Security is essential, which is why we at Smallbiztechnology.com never tire of writing about it and believe one can never be too secure. In this guest post, Deborah Galea of Red Earth Software shares valuable information on how to develop a security policy for your business:
For companies large and small, a security policy is becoming a necessity as security breaches continue to dominate the headlines. Employees are often the weakest link when it comes to protecting sensitive data. In order to protect company assets and train employees on security precautions, here are 10 elements that must be part and parcel of an effective security policy.
1) Explain the dangers
Start by explaining the dangers associated with email, chat, blogging and social media, including virus infections and phishing attacks. This will help employees understand why it is so important for them to follow the guidelines of the security policy.
2) Warn of phishing attacks & viruses
Pay special attention to phishing and virus attacks: Make sure employees understand that they may be targeted either through their work email or personal email by cybercriminals hoping to infect their computer and glean password or account information. Instruct employees not to click on any unfamiliar links that may appear in their email, and to call and verify with the institution if they are unsure if the email is legitimate.
3) Describe employee misconduct
Many employees do not know that they can be held responsible for sending inappropriate emails and chats, regardless of the intent. Make it clear what will not be tolerated in the workplace and encourage employees to speak up immediately if they witness or receive any questionable emails at work.
4) Require strong passwords
Train employees on how to create strong passwords (non-dictionary words of at least 10 characters with upper and lower case letters, special characters and numbers) and change them frequently. Also, encourage your employees to never write down their passwords (they can use password hints instead) or share them via email. That sounds simple, but it’s surprising how many people leave password information on a post-it stuck to their screen.
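The password rules above, turned into a check that could run at password-change time. This is an added example, not code from the post or from Red Earth Software; the word list and the leetspeak substitution table are constructed stand-ins for a real dictionary file.

```python
import string
from typing import List

MIN_LENGTH = 10  # the policy's stated minimum

# Constructed word list standing in for a real dictionary (assumption: a
# deployment would load a full word list such as /usr/share/dict/words).
DICTIONARY = {"password", "welcome", "company", "summer", "dragon", "letmein"}

# Common symbol/digit-for-letter substitutions, so "P@ssw0rd" is still
# recognised as the dictionary word "password".
LEET = str.maketrans("@04$31", "aoasei")


def dictionary_core(password: str) -> str:
    """Reduce a password to the word it is probably built from.

    Trailing/leading digits and symbols ("Summer2024!") are stripped first,
    then leetspeak substitutions are undone and the result lower-cased.
    """
    stripped = password.strip(string.digits + string.punctuation)
    return stripped.lower().translate(LEET)


def policy_violations(password: str) -> List[str]:
    """Return the policy rules the password breaks (empty list means it passes).

    Rules follow the post: at least 10 characters, upper- and lower-case
    letters, digits, special characters, and not a dictionary word.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if dictionary_core(password) in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def is_compliant(password: str) -> bool:
    return not policy_violations(password)
```

Note that "P@ssw0rd123!" satisfies every composition rule yet fails the check, which is the point of the dictionary test: composition rules alone do not stop the most common guessable patterns.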
5) Provide retention guidelines
Explain the company’s retention requirements. Are there certain emails or chats that need to be preserved? Should certain conversations take place via email instead of chat for easier retention? Can employees delete emails, and if so, in which circumstances?
6) Address social media use
Have clear guidelines for social media sites, including personal blogs. Are your employees allowed to discuss work with their friends on Facebook or Twitter? Can they complain about work even if they do not use specific names of coworkers? If not, this needs to be clearly communicated in the security policy.
7) Provide confidentiality guidelines
Determine what kind of confidential information should never be shared over email, chat or social media. This will vary by company, but obviously credit card information, computer passwords and social security numbers should never be communicated via non-secure methods.
8) Discuss email etiquette
This may seem obvious, but especially with younger employees it is important to demonstrate how they should communicate with clients and coworkers while using email. Include in your policy a sample of best etiquette practices. For example, never use all capital letters, do not underline phrases, do not be overly familiar with clients when writing an email, etc. A nasty email can easily be forwarded to a member of the media. Just recently, an email from the head of a PR firm went viral after he sent a note to his staff threatening to fire anyone who used his milk without replacing it. Needless to say, his reputation, and that of his firm, suffered.
9) Describe acceptable personal use
Employees spend so much time at work these days that it is expected they may use work email for limited personal use. However, the policy should make clear that these emails are not private and could be used in the eDiscovery process if the firm were ever involved in any sort of litigation. Personal emails exchanged at work will therefore be held to the same standards as any other email sent over the company network.
10) Explain that email and social media use at work is not private
It is important for companies to mitigate legal liability through email and social media monitoring. Ensure that all employees understand that the emails they send and receive at work are not private and that new employees have adequate warnings before they start using the network. Make sure all employees read and sign the policy.
Finally, train your employees regularly. Many companies take a lax view of one-on-one training when it comes to corporate policies. Sometimes a handout or a memo simply isn’t enough. Remind your staff during regular meetings every few months about the importance of the security policy.
To help you on your way we have provided a sample email policy that you can customize for your company.