IT policies – A cure for insomnia?
Let’s face it – IT policies are not the most exciting topic. Because of that reality, there are two common (but similarly futile) approaches to IT policies:
- Approach 1 – don’t bother.
- Approach 2 – find a generic IT policy on the internet. Put a copy in the staff handbook. Hope the staff will read it.
Does this sound familiar? Don’t worry – you are far from alone if so. However, it’s still worth taking a moment to think about trying to be better than average. The good news is that it isn’t difficult or costly to make a big step forward. And it’s worth doing to help protect your business, your customers and your staff from the threat of cyber crime.
The third way
In one of its ’10 steps to Cyber Security’ guidance steps, the government advises the following:
Principle: User Education and Awareness
- Produce user security policies covering acceptable and secure use of the organisation’s systems.
- Establish a staff training programme.
- Maintain user awareness of the cyber risks.
Let’s refer to this as ‘Approach 3’. Compared to Approaches 1 and 2, it is relatively rare to find organisations taking this advice on board. It is a shame because it requires relatively little effort and the benefits are realised quickly.
Where to start?
The starting point is to identify some key IT-related topics that are important to your organisation and then write policies which are relevant to your company. There are many useful sources you can draw from to help you do this. These might include trade organisations, professional advisers, and – yes – the internet. But the most important thing is that what you produce is realistic and reflects what actually happens in your organisation. Beware of ‘one size fits all’ policies, or policies written in language that only the IT department will understand.
There is no definitive list, but a reasonable benchmark for most SMEs could be:
- Internet Acceptable Use policy (AUP)
- E-mail policy
- Social Media policy
- Bring Your Own Device policy (BYOD)
- Removable Media policy (covering things such as USB data sticks)
Hope is not a strategy
Having gone to the trouble of writing the policies, you must now resist the temptation to assume that staff will read them, let alone understand them. Hope is not a strategy. Rather than putting the policies in the proverbial bottom drawer, talk to your staff about them and explain the key points in plain English. The purpose of the policies is to change behaviour for the better, not to serve as an academic exercise.
Talking about policies can form part of a general staff training programme on cyber risks. Policies are part of the equation, but there are many other topics you can also include to raise awareness. And it doesn’t have to be a cure for insomnia. Done well, training can be engaging. Most staff use computers and the internet outside of work, and they face similar cyber threats in their personal lives. Make the training seem relevant and useful to them both as individuals and as employees, rather than threatening and simply about Big Brother watching them.