Network Policies & Procedures: Do You Practice What You Preach?

Every organization has important rules. Just as importantly, those rules must be in writing and consistently enforced, not applied case by case. Key executives and top producers often skirt the rules with few or no repercussions. For general Policies & Procedures (P&P), this is bad enough: favoritism and unequal standards can, and usually DO, stir resentment within the workforce.

Uneven application of P&P can be disastrous with regard to network cybersecurity. The first question you should answer is: does your company have a written Acceptable Use Policy (AUP) for computer, network and internet usage? If so, is it a comprehensive policy, or just a general one along the lines of ‘don’t watch porn at work’? If you have none at all, why not?

Disciplinary actions for violating general P&P (dress code, harassment, etc.) should lie within the realm of Human Resources. Network P&P are different in one respect: ultimately they boil down to one very important thing, cybersecurity.

It is not good for your business if your top producer skirts authentication and security measures because they are inconvenient, especially when that laziness can bring about a security breach, or leave you out of compliance with the rules of the regulatory agency that oversees your industry. Note that the exception usually lands on exactly the wrong account: the executive or top producer who is exempted from a control is typically the person with the broadest access to sensitive data, and therefore the account an attacker most wants.

We spoke about Insider Threats in a recent blog post. Employee negligence is the leading cause of breaches and therefore the #1 Insider Threat. The responsibility for negligent breaches falls not only upon the errant employee, but upon management. When P&P are not enforced, human nature takes over: the people who should take them seriously stop doing so. When there are no subway cops, more people jump the turnstile without paying the fare.

Who is usually responsible for the policies and procedures related to data security?

At the core, all P&P are a product of the company’s vision and goals, so top executive management is ultimately responsible. The tasks of oversight and enforcement are delegated down to department and team management. As in many other areas, employee cooperation is a vital component. ‘Mary’ may be reluctant to ‘make waves’ when another employee is engaging in harassing behavior, so it is not uncommon for such events to be reported by a concerned third party.

It is not that easy with cybersecurity, because it is difficult to tell which P&P are being broken unless someone is looking over the shoulder of the abuser. This is where your IT people come into play, whether in-house or outsourced: they see the logs and monitoring data that a coworker never will. Their role is generally informational. They alert management that network policy enforcement is needed, and any disciplinary action then falls to Human Resources.

If you currently do not have a network Acceptable Use Policy (AUP), you need to create one now. Then you must implement strong and reliable enforcement procedures.

How do you set up an acceptable use policy?

Once the AUP is written, your two most important resources for its implementation are management to relay it to the staff, and your IT provider or internal IT department for the technical setup. Just from discussing this issue with other Managed Services Providers (MSPs) within the Charlotte IT community, it is clear that any MSP worth its salt will have been urging their clients to put these policies in place.

If you are still operating in the dark ages and using obsolete and unproductive ‘Break/Fix’ hourly rate ‘IT Guys’, you will probably find them less than helpful. Generally (not always), they do not have the knowledge or expertise to put together a strong policy – and they will bill you by the hour for whatever they come up with.

The simplest way is to have your Managed Services Provider produce the basic safety procedures. Once management meets with them in a fairly open forum to hammer out specifics, the procedures will dictate all or part of the policies. Your MSP should know your business, the kinds of sensitive data you handle and the regulatory requirements you must meet. They should have templates available, including their own internal written policies, so this is an easy start. F5 provides an in-depth analysis of policy enforcement.

Important general components:
Identify critical data and who is permitted to access it.
Address legal and compliance issues.
Establish a policy on the use of employee-owned devices with network access (iPhones, iPads, personal laptops, etc.).
Internet use in general, and social media in particular.
Feedback from staff.

Each industry will have unique specifics to add to the basic template.

Conclusion

No matter what your network use policies are, they must be in writing, with signed employee acknowledgements. Most importantly, if they are not enforced, then the threats to your network will not only become more frequent, but they will also become more successful.

Frequently Asked Questions

What is an example of acceptable use policy?

A: The University of Rochester sums up its own overview this way: “Refrain from monopolizing systems, overloading networks with excessive data, degrading services, or wasting computer time, connection time, disk space, printer paper, manuals, or other resources.” But that is generalized; your business and its practices will require very specific ‘Dos and Don’ts’.

What is network policy enforcement?

A: Enforcement is the end result of creating, managing, monitoring, and executing the written Policies and Procedures. The AUP governs the use of a company’s computers, access to the business network, and any other form of company communication.

The steps involved in enforcement vary, but generally consist of:
1) The IT person or team identifies a violation of network P&P and relays the information to management.
2) Management compares the information supplied by IT against the written P&P to confirm that a violation has occurred. This includes an investigation and an interview with the alleged transgressor to verify the violation; the logs or other evidence IT collected should be preserved before that interview takes place.
3) Referral to Human Resources for appropriate action.

What are elements of an AUP?

A: The National Education Association lists the nuts and bolts – outlined in Education World:
A Preamble
A Definition Section
The Policy Statement
Acceptable and Unacceptable Use Sections
A Violations & Disciplinary Action Section

What are possible consequences for not following the AUP?

A: Every business will have its own levels of punishment, but it should be made clear to every employee that violations can ultimately result in suspension or termination, and even criminal charges. Failure to follow the AUP can result in massive damage to the company.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and security assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation to ever use our IT Services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Planning an Office Move?

Contact us today! We have the experience to ensure a seamless transition. After the move, your employees will arrive at the new location to find their IT infrastructure ready and open for business!
For more information on office moves, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705