The Top 5 Tech Policies SMBs Overlook
Organizations—small- and medium-sized businesses (SMBs) in particular—typically want to get to work. Taking time to draft, implement and enforce information technology (IT)-related policies confirming proper computer-related behaviors isn’t always a priority. But, as seasoned business owners often come to understand, several IT policies are necessary to keep SMB operations running smoothly. While SMBs often implement a basic Internet usage policy stating the organization’s computers and network can’t be used for illegal activities and should only be employed for work purposes, several other technology policies are often overlooked. Unfortunately, these overlooked IT policies can prove essential to maintaining proper operations.
As even the US Chamber of Commerce notes, the number of businesses dependent upon technology to engage customers, market products and services and receive payments has skyrocketed. Proper guidance is required to help ensure all employees and users understand how to best manage their subsequent technology use. Yet, corresponding policies aren’t always present to help users understand what equipment can safely be connected to the company network, how data and information must be properly safeguarded and how daily workflows and requests for support should proceed. In other cases, different state and country laws might apply that, in fact, require a specific technology policy not only be in place but also prove publicly available.
Subsequently, several important policies—which provide a framework and guidance for proper operations—are often overlooked. Here are the top 5 IT policies all SMBs should ensure they haven’t neglected implementing.
1. Acceptable use policy
Among the very first technology policies all organizations—from small offices to nonprofits to larger businesses—should implement is an acceptable use policy describing the proper behaviors working with organization-provided data, networks, software and systems. As with all policies, the document should define which individuals—users, employees, volunteers, executives, managers, board members, etc.—are subject to the policy, describe how the policy is monitored and enforced, present recommendations for addressing any questions and describe potential penalties for noncompliance. Sometimes known as an AUP for short, effective acceptable use policies typically describe specific actions and behaviors that are permitted, as well as those that are prohibited, using the organization’s wired and wireless network connections, messaging platforms and email system. An AUP can also describe the rules for using the business’ website, social media accounts, applications and other technical resources, but such policies can also apply to general network services and Internet access. Organizations, subsequently, should consider including guidelines for use of the following technologies within their acceptable use policies:
- Wireless networks
- Wired networks
- Computer equipment
- Telephones
- Smartphones
- Internet connectivity
- Social media
- Cameras and webcams
- Applications
- Cloud services
Similar to a contract or a legal agreement, IT policies (and especially AUP documents) should strive to address gray areas. Consider including a section stating that, while effort has been taken to address specific topics within the policy, new technologies and equipment are routinely introduced into service. The section can further clarify that, just because a specific technology or system isn’t listed within the policy, the same rules and practices the policy presents and advocates should also be followed for any technologies not specifically listed within the policy.
2. Cybersecurity policy
One of the single most important technology policies for any organization is a document specifying proper cybersecurity expectations and practices. With state-sponsored malicious actors more enabled and active than ever before, a comprehensive cybersecurity policy is an essential component of any organization’s cybersecurity strategy. Only by educating users, ensuring they understand and recognize continually evolving and increasingly sophisticated attacks and maintaining awareness levels can organizations begin to properly secure their networks and data and protect against insidious ransomware attacks and other cyber-related exploits. To prove effective, cybersecurity policies should include guidance regarding all the following elements:
- Safe Internet and email usage guidelines
- Password complexity requirements
- Proper safeguards for protecting passwords
- Multifactor authentication requirements
- Phishing, spear-phishing, smishing and vishing tips
- Virus and spyware instruction
- Data encryption requirements
- Bring your own device (BYOD) parameters
- Social engineering tips
- Incident response steps
Fortunately, organizations aren’t on their own. Numerous authorities have developed guidance to help, including the FCC and CISA.
