You MUST Have These IT Policies

Big or small, every business needs to have a set of Policies & Procedures (P&P) in place – and they must enforce them. A gardener who works his schedule of homes with a helper has them – even if they are not written. There are instructions for how to use and store tools, and how to interact with customers at the homes they visit.

Formal, written P&Ps are standard at large corporations with big Human Resources departments, but many Small & Mid-size Businesses (SMBs) do not bother. Perhaps they feel that, since they are small, such formalities would disrupt the ‘boutique’ nature of their office.

This thinking is just plain wrong. California, for example, mandates Sexual Harassment Training for companies with five or more employees, but the state does not enforce harassment policies inside a business; that is up to the business, and a lack of enforcement can easily lead to sexual harassment litigation. P&P are equally important when it comes to network and internet access.

If a CEO thinks that a lack of formalized IT P&P is harmless, he or she is leaving the company open to lawsuits and to government fines or penalties under the CCPA (California Consumer Privacy Act). (The CCPA itself only reaches businesses that meet its thresholds, roughly $25 million in annual revenue or handling the personal information of 100,000 or more consumers or households; smaller firms still face California's general data-breach statute and the breach-notification laws of every state where their customers live.)

The CCPA exposure can be substantial. A consumer whose nonencrypted and nonredacted personal information is exposed in a breach caused by a business's failure to maintain reasonable security can sue for statutory damages of $100 to $750 per consumer per incident (or actual damages, if greater). Let's do some math: a breach affecting 100 clients puts you on the hook for between $10,000 and $75,000, with the court setting the amount based on the seriousness and persistence of the misconduct and on whether it was an inadvertent error or a willful disregard for the rules. That is separate from the administrative fines a regulator can impose, which run to $2,500 per violation and $7,500 per intentional violation. Add the cost of investigating and notifying, plus the reputational damage of clients' confidential information becoming public through company negligence, and you are easily talking about a devastating financial impact.

It's not enough to simply have top-notch IT support and next-generation Cybersecurity in place. The Policies and Procedures a company should have also deal with employee productivity and with end users' interaction with, and use of, the network and internet. The following are concerned solely with IT policies:

What is in an IT policy?

These six basic policies should be included:

1) Password Security Policy

CloudNine states that 81% of hacking-related data breaches use stolen or weak passwords. Consider this: THE most used password in the world (by far) is ‘123456’. It takes ZERO seconds for a hacker to break that – it is the first thing they try. Network access should depend on minimum standards for password creation. For example, a minimum of 12 characters, with passphrases encouraged; if you also require upper and lower case letters, numbers and symbols, be aware that current NIST SP 800-63B guidance rates length and screening against lists of known-breached passwords (so that ‘123456’ and ‘Password1!’ are rejected outright) well above composition rules.

The policy should also include mandates for employee education, use of a Password Manager, Multi-Factor Authentication (MFA), and a rule for when passwords must be changed. NIST now recommends forcing a change on evidence of compromise (a breach, a phishing incident, a departing employee who knew a shared credential) rather than on a fixed calendar, because scheduled rotation mostly produces predictable variations of the old password.
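As an added illustration (not code from the original article), here is how the rules in this section can be checked mechanically at password-set time. The assumptions are mine: a 12-character minimum, an optional composition rule that is off by default, a rejection of passwords containing the account name, and a constructed handful of breached-password SHA-1 hashes standing in for a real breach corpus, looked up with the k-anonymity prefix method the Have I Been Pwned range API uses, so the full hash never leaves the machine.

```python
"""Password policy checker (added example; not from the article).

Assumptions: 12-character minimum, composition rule optional, a tiny
constructed breach corpus, and an HIBP-style k-anonymity range lookup.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed stand-in for a breached-password corpus (the real one has
# hundreds of millions of entries): upper-case SHA-1 hex digests, which
# is the format the Have I Been Pwned range API returns.
BREACHED_SHA1: Set[str] = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "Password1!", "letmein", "Welcome2024!")
}


def pwned_range_lookup(password: str, corpus: Set[str] = BREACHED_SHA1) -> bool:
    """k-anonymity range check: only the first 5 hex characters of the SHA-1
    would be sent to the service, the service returns every suffix sharing
    that prefix, and the exact match is decided locally. Here the 'service'
    is the constructed corpus above, so this runs offline."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    returned_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in returned_suffixes


@dataclass(frozen=True)
class Policy:
    min_length: int = 12                 # length beats composition rules
    max_length: int = 128                # generous cap so passphrases fit
    require_mixed_classes: bool = False  # NIST SP 800-63B discourages this
    min_classes: int = 3                 # used only when the flag above is set


CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def _is_sequential(digits: str) -> bool:
    """True for runs like 123456 or 987654: every step is +1 or -1."""
    steps = {ord(b) - ord(a) for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps.pop() in (1, -1)


def check_password(password: str, username: str = "",
                   policy: Optional[Policy] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    policy = policy or Policy()
    problems: List[str] = []

    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")

    # Context-specific words: the account name (or its reverse) in the password.
    if username:
        u, p = username.lower(), password.lower()
        if u in p or u[::-1] in p:
            problems.append("contains the account name")

    # Trivial patterns: one repeated character, or a run of consecutive digits.
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    elif re.fullmatch(r"\d+", password) and _is_sequential(password):
        problems.append("sequential digits")

    if policy.require_mixed_classes:
        classes = sum(1 for pat in CLASS_PATTERNS if re.search(pat, password))
        if classes < policy.min_classes:
            problems.append(f"uses {classes} character classes, policy needs {policy.min_classes}")

    # The check that matters most: has this exact password already leaked?
    if pwned_range_lookup(password):
        problems.append("appears in a known breach corpus")

    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "alice2024!!", "correct horse battery staple"):
        verdict = check_password(candidate, username="alice") or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note that ‘Password1!’ satisfies every classic composition rule and still fails, because it is in the breach corpus; the 28-character all-lowercase passphrase passes the default policy but would be rejected if `require_mixed_classes` were turned on, which is exactly the tension NIST's guidance resolves in favour of length plus breach screening.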

2) Acceptable Use Policy (AUP)

Don’t just throw together an Acceptable Use Policy. It needs to be comprehensive, including how to properly use technology and data in the organization. It will also govern things like device security, such as requiring employees to keep devices updated as well as where company devices are allowed to be used. Employees sharing work devices with non-employees should be expressly forbidden.

The AUP should dictate how to store and manage data properly. It is wise that this policy require encryption of company data at rest and in transit; beyond the security benefit, the CCPA's private right of action covers only nonencrypted and nonredacted personal information, so encryption is also a legal safeguard.

3) Bring Your Own Device (BYOD) Policy

The BYOD approach is the norm in business, especially in small businesses. Zippia estimates that about 75% of employees use their personal smartphones for work. This saves companies money, but it can also cause Cybersecurity issues if a clear BYOD policy is not in place.

Cybersecurity measures must be required before a personal device is allowed to reach the office network, including installation of an endpoint management (MDM) app so IT can enforce a screen lock, encryption, and remote wipe of company data. The manner and amount of compensation employees receive for the business use of personal devices varies among employers, but this needs to be included, as well as mandates for keeping the device's Operating System (OS) and the apps used for business updated when updates are available.

Simply put, without a management agent your IT support may not be aware of unvetted apps on a personal device until they cause a Cybersecurity problem.

4) Cloud & App Use Policy

Across the board, a growing problem is the use of unauthorized cloud applications by employees, and this needs to be addressed. CloudCodes estimates that the use of this ‘Shadow IT’ ranges from 30% to 60% of a company’s cloud use.

Employees download and use unauthorized cloud apps to make their work easier, unaware of the security risk implicit in the use of unapproved apps. Employees don't necessarily know that this is forbidden, so it must be written into the policy, along with a simple way to request approval of a new tool; a policy that only says ‘no’ drives the usage underground rather than stopping it.

5) Wi-Fi Use Policy

Public Wi-Fi is always a risk. Anyone on the same network, or running a rogue access point with a familiar name, can see unencrypted traffic and tamper with captive-portal or non-HTTPS pages, so login credentials can be stolen. In a survey performed by Spiceworks, 61% of respondents said that employees connect to public Wi-Fi for business, whether the device is personal or company owned.

A good Wi-Fi use policy needs to dictate what employees must do to ensure they have safe connections. It is advisable to require a company VPN (Virtual Private Network), installed and configured by IT, whenever a device is on a network the company does not control. The policy may also restrict what employees can and can't do when on public Wi-Fi. The smart money is to forbid entering passwords or payment card details into a form in such an insecure environment.

6) Social Media Use Policy

Social Media can be a drain on productivity, so you don't want employees fooling around there all day. When it is used for business, as with LinkedIn or Facebook, that use must be addressed too.

These details should be included in your social media policy:

  • Restricting when and how much time employees can spend on personal social media.
  • Restricting company information employees can post.
  • Identifying “safe/unsafe selfie zones” or facility areas that should not be posted anywhere.

Frequently Asked Questions

Who sets the policy?

A: This falls into the arena of executive management, but with input and cooperation from the company’s IT services.

How are organizational policies enforced?

A: When it comes to IT issues, the IT services department or outsourced Managed Services Provider (MSP) would monitor network/internet usage and then report violations to management for assessment. Generally, it falls upon Human Resources (HR) to speak with the offender and impose any penalties for non-adherence.

Is a VPN Good for Public WiFi?

A: Yes. A VPN encrypts your traffic between the device and the company's VPN endpoint, so someone on the same public Wi-Fi cannot read or tamper with it. It does not make you anonymous, and it moves your trust to whoever runs the VPN, which is why a company-managed VPN is preferred over a random consumer one. Still, using public Wi-Fi should be avoided as a general rule.

Are BYOD stipends taxable?

A: While we at ITFirm.com are not tax accountants or attorneys, it is our understanding that the compensation your company provides for the business use of a personal device is a company business expense and does not need to be claimed as income by the employee. Check with your tax professional.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and security assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation ever to use our IT services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Need input in putting together IT policies?

Contact us today! We have helped draft, or written outright, IT policies and procedures for many types of companies. For more information, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705