Security Policies Every Small Business Should Have

By Jon Schram

You don’t have to have a big-business IT budget, or the staff to match, to bolster your company’s security profile.

If you work in or own a small business, do you have security? Security is no longer limited to the locks on the doors and lighting in the parking lot. On-line security is what makes the headlines today. You know you’re supposed to have good anti-virus software on every device and a firewall on your Internet connection, but what causes most security breaches?

Employee error is the No. 1 cause of a security breach in a business, so it is vital to keep everyone informed and have policies that will keep you and your company safe. Here are four policies that every business should have and share with their employees.

It’s 2 a.m., do you know who has your data? Do you know who is using Dropbox in your company? Make sure to explain that business data is business property. That means employees aren’t allowed to remove or copy it without your authorization.

In addition, whether or not you allow your employees to conduct work on their own devices, such as a smart phone or tablet, it is important to have a formal bring-your-own-device (BYOD) policy. If your employees aren’t aware of your stance on BYOD, they will assume they can conduct work-related tasks on their personal laptop or tablet. That means your data is no longer under your control. So have a BYOD policy and put it in the employee handbook.

In today’s business world, employees spend a lot of time on the Internet. To ensure they’re not putting your business at risk, you need a clear set of Web policies. Here are three important ones to keep in mind:
• Employees should be using the Internet for business purposes only. While non-business use is undoubtedly hard to avoid without blocking specific Web sites, having a policy in place should at least cut back on employees’ spending time on non-business-related sites.
• Prohibit unauthorized downloads. This includes everything from music to games, and even data or applications.
• Accessing personal e-mail should not be done on business devices. If employees must access their own e-mail account during the day, they can do so on their smartphone or other personal device.

These are just a few Internet policies to get started, but you should also consider including information on your recommended browsing practices and your policies for using business devices (such as company phones or laptops) on public Wi-Fi.


As with the Internet policy, company e-mail accounts should only be used for business purposes. That means your employees should never use it to send personal files, forward links or perform any type of activities outside of their specific job role.

Additionally, consider implementing a standard e-mail signature for all employees. This not only creates brand cohesion on all outgoing emails, but also makes it easy to identify messages from other employees and thus helps prevent spear-phishing. Not sure what phishing is? Check it out at

We’ve all heard the importance of a strong password time and time again. And this same principle should also apply to your employees. The reason is rather simple: Many employees will create passwords for their business accounts that are easiest to crack. After all, if your organization gets hacked, it’s not their money or business at stake.

To encourage employees to create stronger passwords, your policy should instruct them to include special characters, uppercase and lowercase letters, and numbers in their passwords. Most computer systems can automatically enforce this kind of policy, making it mandatory.

We hope these four policies have shed some light on four security practices you may need to address in your business.

About the author

Jon Schram is president of The Purple Guys, a Kansas City IT company.