Security Policies for SMB

Creating IT Security Policies for Your Small Business


In today’s “always-on” world, where everyone reaches the internet from multiple devices, some personal and some owned by your business, it is important to establish IT Security Policies. IT Security Policies define how employees are expected to use and interact with your computers, information systems, and network. Without clear expectations, inappropriate or uninformed employee usage can result in lost productivity, data loss, exposure to malware and cyber-attacks, and an increased risk of lawsuits.

Setting policies that work with your business begins with identifying what assets and information you want to protect. This may include computers, mobile devices, HR and payroll systems, customer data including payment and personal information, and proprietary business information. Once you’ve identified the assets and information that need protecting, identify who should have access to that information and establish guidelines for usage.

Here are some common IT Security Policies that small and medium businesses implement:

  • Physical Security
  • Password Policy
  • Internet Use Policy
  • Email Use Policy
  • Corporate Devices Policy
  • Personal Devices Policy
  • Data Security and Transfer Guidelines
  • Training Requirements

Physical Security

Establish policies that guide employees to secure laptops and devices both in and out of the office. A company laptop sitting on the passenger seat of a car is attractive to a thief, and the theft can cause significant damage to your business if that laptop and its logged-in account have access to confidential information. Requiring full-disk encryption (BitLocker on Windows, FileVault on macOS) on every laptop means a stolen device is a hardware loss rather than a data breach. In the office, employees should be in the habit of locking their screens whenever they leave their desk, backed by an automatic lock after a short idle period; a customer or service employee in the building should not be able to walk up to an unattended computer and access your databases and information.

Password Policy

Set clear policies on password strength, expiration, and sharing. Password strength refers to how hard a password is to guess. Many systems still enforce composition rules (a mix of uppercase, lowercase, numeric, and special characters), but current guidance (NIST SP 800-63B) favors a minimum length (at least 8 characters, preferably 12 or more, with long passphrases allowed) and screening new passwords against lists of common and previously breached passwords over composition rules, which tend to produce predictable substitutions such as “P@ssw0rd1!”. Once you have identified the requirements that work across your IT systems, share these guidelines with your employees so that they are prepared.

Forced periodic changes (for example, every three months) were standard advice for years, but NIST SP 800-63B now recommends against them: employees respond with minor, predictable variations of the old password, which weakens rather than strengthens protection. Instead, require a change whenever there is evidence of compromise, such as a breach notification, a phishing incident, or a password that was shared or written down. If a system you run or a regulation you are subject to still mandates rotation, state the interval explicitly in the policy.
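The following Python check is an added example, not part of the original article or Ariel IT's own tooling. It contrasts a legacy composition-rule check with a length-plus-blocklist policy in the NIST SP 800-63B style, and shows why the two disagree: “P@ssw0rd1!” satisfies every character-class rule yet is a trivially guessable password, while a long passphrase fails the composition rules and is perfectly acceptable. The blocklist, the leet-substitution map, the sample passwords, and the username and company name (“jsmith”, “Ariel”) are all constructed for illustration; a production check would load a large breached-password list instead.

```python
"""Password policy check: legacy composition rules versus length plus a blocklist.

Added example, not part of the original article. COMMON_PASSWORDS and the
sample passwords are constructed for illustration; a production check would
load a large list of breached and common passwords instead.
"""
import re
from typing import Iterable, List

# Constructed blocklist. Real deployments use tens of millions of entries.
COMMON_PASSWORDS = {
    "password", "password1", "welcome", "qwerty", "letmein",
    "changeme", "summer", "iloveyou", "admin",
}

# Undo the usual "leet" substitutions so P@ssw0rd is compared as "password".
LEET = str.maketrans("@$013", "asoie")


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ("...2024!"), then undo leet."""
    base = pw.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET)


def passes_composition_rules(pw: str, min_len: int = 8) -> bool:
    """Legacy rule set: at least min_len chars and one of each character class."""
    checks = [
        len(pw) >= min_len,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def check_password(pw: str, username: str = "", org_words: Iterable[str] = (),
                   min_len: int = 12, max_len: int = 64) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Follows the NIST SP 800-63B approach: a length floor (12 here; the
    standard's minimum is 8), a generous ceiling, a blocklist of common and
    breached passwords, no context words (user or company name), and no
    long runs of one character. No character-class requirements.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    norm = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        reasons.append("matches a common or breached password")
    # Context words (hypothetical username / company name) must not appear.
    context = [w.lower() for w in (username, *org_words) if len(w) >= 4]
    if any(w in norm for w in context):
        reasons.append("contains the username or company name")
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("contains a run of four or more identical characters")
    return reasons


if __name__ == "__main__":
    samples = ["P@ssw0rd1!", "Summer2024!", "Ariel2024Rocks!",
               "correct horse battery staple"]
    for pw in samples:
        verdict = check_password(pw, username="jsmith", org_words=("Ariel",))
        outcome = "accepted" if not verdict else "rejected: " + "; ".join(verdict)
        print(f"{pw!r}: composition={passes_composition_rules(pw)} policy={outcome}")
```

Running the script shows the first three samples passing the composition rules and failing the policy, and the passphrase doing the opposite. The normalization step (strip a trailing year or punctuation, undo @/$/0/1/3 substitutions) is what lets a small blocklist catch the large family of “Summer2024!”-style passwords that employees produce when a system only enforces character classes.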

Finally, employees should be instructed to never share passwords or accounts with other employees, family members, or even the IT department! Every employee is required to have their own account and their own password.

Internet Use Policy

This policy helps employees know what behavior is permitted or prohibited on company owned computers, devices, and networks. These guidelines address personal use, social media, and unapproved software.

When it comes to personal use of company computers and the network, there is no one-size-fits-all policy. An employee accessing their bank account to complete a transaction during their lunch break may increase productivity because they did not have to leave the office to drive across town. At the same time, excessive web surfing during work hours reduces productivity, which affects your bottom line. Use of social media such as Facebook, Twitter, and Instagram may be permitted or prohibited depending on the role; some roles require it, since the marketing team that posts to your social media accounts needs access to these services.

Installing unapproved software can result in accidentally installing malware or unlicensed copies of software. Policies should identify which software can be installed and how to request exceptions to install nonstandard programs that the employee uses to do their job.

Email Use Policy

This policy helps employees know what behavior is permitted or prohibited when using their company-provided email account and system. Using company email to conduct unrelated commercial activity, or otherwise misusing a business email address, can increase legal and security risks for your business. The policy should also tell employees how to recognize and report suspicious messages and attachments, since email remains the most common delivery route for phishing and malware.

Corporate Devices Policy

These policies govern the use and monitoring of corporate-owned computers and devices. Guidance on what may be installed on these systems, how employees may use them, and whether they have any expectation of privacy on these devices should be communicated up front. The policy should also tell employees exactly what to do, and whom to contact, in the event of a lost or stolen company device.

A managed services provider can help you implement Mobile Device Management (MDM) to enforce encryption and screen locks on company devices and to remotely wipe a device that is lost or stolen, reducing the risk of critical information being exposed.

Personal Devices Policy

Employees using personal smartphones and computers to access their work email, documents, and customer data will be more vigilant in protecting your business’s confidential information if they understand how and when using their personal devices is appropriate. Use this policy to identify the types of devices permitted, what security measures and prerequisites are required for employee devices to be approved, and what employees should do if their devices are lost, stolen, or compromised.

If your company does have a Mobile Device Management solution and enrolls personal devices in this program, inform your employees in your written policy when their device might be accessed, and under what circumstances data might be deleted on that device.

Data Security and Transfer

Set policies that define whether business data may be transferred over external networks or only on the company’s network. Decide whether your business will allow removable media, including USB keys, to move data between employees or to external parties. USB keys can store large amounts of data but are easily misplaced, and a drive from an unknown source can carry malware into your network; if you allow them, require encrypted drives and prohibit plugging in media of unknown origin. Shared drives such as Dropbox, Google Drive, and Apple iCloud Drive can facilitate sharing and improve productivity if your policies define permissible use, which accounts may be used, and what data may be placed there.

Training Policy

Defining and writing policies is the first step, but they will not guide behavior unless your employees are informed of new policies and updates and trained to follow them. Policies must have clearly defined consequences for violations, from verbal and written disciplinary action up to and including dismissal for malicious or repeat offenders. Include training for new employees and annual training for existing employees as part of your adoption plan, and have each employee acknowledge the policies in writing.

Ready to Get Started?

If you are ready to get started creating the right policies for your business, Ariel IT will work with your leadership team to understand your business and recommend best practices to protect your data and computer systems.