company passwords
- Passwords should be updated at the company's set frequency, and they should follow the guidelines to a secure password
- Have a routine schedule for anti-malware, antivirus, and company software updates
- Never open suspicious email links or attachments. If a suspicious email is spotted, notify your IT team immediately. Do not forward or reply to it.
- Enable multi-factor authentication for all apps and programs that support it
- Keep all devices up to date with the latest security updates -- computers, laptops, cell phones, tablets, routers, software, etc.
- Disable social media websites unless it is for business purposes. Many social media sites contain malware and phishing scams.
You should also define standards for home networks if your employees are working remotely. A good example of this would be to make sure the router's password has been changed from the manufacturer's default password.
Cyber Incident Response Plan
No business is perfect. Even with an acceptable use policy and ongoing security awareness training, things happen. Hackers are crafty and continue to find the smallest of cracks in company's systems. That crack could even be a customer's system -- like how Target was breached through their HVAC vendor.
If something were to happen, there needs to be a response plan.
What should employees do? Who should they notify? If it's a major breach, who else should be notified? When should you call insurance? At what point do you call in forensic security experts?
These are all things to work up with your IT, legal, and insurance teams in advance -- that way you're prepared if the situation occurs.
Also, employees need to know there will not be retaliation for reporting a potential security incident. A problem will only get worse if employees are afraid to come forward.
Mistakes happen, and your business stands a better chance at a quick recovery if employees report the incident quickly.
Why You Need an Acceptable Use Policy
Having an acceptable use policy both educates your employees and protects your business. And with the COVID-19 pandemic, many individuals are working remotely, using home networks to process sensitive business data, which is why having one is even more essential today.
An acceptable use policy is only one component of a comprehensive security plan. Although having one is a good start, security is all about layers.
At VC3, we specialize in helping organizations reduce their risk through advanced cybersecurity solutions and IT support services.
If you're uncomfortable with your organization's security posture (or if you aren't confident in how tight that posture is), reach out to us anytime. We'd be happy to chat through your situation and provide a free cyber security assessment, whether you decide to work with us in the future or not.