SME survival guide: What should your IT policy include?
All businesses have policies on matters from maternity leave to grievance procedures, which are shown to new staff members on arrival. Once a recruit has been briefed on the really important things – such as where the teabags are kept and how it’s decided what station the office radio is tuned to – there will also be a bundle of paperwork to read and sign.
When it comes to IT, social media policies are probably the most prevalent – these advise employees on proper usage and whether or not it’s okay to post in working hours. But someone potentially being rude about you online, or scrolling through Twitter on your time, is only a small part of the risk when it comes to staff and tech.
Exposure to cyber threats
Improper or irresponsible use of IT can expose your business to cyber threats, such as viruses or phishing emails, or lead to the sharing of sensitive information – not to mention the breaking of new GDPR laws.
An IT policy – or policies – can therefore help to guard against such serious problems. By clearly describing how technology should be used in your business, the policy will ensure everyone is clear on what they can and cannot do when using your computers, networks, websites or systems.
As with all policies, short and sweet beats long and detailed, and there are plenty of sample templates around online to get you started.
Setting out what’s fair
Start with a general statement of what constitutes fair use of email, the internet and any company devices. Be clear on what the rules are concerning BYOD (bring your own device). Establish a sensible code of conduct.
How should a staff member log onto the network? What websites can they visit?
Leave no room for confusion on the unacceptable uses of business systems. This tends to include actions such as looking at offensive or indecent material, breaching someone else’s privacy or saying something libellous or defamatory on company emails or social media.
In your business culture, what’s the right way to talk to a client or supplier in an email? Take this opportunity to address the etiquette you would expect from anyone representing your company.
What are the consequences?
The policy should say what will happen if this code of conduct is broken. If you would consider monitoring staff email and internet use, make sure they know it. Use this document to detail how surveillance may be carried out and under what circumstances.
Be clear that serious breaches may mean disciplinary action or even dismissal – which of course are whole other areas of company policy.
Bring it to life
Savvy companies make sure their IT policy documents live and breathe. They take care to review and update them in accordance with any changes – such as in the law or technology used – and draw them to the attention of team members regularly, not just in their first week.
For an IT policy to be effective, everyone should be aware of it and, as discussed, clear rules should be set on matters such as browsing, downloading, software installations and data security.
It may sound harsh, but the biggest vulnerability in any business is its people, especially when they are not properly trained and fail to be vigilant – for example, with phishing emails. Absentmindedly clicking an attachment can infect a whole network.
But of course, staff can’t be blamed for what they don’t know – and companies who act to train and educate their employees have the best chance of safeguarding everyone and everything involved.
If you need help with policies or any other IT matter, why not get in touch with Q2Q to see how we could help support your company?