By creating a security policy for your business you can protect your business from most of the common forms of internet threat.
The internet can be a great force for good, but unfortunately it can also be the conduit for everything that is bad in the world. While you may be wise to spam emails, phishing emails and files that aren't quite as innocent as they seem, your staff may not be quite so security conscious in their use of the internet. Additionally the growth in social networking is a cause for concern to many employers as these sites can be a huge distraction from day to day work. This is where a security policy comes in to play.
When you take on new staff in your business the last thing on your mind is probably, "how do I make sure that my staff are internet safe"? However by creating a security policy you will have laid out clear lines of responsibilities that will ensure you and your team protect the reputation of your business, as well as preventing your business from potential internet attacks, and from claims by an employee that "they didn't know".
The policy basics
The objective of an internet security policy is to:
- Set the boundaries of employee use.
- Describe what is deemed acceptable behaviour.
- Explain processes and procedures employees should adopt to protect and manage your systems.
- Assign roles and responsibilities for staff so everyone knows their respective tasks.
- Detail the outcomes if the policy is ignored or deliberately breached.
There are no set templates for an Internet Security Policy and most businesses will have a different policy, what you include really depends on what you as the owner find acceptable use, and how you think employees should behave. However there are a few basics that the policy should cover and these include;
- Describe what you consider are acceptable sites for employees to view during work time. This could include online auction, gambling and social networking sites.
- Advice on internet security eg avoid clicking on attachments in emails unless they are expecting the email with the attachment, and they trust the sender, avoiding emailing unencrypted customer data, revealing passwords and logins to colleagues etc.
- Banning all sharing and downloading of copyright material such as songs, films and videos.
- Letting people know their internet access is being monitored and activities will be reviewed.
- Advice on creating secure passwords and enforcing password changes every so often.
- Clearly stating what will happen if anyone breaks any of these rules.
Make it brief and to the point
One of the common mistakes that many businesses make in producing an Internet security policy is to make the policy run to tens of pages, and to pepper the policy with legalese and technical terms, and turn the policy into a long list of threats.
The aim of your policy should not be to produce a policy that only the best legal minds can understand, and it shouldn't be written to worry your employees into thinking that they're not allowed to use the Internet.
Your security policy should be there to help your employees understand the threats the business faces and to give them help and advice. Ideally test the policy out on someone not connected with your business, ask them to read it and see if it helps or hinders. If it helps then you're on the right path if it confuses them then you need to have a rewrite.
Get the employees to buy into the policy
Once you have created your internet security policy it's essential that you explain it and the reasons behind it to your employees, just getting an employee to sign the policy isn't enough. Each new member of staff should be talked through the basics of the policy and the policy explained as well as the potential threats that the business faces.
Lastly, you should periodically check the policy to make sure it is keeping up with the latest Internet innovations and technologies.
For more information on writing a security policy and further help on what you should include, see the InstantSecurityPolicy guide at instantsecuritypolicy.com, and see the section on staff training on the Get Safe Online consortium website.
