6 Must Have IT Security Policies to Safeguard Your Business

safeguard SMB
  • July 27, 2017
  • Print This Post

What better way to introduce the second installment in our IT Policy Primer series, IT Security Policies and Framework, than drawing from that wellspring of corporate wisdom, Dilbert.

In an episode of the long-running satirical strip, Dilbert’s pointy-haired Boss ambles officiously into the bespectacled worker’s cube to announce the creation of a new company policy, assuring him that “there are excellent reasons” for the move, adding that “I hope to someday know what they are.” Cue Dilbert’s famous deadpan.

Employees of many small companies may wonder whether that’s how their IT security policies (if they even have any) are generated.

It isn’t, of course. Because SMBs that use IT policies have likely thought them through very carefully–many times with the help of an IT Managed Services Provider (IT MSP).

In these proactive companies, you can be sure that the reasons IT security policies exist–supporting risk management, governance, regulatory compliance or other essential strategies–are crystal clear to every business leader. Pointy-haired or otherwise.

No IT Policy Framework

The real problem today is that, despite headlines decrying the devastation wrought by Locky, WannaCry and now Petya, many US SMBs still lack a reliable framework of IT policies to guide user behavior and safeguard operations. A startling 83% percent still have no formal cybersecurity plan. Only a third are using business data security policies, and just two in five have a written policy concerning remote networking, email and Internet safety procedures.

All of this is problematic because, as our eye-opening new cybersecurity series reminds, SMBs aren’t taking security seriously enough at a time when they should be more serious about security than ever.

Businesses that are ready to do so, should consider reviewing and refreshing their existing IT policy framework, which we believe should, at minimum, include must-have policies such as:

  • Security Awareness Policy: greater awareness decreases threat exposure, at least in theory; so this IT policy should include training, newsletters and other communications that keep awareness high, especially about fast-emerging threats, such as the latest, most destructive malware variant ever, “Wiper Ware.”
  • IT Acceptable Use Policy (AUP): this essential document defines all company IT resources users may encounter on the job and lists the proper use of each; most organizations require employees to sign an AUP prior to receiving network/login credentials.
  • User Password Policy: weak passwords that can be easily guessed or hacked drive the need a strong user password policy; at a minimum, include requirements for: acceptable length, complexity (letters, numbers, symbols) and expiration dates.
  • Mobility Use Policy: this IT policy defines proper use of mobile devices within the organization, including which devices are governed and how the policy is enforced; these guidelines often describe methods for securing data, both at rest and in transit, and proper steps for reporting a lost or stolen device.
  • Personal email Use Policy: this policy is aimed at reducing risks of allowing employees to personal email services that exist outside of IT department purview for company business; these can include: loss of control; risk of non-compliance; privacy violations; and potential for data theft.
  • Clean Desk Policy (CDP): a popular and effective workplace security strategy that helps prevent data theft and loss by requiring employees to lock away sensitive materials that are not in use or when employees leave their workstations.

Other IT policies that deserve a spot on this must-have list include: disaster recovery; business continuity; incident response, remote access and media retention and destruction. Consult an IT MSP to determine which combination would best constitute your basic IT policy framework and go from there. Meanwhile, check back again soon to read the next post in our IT Policy Primer series: Tips for Policy Awareness Building and Enforcement.

Need Help With
Your IT?

Find a Location


Need Help with your IT?

Find a Location
Near You.


into the evolving world of IT for business.
Subscribe now.

Follow Us
Friend me on FacebookFollow me on TwitterFollow my company on LinkedInRSS Feed

Follow us on Twitter


ITinflections is a blog that covers a wide range of technology-based articles IT in the workplace, focusing on small- to medium-sized businesses.

If you’re looking to improve your company’s productivity through the effective use of technology, enjoy ITinflections, the blog about technology for business.