3. IT standardization policy
With organizations increasingly enabling work-from-home arrangements, it’s important both IT staff and users understand the specific software and equipment—company-issued computers, external hard drives, applications, cloud services, network gear, smartphones, etc.—and network connectivity options—including VPNs and multifactor authentication (MFA) options—considered authorized and acceptable. A trend that grew even stronger during the pandemic, bring-your-own-device (BYOD) questions should be addressed, too, within an IT standardization policy. Among the primary elements businesses should include within IT standardization policies are the following:
- What equipment should be connected to corporate networks
- Which applications are approved for use
- Approved MFA tools and software
- BYOD guidance
- Smartphone guidance
An IT standardization policy helps ensure users don’t accidentally or intentionally introduce unauthorized, unsupported or threat-surface-expanding technologies that place the company, its systems and data at risk. By describing and dictating the equipment, systems and connectivity methods supported and permitted by the company, such policies help organization users understand what devices can be used and how, even when working remotely or while traveling. And, when questions arise, such policies should provide guidance for users as to how to constructively route questions and receive assistance when circumstances require.
4. IT support policy
Many users, whether working directly within a corporate office or remotely from home, are unsure just what occasions warrant requesting service or from whom. Confusion can arise as to when it’s considered appropriate to report technical issues, create a service request or inquire about a security concern, and additional questions may arise as to the proper process to follow to request service or support. A properly drafted IT support policy addresses all those questions. Among the elements to consider within such a policy are the following:
- How to request service
- When to request assistance
- Where to direct help desk questions
- How to proceed when experiencing a suspected virus or spyware infection
- How to address potential security breaches
- How service response priorities are determined
Effective IT support policies should describe the kinds of technology services provided, while also setting expectations as to how service triage decisions are made (including after hours and on weekends and holidays). By ensuring users understand how and when to reach out for support, organizations can better ensure users make the most of available resources, while also improving the organization’s overall response to potential cybersecurity threats.
5. Privacy policy
Several regulations and requirements—including the California Privacy Rights Act, the Colorado Privacy Act, Virginia’s Consumer Data Protection Act and the European Union’s General Data Protection Regulation (GPDR) legislation—warrant every organization implement a privacy policy defining how the firm collects, manages and processes data. In general, privacy policies should define how an organization secures the data it collects and maintains, while also describing whether such data is shared or sold to third party companies. Increasingly, privacy policies also instruct visitors, users and customers how to access, modify, export or even delete their personal data an organization maintains. When constructing a privacy policy, firms should consider including the following elements, some of which are required by law in varying jurisdictions:
- A statement defining the website, application or system owner
- An explanation of which party actually processes collected data and information
- A description of what information is collected
- A description of the legal basis that permits collecting the data
- A statement describing the purpose for the data collection
- A description of how information is used, shared or sold
- A statement defining how long data is retained
- A statement noting whether data is transferred internationally
- A statement noting whether collected data is used as part of automated decision-making processes
- An explanation of the process used to notify users, visitors and customers of any changes made to the organization’s privacy policy
- Instructions informing users, visitors and customers how to access, review, modify or delete any of their data maintained by the company
- A statement of the data subject’s rights
In addition to those elements, privacy laws in place in various states and countries often require additional specific information, such as statements defining how any information collected for children under the age of 13 is collected and used. Unlike some other IT policies, which can safely be drafted in-house, to ensure compliance with various industry regulations, state laws and national legislation, organizations should work with legal counsel whenever drafting or revising privacy policies.
Continual process
Once SMBs draft and implement IT policies, the work is not done, however. To prove effective, technology practices must be monitored and policy stipulations must be enforced. As markets change, industries adjust and technologies evolve, SMBs must continually update technology policies to maintain pace. And, every time policies require updating, SMBs must then effectively communicate those changes to users, while also ensuring managers implement the corresponding changes and correct for noncompliance.
Getting started
Don’t fret if your office is missing a policy or two. While it’s best to promptly address any gaps in coverage, you need not start from scratch. Numerous ready-made policy templates are available, including from Info-Tech Research Group, SANS Institute and TechRepublic.
Such standard documents are a great way to get started, even if most firms require custom changes to match specific workflows, industry nuances or other needs. Should you have questions or need help drafting and implementing IT policies, contact a Louisville Geek specialist at 502-897-7577 or email [email protected].