Should You Have an IT Acceptable Use Policy?

Photo: iStock

By David Stidham, Operations Manager at Cenetric

We’ve all done it — printed off a form for our kids’ school, saved a personal document to the company server, or used a company-paid app to make a video for our son’s graduation. 

These little tasks here and there don’t seem like a big deal most of the time, but they do use company resources (and probably bits of company time), so it’s wise to establish an IT Acceptable Use Policy to outline what is and isn’t allowed when it comes to company tech.

Why you need an Acceptable Use Policy

While none of us really wants to be a stickler, letting use of your devices, systems and network slide too much can have big consequences. It’s better for everyone if you have clear rules in place so everyone knows where the line is. 

Safeguard your company’s IT infrastructure

Employees doing both work and non-work tasks can put your systems at risk. For instance, when an employee clicks a malicious link in a phishing email in a personal account, the resulting compromise can quickly spread to your entire network. Even work email systems are vulnerable to social engineering.

You’ll also want to be on the lookout for “shadow IT” activities, like storing data outside company systems or feeding proprietary information to generative AI tools.

IBM’s 2024 Cost of Data Breach study showed that 35% of data breaches involved shadow data (data that’s stored in unknown or unmanaged places). The study also found that shadow data increased the cost of a data breach by 16% and that 40% of breaches were caused when data was stored across more than one environment.

Clear policies for data governance and AI use are musts within your overall acceptable use policy to protect your business from cyberattack.

Maintain compliance with regulations

No matter how small your business is, you may be subject to federal or state privacy regulations and standards such as the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), or the California Consumer Privacy Act (CCPA). It all depends on the nature of your business, but regulations and standards like these require strict data governance and security measures, and allowing lax use of company resources could put compliance in danger. 

For instance, HIPAA and PCI DSS both have password requirements or guidance, which means an employee using “password123” for the last 13 years is not going to work.

Protect your business’s reputation

No business wants to have to send out notices about a data breach, but even seemingly smaller issues like an employee misusing the company social media account can create an embarrassing incident. 

A poor reputation for any reason can turn away customers or even potential employees, so employing an IT Acceptable Use Policy to keep damaging events at bay is a must.

What should you put in your policy?

Your specific business will probably want to make a few tweaks to this list or include some unique rules to cover your circumstances. But you can start your Acceptable Use Policy with rules about:

  • Who can use your technology, when and how
  • How data can be used, stored and shared
  • How employees can use company computers, phones, networks and other systems
  • How your team is allowed to use the internet on company time and with company devices
  • How to use (and not use) AI
  • How your team can use their own devices on company networks

Let Cenetric give you a hand creating tech policies

There are many more considerations than we can get into in a blog post, but if you’re concerned about misuse of company tech, Cenetric can help you create a solid IT Acceptable Use Policy. Note that you should also have it reviewed by an attorney, especially if there are legal or regulatory issues involved.

If an IT project (like creating an IT-related policy) has you overwhelmed, tell us about it. Cenetric has the reliable experts you need to help.
