IT Policies That Every Small Business Should Have
When small businesses are first starting out, many haven’t yet come up with policies on things like handling email or internet use during work hours.
But as employees are added and the company grows, not having use and security policies in place for things like email, internet, and computers/devices can cause all kinds of issues.
For example, 77% of employees access their social media accounts while at work, and 19% average 1 full hour a day spent on social media instead of working.
This often happens because there aren’t specific guidelines in place that tell employees what the company policy is when it comes to internet use while on the clock.
Beyond the productivity costs, your data security is at risk if you haven’t established specific company policies related to things like where sensitive files can be stored or how to handle unsecure Wi-Fi when accessing company data away from the office.
For Sydney area businesses wondering how to get started with IT policies, we’ve put together some of the most important technology-related policies that every small business should have in place for their team.
Planning Your Small Business IT Policy
IT policies govern multiple areas of how technology and data are handled within your organisation. They cover everything from use of work email for personal reasons to how a new user is provisioned a computer or tablet.
Small businesses may not have hundreds of employees to govern, but technology use and security can still quickly get out of hand if you don’t have written technology procedures and policies in place that employees can be trained on and can refer to as needed.
Here are some of the most important IT policies to have in place at your office.
Security & Data Handling
Between 1 April and 30 June 2019, the Office of the Australian Information Commissioner (OAIC) received 245 data breach notifications, and 34% of them were due to human error.
One of the most important IT policies you need is on cybersecurity and how employees are to handle data. This includes compliance with data privacy regulations.
Some policy examples that could be included with IT security requirements are:
- All employees must use our password generator to create a strong password for all company logins.
- Laptops and other company mobile devices must be signed out by each employee.
- Company computers are not to be used to create or store personal files without written permission from the employee’s manager.
- Employees must use the company-supplied Virtual Private Network (VPN) to connect to business applications when not on the company’s on-premises Wi-Fi.
Security policies should cover the following areas:
- How device security is handled (patches, antivirus, etc.)
- How network security is handled (firewall)
- Relationships with managed IT service providers
- Physical device and screen security
- Password management
- Mobile device security
- How security awareness training is handled
Can an employee use company email to send out a personal request for a child’s fundraiser? Are they allowed to add their company email account to their personal PC to check email at home?
These are just a couple of the questions that you’ll want to address in your email use policy.
You may want to have employees only access their email on a company-approved device or cloud-based interface rather than risk having sensitive company information stored on an unsecure personal computer. Or you might be fine with someone wanting to check email from their home computer.
Whichever you decide, that, along with other email handling policies, should be written down so employees know what to do.
A big productivity drain in certain offices is personal internet use at work. This can be going online to check social media or doing some online shopping during working hours.
While most good employees know instinctively that these types of activities would be frowned upon at work, it’s a good idea to clearly lay out your policies for internet use so everyone knows what they are.
This could include things like:
- Use of social media sites
- Online shopping
- Approved and non-approved sites to visit while on the company network
- Approved browsers and extensions that can be used
- Whether employees are allowed to save company passwords in a browser
Many companies save themselves time and frustration by using a web protection tool that allows them to automatically block access from the company network to certain dangerous or unproductive websites.
Device Provisioning and Use
If you’re reusing a computer from the accounting department for a new marketing employee, what happens to any confidential company data or accounting information on that device?
An IT policy related to device use and provisioning can help clarify that managers should ensure a device is fully backed up and then cleaned of data before provisioning it to a new employee. This can reduce both security risk and the risk of data loss.
Device-related policies should include things like:
- How and where a device should be backed up
- Who is responsible for a company-issued laptop or mobile device if lost, damaged, or stolen
- How devices are to be secured (physically and via screen locks)
- Which devices can and cannot be taken out of the office
- What applications can and cannot be downloaded onto company devices
Automate IT Policies with a Managed IT Services Plan!
Small businesses can reduce the administrative burden of enforcing IT policies by signing up for managed IT services with GKM2. Our security services include web protection (allowing you to natively block websites based on categories with the database updated daily), patch and update management, and much more.