Your Computer Use & IT Security Policy: what to include
‘Why do I need a Computer Use & IT Security Policy?’ we hear you cry. Well, put simply, said policy will help protect your business from all kinds of nasty threats and risks. Like cybercrime, data loss (accidental or, we hate to say it, deliberate!), fraud and falling foul of the new Data Protection regs, AKA GDPR.
Convinced you need one now? Good, then let’s go! In this article, we’ll take a look at what your Computer Use & IT Security Policy might include. Of course, its exact contents will depend on the size and nature of your business, and the different jobs your team members do. But there are a few bits and pieces that should be included in any policy – and that’s what we’ll look at here.
Who can access what?
It’s all too easy to give everyone in your team carte blanche to access every programme on your network. But this really isn’t a good idea. Think about it – does the receptionist need access to your financial data on Sage or Xero? Do your sales team really need to know the ins and outs of your personal files? The simple answer is ‘No.’ So just give each individual person, or department, access to the files and applications they need to do their jobs.
Equally, it pays to think about who has access to the internet and company email accounts. Of course, this will be essential for many roles. However, say you’re a warehousing company and employ a number of people who spend all day picking and packing. The chances are, they won’t need to go online to achieve this.
The fewer staff members that have access to the internet, the lower your chances of being hit by cybercrime or data theft. So, hedge your bets and only let people go online at work if they need to. You’ll also save money, as you won’t be forking out for accounts and licences you don’t need.
Internet use at work
So, you’ve decided who can and can’t use the internet at work. Your next step is to define how they can use it. After all, it only takes one click on the wrong web link to unleash a deadly virus or ransomware attack which could leave your business tied up in knots.
Installing business-grade IT security measures will, of course, help protect your systems. But it’s also important to set down in writing what you expect from your team when they browse the web at work using company-owned devices.
Here are some ideas for content you might like to include in this section of your Computer Use & IT Security Policy:
- Always use your company email accounts when sending messages for work purposes. Never use your personal email.
- Only use the web browsers that we recommend, e.g. Chrome or Firefox, and don’t install unauthorised browsers on your PC.
- Don’t access your personal email or social media accounts on company devices.
- Access to unethical, illegal or offensive websites, including gambling sites, is strictly forbidden.
- Don’t install or download any cloud-based programmes or applications without permission from an authorised member of staff.
As well as telling people what they can and can’t do, there are other measures you can take to protect yourself, which you can also mention in your policy. These include:
- Setting up a two-stage download process, to help protect your network from infected email and internet files.
- Installing pop-up blockers to help prevent access to malicious web pages.
- Restricting access to cloud-based applications, so only people on a ‘need to know’ basis can use them.
- Reserving the right to monitor your employees’ email and internet use. (There are legal implications to this one and it’ll need to be reflected in your staff contracts as well as your Computer Use & IT Security Policy – ask your HR guru if you’re not sure).
Using personal devices at work
Do you let your staff hook up to your wi-fi on their personal smartphones and tablets? If so, you could be taking a big risk. As well as IT security implications, you’re also shooting yourself in the foot in terms of productivity. So, set some rules around personal device use at work. We’re not saying you need to be draconian about this, but there’s nothing wrong with restricting the use of personal devices to break times.
Equally, you’re well within your rights to stipulate the kind of internet content your staff can access at work. For example, bank accounts and personal email might be OK, whilst personal Facebook and Twitter accounts are off-limits during the working day. Of course, you can ban access to personal devices completely if productivity loss or security are serious concerns, but this isn’t usually necessary.
Social media for work purposes
Twitter, Facebook, LinkedIn et al can form a vital part of your wider marketing mix. They’re a great way to broadcast news to the wider world and respond quickly to questions and comments. On the other hand, social media can be something of a double-edged sword – and a death threat to your reputation when put in the wrong hands!
This is why the correct management of your company social media accounts should always feature in your Computer Use & IT Security Policy. Appointing staff you trust to do a good job is just the start. You need to set out what they can and can’t say, and how they should and shouldn’t behave online. This will avoid the wrong messages being sent into the ether, potentially damaging your business and putting you in the doo-doo.
The exact rules you set will naturally depend on the nature of your business. But a few basics for your policy might include:
- No commenting on competitor businesses, products or services.
- Not mentioning sensitive company or financial information, or personal details of staff members, suppliers or clients.
- Never giving your name or revealing any other personal data when posting (you can always invent a ‘persona’ for your staff to use online – a bit like Siri!)
- Not responding to obvious ‘trolling’ attempts.
From stationery to staff uniforms, food to floral displays, we’re willing to bet you buy stuff for your business online. This can be a risky business if you don’t set out some ground rules! There are lots of websites out there that are all too happy to take your money and send you nothing in return…and then empty your bank account or max out your credit card to boot.
To avoid these pitfalls, restrict online purchasing to sites and suppliers you trust. Keep your company credit card and account details safe, and only let trusted team members who genuinely need them to do their jobs use them. And don’t let people set up new accounts willy-nilly – put a Supplier Approval process in place and make sure a Works Order is raised for larger purchases. Having an audit trail will really help you keep track of your finances.
Finally, make use of the new Chrome security feature if you don’t already. When you open a website in Chrome, it will display the words ‘Not secure’ next to the web address if the site doesn’t have an SSL certificate, i.e. it’s served over plain HTTP rather than HTTPS. This means your data might not be encrypted if you enter bank or credit card details – so don’t take the risk. Click away and buy elsewhere.
Keeping tabs on email
Did you know that constantly checking, reading and responding to emails can seriously affect staff productivity? What’s more, cluttered email accounts full of unwanted or unnecessary messages can slow your systems down and cost you more than you need to pay for storage. So, it’s a good idea to encourage your team to follow a few best practice rules when it comes to email management.
For example, you could state in your Computer Use & IT Security Policy that emails are to be checked and dealt with no more than four times a day – say, every two hours. And emails that aren’t needed are to be deleted immediately, with a more thorough ‘cleansing’ carried out on a monthly basis.
You could be surprised by the effect this has on staff morale as well as productivity. It’s a proven fact that juggling reading and responding to emails with other tasks can be extremely stressful. Just being told that it’s OK to close down Outlook (or whatever) for an hour or two can be a huge weight off the mind – why not try it yourself?
Not sure where to start with your Computer Use Policy?
Don’t worry – the friendly team at RoundWorks IT is here to help! We can assess your individual company requirements and put a policy together that meets your needs and protects you in all the right places. We can even train and mentor your staff to make sure they fully understand the policy and why it’s important to toe the line.
So let’s get started – give RoundWorks a call on 0333 344 4645, email firstname.lastname@example.org or chat with us online today. We’re ready and waiting to hear from you!