The impact technology is having on our lives is undeniable, and nowhere is this more evident than in the workplace. Where businesses used to be able to have a single page of their ‘Employee Handbook’ devoted to ‘Computer Usage’, there are now far more factors to consider, both internal and external, which need to be addressed to ensure everyone in the workplace is clear on where the business stands on technology related issues – and what action will need be taken when necessary.
In our experience, the 5 absolutely critical Policies you should ensure that your business has well-documented and ensured everyone reads are as follows:
- Acceptable Use Policy – Essentially a replacement for the old ‘Computer Usage’ page of the Handbook, this policy details a lot of things that really should go without saying for the majority of people who have seen the rise of technology in the workplace. Strangely though, the number of terminations out there due to Acceptable Usage Policy breaches indicates that there are still people who think they can do whatever they want, whenever they want – often engaging in potentially illegal or lewd activities – whilst using workplace resources and on company time.
- Company Equipment/Bring Your Own Device (BYOD) Policy – Where the above Policy focuses more on Software/Systems/Websites allowed (or prohibited), this policy needs to address the potential for issues unique to businesses which provide their employees with equipment – be it Laptop/Tablet/Phone – or allow Users to bring in their own devices. BYOD can seem like a win-win all round: the business doesn’t have to fork out for new equipment when they onboard a new user, and the user gets to keep using their own device they are familiar with and has everything they could ever want. But without an I.T. Security Team at home, who knows what else is on that Laptop they want to use to store your confidential corporate data on…
- Basic Security Policy – This should cover everything from not letting unauthorised individuals access company owned systems, through to Password Policies – both length/complexity as well as method of storage (i.e. KeePass/other encrypted forms = okay, post-it-notes stuck on monitor = definitely not okay). This should also be where you detail appropriate actions/responses to the majority of threats present today – to checking the target URL on links in emails before clicking them, to checking in person/over the phone if the business owner asks for a large amount of money to be transferred to a brand new account (an increasingly common social engineering hack).
- Data Breach Reporting & Response Policy – If any of the above policies fail to protect you, it is now written into law that you need to have a policy around what to do when your Clients’ data gets in to the hands of someone it shouldn’t. Unfortunately in our experience most people seem to think this policy only comes in to effect when they suffer a major breach/hack such as having their entire client database stolen. The truth is, the definition of a Notifiable Data Breach under this legislation could be as simple as sending an email to the wrong ‘John Smith’ – depending on the contents of that email. This policy should detail out the exact steps to rectify these issues for all involved, as well as provide guidance on what breaches need to be notified to the Office of the Australian Information Commissioner as per the law.
- Business Continuity Policy – Often also called a ‘Disaster Recovery Plan’, this policy though shouldn’t just be about when a major natural disaster occurs like fire or flooding. Rather, there are many other factors which could affect the continuity of your business processes. What impact would it have if you were without internet for a couple of hours? What about a week or more like the entire nation of Tonga back in January?? And what about a business phone line, could you go without that for a week? In addition to documenting your Data Backup & Recovery Strategy, a true Business Continuity Plan should detail what steps will be taken to address all these possible roadblocks – and more – to ensure that the business can continue no matter what the world throws at it.
If you find you are lacking any of the above essential policies in your business, contact the Altitude Innovations Team to help you protect your digital assets – and your reputation.