The rapid shift to remote working driven by the COVID-19 pandemic has brought increased cybersecurity risks and attacks. Having the right security policies in place—and consistently enforcing them—can help keep your organization safe. One key priority for companies is putting in place effective acceptable use policies for workplace technology.
What is an acceptable use policy?
An acceptable use policy sets clear boundaries on behavior for using company resources and data. A strong policy, reinforced with user training, can help create a secure foundation for your organization.
Responsibility for developing, delivering and enforcing the acceptable use policy should be shared between HR, legal, IT security, and IT support stakeholders. The policy helps limit insider threat risk—the risk from actions of employees, consumers, contractors and vendors. Anyone permitted to interact with your company’s IT infrastructure should know exactly what is expected of them—and what is forbidden—through the policy.
Operating without a clear acceptable use policy can increase risk of things like:
- Accidental data breaches—e.g. sensitive data leaking outside your organization because employees copied it to their personal cloud storage accounts.
- Business operations disruption—e.g. data loss and disabled networks because inappropriate web browsing introduced ransomware.
- Reputational damage—data breaches that become public can harm brand and investor confidence especially if the breach was easily avoidable.
What should an acceptable use policy cover?
Comprehensiveness and clarity are the two things to focus on in an acceptable use policy. You have to think through the technologies that users interface with, the services they use, and the misuse and mistakes that can happen. You also have to think through how users will understand the policy and its application. You want to encourage acceptance, and reporting of violations by all users—not just ordinary employees. Risk won’t be reduced if users aren’t complying and supporting compliance. The following are recommendations for a robust policy.
Cover both inadvertent and intentional actions of users
Use clear, plain language to promote understanding and acceptance. Things that might not be permitted include:
- Checking personal emails using a work computer—this could introduce an unmonitored attack vector for phishing, ransomware and other malware.
- Storing company data on personal storage—data breaches or theft may occur from poorly secured or maliciously used personal storage accounts.
It can also help to offer examples of permitted alternatives
This is important where corporate assets are not used solely for business purposes, or where employees might expect some leeway in internet usage and time management. Examples:
- Using a company smartphone to check the weather on the way to a meeting. No-one wants to get caught in the rain.
- Reading the headlines of a popular news site during a lunch break. Reputable mainstream news sites tend to be relatively low-risk.
Make clear how policy compliance is monitored and enforced
Monitoring could include an anonymous tip-line, random audits, web proxy logging, etc. Knowing that compliance is monitored encourages voluntary reporting, and it can deter violations.
Cover every user
Too many organizations grant exceptions to management and leadership. However, attackers need only one weak point to gain entry, and common gaps and mistakes make it easy for them. Additionally, users are less likely to report policy violations if they’ve seen prior violations go unaddressed.
Cover social media use
The policy should cover users in roles that require them to post on behalf of the company, as well as those who do not require direct access. It’s important that users know exactly what is appropriate.