While having your IT security infrastructure in place from a network and server perspective is important, perhaps one of the most critical aspects of managing your IT security is employee training. Employees are the gateway for hackers to get in and 87% of small businesses do not have any security policies in place at all. Something as simple as choosing an unsecure password, leaving a workstation logged in, or clicking the wrong link could have hackers into your network in a split second. We’re big on IT security training and policy implementation to ensure that doesn’t happen. Policies help your employees understand the expectations and give them a specified set of guidelines to help ensure that your network is protected. If you’re struggling to create a standard policy or unsure where to start, here are three technology security policies that every business should put in their employee handbook.
An e-mail policy.
It should be very clear in your e-mail portion of your employee handbook that e-mail is exclusively for business use. It should never be used to forward links, send personal files or conduct business outside of their job function. A standardized signature will help to ensure that company communications are easily identifiable. This is important from a cohesive branding perspective, but also has security value in the event that hackers attempt spearphishing. This blog offers a great example of a spearphishing campaign that attempted to steal e-mail signatures.
An internet policy.
Employees spend a lot of time online, and a lot of that time is time wasted on social media, shopping on Amazon or other websites that aren’t serving your business. While blocking websites is not possible in every environment, an internet policy can help give your employees a good set of rules that to follow when browsing. Some basics to include in your internet policy:
- The internet is for business purposes only, and should not be used to personal use. (This is can be difficult to avoid, but if there is a set policy, it can greatly reduce personal use.)
- Unauthorized downloads are prohibited. (This includes music, files, games, data or other programs).
- Access to personal e-mail accounts should not be done through company devices.
In addition to these items, you should also educate them on browsing best practices and the dangers of connecting to public wifi.
A network or data policy.
In order to reduce or prevent employees stealing data or taking data home to be worked on, it’s important that you specify that any data on the workstation is the property of your business and should not be copied or removed without authorization.
A password policy.
Employees should have a good understanding of password best practices when it comes to creating passwords for their user accounts. Employees should avoid passwords that include consecutive numbers or letters or use the word “password”. It’s important to maintain complex passwords with a special character, varying lower and upper case letters and numbers.
Maintaining the security of your data and network is everyone’s responsibility. While your IT provider will help put the basic parameters in place from a technology perspective, the better educated your employees are on technology security, the more likely you are to protected. Having policies and guidelines in place give your employees a set of rules to follow and will help avoid security holes that are common in many organizations that don’t implement policies.