Adopt an Acceptable Use Policy: Help Your Employees Keep Your Network Safe
Just how important is drafting and adopting an acceptable use policy? It could mean the difference between employee compliance and unintentionally negligent online behavior.
Giving your employees a sleek new laptop, top of the line mobile device, and a shiny new workstation is a natural part of life for small to medium sized business owners. While most employees will never knowingly engage in behaviors that put your network at risk, there is always the chance that their online presence can open doors for hackers to enter your network unchecked. Adopting an acceptable use policy is a way to make sure your employees use their company-issued devices for work rather than watching cat videos on You Tube, shopping the best online deals, and going places online that place your network at risk.
An acceptable use policy is a way to remind your employees that, while at work, their online activities may be monitored and that when your teams are working on company-issued devices, their activities are not necessarily private. While these “spy powers” should never be abused, they should be taken very seriously by everyone in your work force. You may feel there is a certain line that shouldn’t be crossed, but in today’s ever-evolving world of cybercrime it’s imperative that you rein in unwanted and potentially risky online behaviors. Special precautions must be taken to protect your devices, your Wi-Fi connections, and your network from accidental employee negligence.
You won’t be alone in monitoring your employees’ online presence. It’s estimated that 80% of businesses keep track of employees’ usage of the internet, from browsing to checking personal emails. Not only do these companies drastically reduce the chances of a cyberattack, they find that monitoring internet usage for employees increases productivity as well.
What is an Acceptable Use Policy?
An acceptable use policy is a written document that outlines acceptable and unacceptable behaviors for employees using work-issued devices. It is also known as an “acceptable usage policy” or a “Fair use policy.”
An acceptable usage policy is drafted by IT administrators, business owners or other administrative officers to clearly define the use of devices issued by the company. The document will cover online activities, phone usage guidelines, private email use and more.
Drafting Your Acceptable Use Policy
Your acceptable usage policy should contain five key points.
1. An introduction to the document: This preamble will explain why the policy is being adopted and the end goals of the policy.
2. Terminology: This section will define key terms that will be used throughout the document. It takes the guesswork out of vague terms that could be considered “loopholes” for employees.
3. Scope of the Document: This section covers who must adhere to the policy. Make sure to incorporate everyone that has access to work-issued devices, such as:
- Full time employees
- Part time employees
- Independent contractors
- Remote workforces
This section might also cover specific usage times, such as whenever employees are on the clock or excluding breaks. It should be noted that to be most effective, the policy should remain in effect at any time a work device is being used regardless of whether the employee is “on duty” or not.
4. Policy: The policy is the part of the document that clearly outlines unacceptable and acceptable usage of work-issued devices. While this needs to be as comprehensive as possible, make sure you are allowing the employee access to whatever information they need to efficiently do their jobs. This is the point where you can specify what will be deemed safe online behavior and prohibit risky behaviors. Some points to include may be:
- Social media interactions
- Private email use
- Online browsing
- Using work email addresses for personal reasons
- Storing personal files on work devices
- Uploading and downloading personal files including photos and music
5. Penalties: Your teams should be aware of the potential repercussions from your company if they are found to be in breach of the acceptable usage document. You can implement a “zero-tolerance” policy, but it’s generally recommended to stick to a warning system or a “three-strike rule” when handling these incidents before taking more punitive steps.
Signing the Acceptable Usage Policy
The acceptable use document should be printed out and hand-signed by every employee within your company. A signed copy should be kept in the employee’s file.
A copy of this policy should be given to the employee as well, and a space on the original document should be provided for the employee to acknowledge physically receiving the policy.
This signature is your protection if the employee is found to be in violation of the policy, and it can help limit your liability in case of a data breach caused by employee negligence. While you will still be responsible for the breach, it is valuable to prove that you have an acceptable use policy in place, signed by all employees and enforced company wide.
Small to Medium Sized Companies Need Acceptable Use Policies
You may be thinking that your business is too small to need an acceptable use policy. Keep in mind that small to medium sized businesses make up nearly half of all cybercriminal activity. Then, consider that many data breaches are due to employee negligence in some form or another, with an estimated 92% of malware being installed via email.
