Rules. Like it or not, we need rules, not just in society but in business. Every company needs to have rules governing various Policies & Procedures (P&P) in place – and enforce them. Naturally, these are crucial to massive corporations with huge Human Resources Departments, but too many Small & Mid-size Businesses (SMBs) skip this, feeling that, since they’re small, they don’t want to impose such formalities for fear that such P&P might disrupt the ‘boutique’ nature of their office.
WRONG!
Nope, that’s a big mistake at any level of business, especially when it comes to network and internet access. But P&P need to have teeth. North Carolina has a mandate in place concerning Sexual Harassment Training for companies with 3 or more employees, but it does not enforce harassment policies in a business. The lack of enforcement easily leads to sexual harassment litigation.
Now let’s talk about IT: any CEO who thinks that a lack of formalized IT P&P is harmless is leaving the company open to lawsuits and governmental fines or penalties levied in accordance with the North Carolina Consumer Protection Act (NCCPA) regulations.
Noncompliance penalties for NCCPA violations can be quite substantial, depending on the severity of the violation, which ranges from an inadvertent error to a willful disregard for the regulations. Add to that the civil litigation from clients whose confidential information became public due to company negligence.
On top of that, at the sole discretion of the NC Attorney General, an additional fine of $5,000 per violation can be levied. Let’s clarify that: say that you got hacked and 100 clients had their personal information revealed. That’s ONE HUNDRED violations, or $500,000. How many clients’ personal information do you have in your database? The AG fines kick the already high stakes into orbit.
It’s vital to have top-notch IT support and next-generation cybersecurity, but the Policies and Procedures a company should have in place also deal with employee productivity. The following are concerned solely with IT policies:
What to include in an IT policy?
The basic six ‘must have’ policies:
1: AUP (Acceptable Use Policy)
It’s crucial that the AUP is comprehensive, including how to properly use technology and data in the organization. It will also govern things like device security, such as requiring employees to keep devices updated. It should also specify where company devices are allowed to be used and forbid employees from sharing work devices with non-employees.
A solid Acceptable Use Policy should dictate how to store and manage data properly. It is wise that this policy require encryption for security.
2: Password Security Policy
Too many people are lazy – especially with passwords. According to CloudNine, 81% of hacking-related data breaches used stolen or weak passwords. Consider this: THE most used password in the world (by far) is ‘123456’. It takes ZERO seconds for a hacker to break that – it is the first thing they try.
It was just this kind of weak password that forced KNP, a 158-year-old UK transport company, to close its doors forever, with a loss of 700 jobs. The breach began with a brute-force attack against a single weak password, and when the company could not meet the ransomware demands, they simply went out of business. Don’t let this be you.
The policy should include mandates for employee education, use of a Password Manager, Multi-Factor Authentication (MFA), and a set time frame when passwords must be changed.
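A password policy only has teeth if something enforces it at the point where a password is set. The script below is an added example, not code from the article or from ITFIRM.COM; it assumes three rules that the article does not spell out (a 12-character minimum, a deny-list of the most common passwords, and no login name inside the password) and uses a small hand-written deny-list in place of a published common-password list.

```python
"""Password policy check (added example; not part of the original article).

Assumed policy values, labelled here and in the lead-in: a 12-character minimum,
a constructed deny-list of common passwords (the article names '123456'), and a
rule that the password may not contain the user's login name.
"""
from __future__ import annotations

# Constructed deny-list. A real deployment would load a published
# common-password or breached-password list instead of this sample.
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "qwerty",
    "abc123", "111111", "letmein", "welcome", "admin",
}

MIN_LENGTH = 12  # assumed policy value


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Case-insensitive match so 'Password' and 'PASSWORD' are caught as well
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the login name")
    # Reject passwords built from one repeated character ('aaaaaaaaaaaa')
    if password and len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True when check_password reports no violations."""
    return not check_password(password, username)


if __name__ == "__main__":
    for candidate in ["123456", "jsmith2024!", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, username="jsmith") or "ok")
```

The deny-list check is the part that matters most: the article's point is that ‘123456’ is the first thing tried, so a policy that rejects known-common passwords outright stops that class of guess regardless of length or complexity rules.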
3: Cloud & App Use Policy
This policy focuses on the use of unauthorized cloud applications by employees, which is a growing problem. CloudCodes estimates that the use of this ‘Shadow IT’ ranges from 30% to 60% of a company’s cloud use.
‘Shadow IT’ is when employees download and use unauthorized cloud apps to make their work easier, unaware of the security risk implicit in the use of unapproved apps. The problem is that the company’s IT support doesn’t know about these apps and cannot secure them. Often, employees don’t know that this is forbidden, so it must be written into the policy.
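Because IT cannot secure apps it does not know about, the practical first step is discovering them. The following is an added example, not code from the article or from ITFIRM.COM: it assumes IT keeps an allow-list of sanctioned SaaS domains and that the web proxy writes one line per request in a constructed ‘timestamp user host’ format; every host that is neither an approved domain nor a subdomain of one is reported, per user, as a candidate for review.

```python
"""Shadow-IT discovery from proxy logs (added example; not part of the article).

Assumed inputs: an IT-maintained allow-list of approved cloud application domains
and proxy log lines in a constructed '<timestamp> <user> <destination host>'
format. Hosts outside the allow-list are reported for review, not blocked.
"""
from __future__ import annotations

from collections import defaultdict

# Hypothetical allow-list of sanctioned SaaS domains.
APPROVED_DOMAINS = {
    "mail.example-corp.com",
    "office.com",
    "sharepoint.com",
    "salesforce.com",
}

# Constructed sample log lines for demonstration only.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z jsmith outlook.office.com
2024-03-04T09:02:45Z jsmith files.example-corp.sharepoint.com
2024-03-04T09:05:03Z mjones drive.freefilehost.example
2024-03-04T09:07:30Z mjones drive.freefilehost.example
2024-03-04T09:10:00Z akhan app.personal-notes.example
2024-03-04T09:12:18Z akhan na1.salesforce.com
"""


def is_approved(host: str, approved: set[str] = APPROVED_DOMAINS) -> bool:
    """True if host equals an approved domain or is a subdomain of one.

    The match requires an exact domain or a '.'-separated suffix, so a naive
    endswith('office.com') that would accept 'evil-office.com' is avoided.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in approved)


def find_shadow_it(log_text: str,
                   approved: set[str] = APPROVED_DOMAINS) -> dict[str, dict[str, int]]:
    """Map each unapproved destination host to {user: request_count}."""
    report: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        _timestamp, user, host = parts
        if not is_approved(host, approved):
            report[host][user] += 1
    return {host: dict(users) for host, users in report.items()}


if __name__ == "__main__":
    for host, users in find_shadow_it(SAMPLE_LOG).items():
        print(f"{host}: {users}")
```

The output is a review queue rather than a verdict: some of the hosts it surfaces will turn out to be legitimate tools that simply need to be added to the allow-list and brought under IT’s control, which is exactly the conversation the policy is meant to trigger.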
4: BYOD (Bring Your Own Device) Policy
While the BYOD approach is the norm in business, being cheaper for the company, it is a huge cybersecurity risk. Zippia estimates that approximately 75% of employees use their personal smartphones for work, so a clear BYOD policy needs to be in place.
If a personal device can access the office network, certain cybersecurity measures must be required, as well as the installation of an endpoint management app. How, and how much, employees are compensated for the business use of personal devices varies among employers, but this needs to be included – as well as mandates that the device’s Operating System (OS) and the apps pertinent to the business be kept updated.
5: Wi-Fi Use Policy
In a survey performed by Spiceworks, 61% of respondents said that employees connect to public Wi-Fi for business, whether the device is personal or company owned. Public Wi-Fi is generally insecure and always a danger, as hackers lurk there – where login credentials can easily be stolen.
Your Wi-Fi use policy needs to dictate what employees must do to ensure they have safe connections. It is advisable that a company VPN (Virtual Private Network) be installed and its use required. The policy may also restrict what activities employees can and can’t do when on public Wi-Fi. The smart money is to forbid entering passwords or payment card details into a form in such an insecure environment.
6: Social Media Use Policy
Obviously, you don’t want employees fooling around on social media all day, but when using it for business, like with LinkedIn, it must be addressed.
Some of these details should be included in your social media policy:
- Restrict when and how much time employees can spend on personal social media.
- Restrict company information employees can post.
- Identify ‘safe/unsafe selfie zones’ or facility areas that should not be posted anywhere.
Frequently Asked Questions
Who sets the policy?
The final word is generally executive management’s, but it’s imperative that the decisions are made in cooperation with, and with input from, the company’s IT services.
How are organizational policies enforced?
It may vary from department to department, but when it comes to IT issues, the IT department or outsourced service would monitor network/internet use and then report violations to management for assessment. Generally, it falls upon Human Resources (HR) to speak with the offender and impose any penalties for non-adherence.
Is a VPN Good for Public WiFi?
WITHOUT A DOUBT. A VPN (Virtual Private Network) encrypts your internet traffic, so that even if a hacker steals your information, they can’t read it. A VPN also renders you anonymous when accessing the web on public Wi-Fi.
Are BYOD stipends taxable?
That depends on the state and whatever compensation structure your company provides. Using your personal device for work is often viewed as a company business expense and in many cases does not need to be claimed as income. Check with your accounting department or person.
How secure is your network?
As a longstanding, reputable member of the Charlotte IT Support community, ITFIRM.COM offers a FREE, no-risk network and security assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation ever to use our Managed IT services.
The two best defenses are next-generation network security to protect your data from theft, and a top-notch Managed Services Provider (MSP) to ensure continued reliability and defenses against newly emerging threats.
We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
Among the Managed IT services we provide:
- IT HelpDesk Service
- Onsite IT Support
- Cybersecurity
- Cloud migration and management
- Email migration services
- Backup and disaster recovery
- VoIP phone systems
- IT disposition and recycling
- Office moves
- White label services (IT to IT)
Planning an Office Move?
Contact ITFIRM.COM today! We have the experience to ensure a seamless transition. After the move, your employees will arrive at the new location to find their IT infrastructure ready and open for business!
For more information on moving services, or to receive your FREE no-risk network and cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705