Secure your Environment by Empowering your Employees: Implement an Acceptable Use Policy
The swelling trend of working from home coupled with the growing impact and frequency of cyber-attacks and data breaches has left organizations of all sizes searching for ways to improve their IT resilience and recovery capabilities from cyber threats. One of the leading causes of cyberattacks is employee negligence. A single negligent employee can be the weak link in any organization’s IT infrastructure, information systems, and network resources. This can lead to many types of security issues such as data and network access breaches, malware, and phishing attacks. One simple step to improve an organization’s security posture is for management to create and adopt an Acceptable Use Policy.
An Acceptable Use Policy (AUP) is a set of rules established by an organization’s management and IT teams that dictate the ways employees interact with the company’s data and network, all for creating a more secure IT environment. An AUP defines the way your company’s resources may or may not be used by your employees.
Acceptable Use Policies are a foundational tool for an organization and its employees to continue business operations responsibly and safely. Here are some examples of how IT Security leaders define the best practices for their IT infrastructure.
What does an Acceptable Use Policy look like?
Employees of all roles and backgrounds are encouraged to use and consult the document, and therefore it needs to be approachable. Cybersecurity experts prescribe an Acceptable Use Policy that is short, easy to read, and organized into sections.
What does the Acceptable Use Policy apply to?
Simply stated, the document should apply to all interactions an employee has with the organization’s network. Here’s an excerpt from the Acceptable Use Policy at Brown University:
“Computing resources (covered by the Acceptable Use Policy) include all company and employee-owned, licensed, or managed hardware and software, the use of the company network via a physical or wireless connection, and all applicable company-owned data stored or accessible on employee’s personal hardware.”
What security standards are set for corporate and employee-owned hardware?
The security standards are up to the discretion of the organization. We’ve seen security policies vary in strictness, but it’s important to use verbiage consisting of absolutes to convey the importance and encourage standardization. Here’s an example from the SANS Institute, a global leader in cybersecurity training:
“You may access, use or share proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties. All computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.”
What vulnerabilities do remote workers create that an Acceptable Use Policy can mitigate?
- Exponential Endpoints: Despite many organizations issuing company hardware to their employees, there are plenty of reasons that an employee would choose to use their personal device instead of the company-issued equipment (i.e., device power, extra monitors). This preferential choice creates a nearly unquantifiable number of endpoints that could be used to access company data or networks without the same security standards as the organization’s machines. The average home in the U.S. has two personal computers and two cell phones. These endpoints are not secure by default, and the addition of these devices into operations must be viewed as a data security risk. An acceptable use policy could have provisions ensuring no personal devices are used, or certain standards required to use a personal device. A simple example is: a VPN is required to access the organization’s network.
- Network Vulnerability: Even if employees’ personal devices are secured to company standards, there is more to worry about than two phones and two computers. The average U.S. home has ten devices connected to its home network. The interconnectivity of the Internet of Things (IoT) coupled with work-from-home has led to the adverse side effect of a device as simple as a printer being a threat to an organization’s entire network. If a hacker was able to pull company data logs from an employee’s home printer, it could lead to the exposure of all locally stored data and data shared on the company network.
- Culture Desynchronization: A possible side effect of work-from-home are the negative impacts of employees’ lack of opportunity to develop relationships among themselves. Without the water cooler, employees may use their downtime to browse the web or otherwise entertain themselves at home. Unfortunately, this can present a host of security concerns. Some comprehensive acceptable use policies also include an Internet Usage Policy, which firmly outlines what websites are acceptable to peruse on company equipment, or company networks. An expressly clear internet usage policy helps dispel ambiguity and creates a culture of security – uniting employees under the same standards.
Business Continuity Considerations
An Acceptable Use Policy is an effective preliminary tool in designing a comprehensive business continuity plan. It’s recommended – especially with today’s data landscape – that when BC Planning, you put your people first. Today’s employees face many COVID-related challenges, from establishing a stable home office to concerns about family’s health and safety. Organizational policies and plans shouldn’t complicate the lives of already disrupted employees. Instead, when possible, make your acceptable use policy as easy for your employee to adopt as you can. Here are some examples of tools that can be embraced without shifting significant responsibility on your team.
- A secure, encrypted, file-sync and share tool with the ability to create shares at an individual, team, and organizational level streamlines operations and makes collaborating easier out of the office.
- Point in time, offsite backups for Microsoft 365 are essential for organizations that rely heavily on the Microsoft software suite for operations and communication.
- Cybersecurity training is of course core to building a more aware organization, and the less it feels like homework the more receptive your employees will be. Look for cybersecurity training that includes short videos and quick comprehension tests, but also includes tools that an employee can look upon when trying to decipher the legitimate from the phishing scam.
- Design a phased policy publishing schedule that will allow users to adapt slowly over time- this applies when policies result in significant changes to business activities.
Keeping the policy current is important as technology changes and shifts in threats evolve, so too must your company’s AUP. At a minimum, these policies should be reviewed at least once a year or when something changes like Covid-19 that forces workarounds and adjustments.
Business Continuity Plans (and even smaller projects, like Acceptable Use Policies) can seem incredibly daunting for an IT department to dive into. Don’t tackle it alone. RenovoData specializes in helping organizations protect their data, create plans, and recover in case a disaster strikes.