An acceptable use policy will help reduce the possibility of an employee accidentally unleashing malware while performing “unsanctioned” online activity.
Remember that an acceptable usage policy not only reduces your threats, it also boosts employee productivity. That’s a good thing, no matter the size of your business.
Legal Considerations When Drafting an Acceptable Usage Policy
There are always legal considerations in every move you make as a business owner and adopting an acceptable use policy has a few of these as well.
- Federal data privacy laws: If your industry is governed by specific rules and regulations, make sure they are incorporated into your acceptable use document. One example would be HIPAA regulations for the healthcare industry.
- State data security regulations: Make sure your acceptable use policy covers any state laws regarding data privacy and security.
- Jurisdiction: Plainly outline in your document where and when the policy applies, such as during work hours only or any time the work-issued device is used.
- Individual responsibility: Individuals must understand that they will be held accountable for any damages incurred as a result of not following the acceptable usage policy.
- Applicable monitoring laws or requirements: There may be local laws or considerations when you are drafting your acceptable use document. Your employees may be unionized, for instance, which can dictate the amount of monitoring allowed in the workplace. Some monitoring activities are limited by state and federal laws. Some types of monitoring may even violate the Fourth Amendment of the Constitution. Make sure that your monitoring activities are well within the legal limits.
Enforcing Your Acceptable Use Policy
You are within your rights to enforce the acceptable use policy. Remember that you own the equipment and the network, giving you the authority to decide how it is used. An acceptable use policy will clearly state how you can monitor the rules you set within the document, if they are within the law.
BYOD Acceptable Use Policies
If your workforce uses a BYOD (Bring Your Own Device) operating model, you are more limited in what you can legally include in your acceptable usage document. In these cases, the policy may focus on things such as:
- Outlining who, other than the user, can use the device once proprietary information has been installed
- Guidelines for reporting lost or stolen personal devices
- Inappropriate postings, downloads and uploads and other content while on the company network
- Expectations following the employee’s separation from the company
Enforcing the policy becomes a little trickier here, so make sure to check all the legal implications of creating this policy for your BYOD workforce before implementing it in your workforce.
Acceptable Use Policies Can Lower Your Liabilities
Risky online computer behavior can take many forms. Just a few examples include:
- Downloading illegal files
- Illegal activities
- Industry violations such as HIPAA or SOX
- Uploading offensive content to sites
- Clicking risky links
Having an acceptable use policy provides you with a limited safety net. It may not remove liability from your organization completely, but the courts will be far more understanding if you can produce a signed acceptable usage policy in the case of criminal activity, industry violations, or data breaches. The acceptable use document proves that your company took steps to address potential online offenses in advance of an incident.
Adopting an Acceptable Usage Policy as Part of Your Cybersecurity Awareness Training
Since all employees should take a cybersecurity awareness training class, this becomes the perfect platform for introducing the acceptable use policy to your workforce. A clearly defined acceptable use policy is more effective when it’s presented as a module in your company’s training classes. When your document is introduced this way, it:
- Reminds employees why the acceptable usage policy is necessary
- Removes the “responsibility” for implementing the policy from your administration department
- Covers each topic in the policy at length, allowing a deeper understanding of the policy
- Allows employees to ask questions or address concerns before signing the document
- Can be routinely updated with each cybersecurity awareness class refresher
Whether you have an existing policy that needs to be updated or you are interested in drafting a new policy for your company, Iconic IT can help. Iconic IT can guide you in drafting and launching your acceptable use policy ensuring it is compliant with laws, complete, and easily understood by your workforce.
Contact Iconic IT for a free, no obligation consultation and let us help you write and implement a comprehensive acceptable usage policy for your company today.
About Iconic IT
Iconic IT provides the technology services that small to medium-sized businesses need to survive and thrive with a “no surprises” flat fee. We offer cloud-based solutions, a cutting-edge cybersecurity platform, and fully managed or co-managed computer IT support options. Our focus is on providing highly responsive computer IT support and strategic guidance to help our clients achieve their goals.