Every company needs to have rules governing Policies & Procedures (P&P) in place – and enforce them. Naturally, these crucial to massive corporations with huge Human Resources Departments, but too many Small & Mid-size Businesses (SMBs) skip this, feeling that, since they’re small, they don’t want to impose such formalities for fear that such P&P might disrupt the ‘boutique’ nature their office.

They could not be more wrong – especially when it comes to network and internet access. In California, there are mandates in place concerning Sexual Harassment Training for companies with five or more employees, but it does not enforce harassment policies in a business. The lack of enforcement can easily lead to sexual harassment litigation.

Any CEO who thinks that a lack of formalized IT P&P is harmless is leaving themselves open to law suits and governmental fines or penalties levied in accordance with the CCPA (California Consumer Privacy Act) regulations.

Noncompliance penalties for CCPA violations can be quite substantial, ranging from $100 to $750 PER INCIDENT – so if you have a data breach effecting 100 clients, you stand to be fined between $10,000 and $75,000, depending on the severity of the noncompliance, based on a range from an inadvertent error to a willful disregard for regulations. Add to that the civil litigation from clients whose confidential information became public due to company negligence.

Aside from having top-notch IT support and next-generation Cybersecurity, the Policies and Procedures a company should have in place also deal with employee productivity. The following are concerned solely with IT policies:

What should be included in an IT policy?

The basic six ‘must have’ policies:

1) Password Security Policy

According to CloudNine, 81% of hacking-related data breaches used stolen or weak passwords. Consider this: THE most used password in the world (by far) is ‘123456’. It takes ZERO seconds for a hacker to break that – it is the first thing they try. Read more about this, including useful tips in our own section ‘Creating Strong Passwords’.

The policy should include mandates for employee education, use of a Password Manager, Multi-Factor Authentication (MFA), and a set time frame when passwords must be changed.

2) Acceptable Use Policy (AUP)

The Acceptable Use Policy must be comprehensive, including how to properly use technology and data in the organization. It will also govern things like device security, such as requiring employees to keep devices updated. Where company devices are allowed to be used and forbid employees from sharing work devices with non-employees.

The AUP should dictate how to store and manage data properly. It is wise that this policy require encryption for security.

3) Cloud & App Use Policy

This primarily addresses the use of unauthorized cloud applications by employees, which is a growing problem. CloudCodes estimates that the use of this ‘Shadow IT’ ranges from 30% to 60% of a company’s cloud use.

Employees download and use unauthorized cloud apps to make their work easier, unaware of the security risk implicit in the use of unapproved apps. Often, employees don’t know that this is forbidden, so it must be written into the policy.

4) Bring Your Own Device (BYOD) Policy

The BYOD approach is the norm in business. Zippia estimates that approximately 75% of employees use their personal smart phones for work. This saves companies money, but it can cause Cybersecurity issues if a clear BYOD policy is not in place.

Certain Cybersecurity measures must be required if a personal device can access the office network, as well as the installation of an endpoint management app. The manner and amount to which employees are compensated for the business use of personal devices varies among employers, but this needs to be included – as well as mandates for keeping the device’s Operating System (OS) and apps pertinent to the business are updated when updates are available.

5) Wi-Fi Use Policy

Public W-Fi is always a danger, as hackers lurk there – where login credentials can easily be stolen. In a survey performed by Spiceworks, 61% of respondents said that employees connect to public Wi-Fi for business, whether the device is personal or company owned.

A good Wi-Fi use policy needs to dictate what employees must do to ensure they have safe connections. It is advisable that the use of a company VPN (Virtual Private Network) be installed. The policy may also restrict what activities employees can and can’t do when on public Wi-Fi. The smart money is to forbid entering passwords or payment card details into a form in such a an insecure environment.

6) Social Media Use Policy

First, you don’t want employees fooling around on social media all day, but when using it for business, like with LinkedIn, it must be addressed.

These details should be included in your social media policy:

  • Restricting when and how much time employees can spend on personal social media.
  • Restricting company information employees can post.
  • Identifying “safe/unsafe selfie zones” or facility areas that should not be posted anywhere.

Frequently Asked Questions

Q: Who sets the policy?

A: This is usually within the realm of executive management with cooperation and input from the company’s IT services.

Q: How are organizational policies enforced?

A: With IT issues, the IT department or outsourced service would monitor network/internet use and then report violations to management for assessment. Generally, it falls upon Human Resources (HR) to speak with the offender and impose any penalties for non-adherence.

Q: Is a VPN Good for Public WiFi?

A:  Absolutely. It encrypts your internet traffic and renders you anonymous when accessing the web on public Wi-Fi.

Q: Are BYOD stipends taxable?

A: Whatever compensation your company provides for using your personal device for work is a company business expense and does not need to be claimed as income.

How secure is your network?

As a reputable member of the IT Support Los Angeles community since 2002, IT Support LA offers a FREE, no-risk network and security assessment. It is a non-intrusive scan that allows us to deliver a comprehensive report that is yours to keep. No strings, and no obligation to ever use our Managed IT Services.

The best defense is the best Cybersecurity to protect your data from theft, and a top-notch Managed IT Services firm to ensure continued reliability and defenses against newly emerging threats.

With our 100% Money Back Guarantee in writing, we offer a risk-free way for prospective clients to try us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

For more information, or to receive your FREE no-risk network and security assessment, just fill out the form on this page or call us at: