How to create
an effective
use policy

Author: David Grady

The rapid shift to remote working driven by the COVID-19 pandemic has brought increased cybersecurity risks and attacks. Having the right security policies in place—and consistently enforcing them—can help keep your organization safe. One key priority that companies should have is put in place effective acceptable use policies for workplace technology.

What is an acceptable use policy?

An acceptable use policy sets clear boundaries on behavior for using company resources and data. A strong policy, reinforced with user training, can help create a secure foundation for your organization.

Responsibility for developing, delivering and enforcing the acceptable use policy should be shared between HR, legal, IT security, and IT support stakeholders. The policy helps limit insider threat risk—the risk from actions of employees, consumers, contractors and vendors. Anyone permitted to interact with your company’s IT infrastructure should know exactly what is expected of them—and what is forbidden—through the policy.

Operating without a clear acceptable use policy can increase risk of things like:

  • Accidental data breaches—e.g. sensitive data leaking outside your organization because employees copied it to their personal cloud storage accounts.
  • Business operations disruption—e.g. data loss and disabled networks because inappropriate web browsing introduced ransomware.
  • Reputational damage—data breaches that become public can harm brand and investor confidence especially if the breach was easily avoidable.          

What should an acceptable use policy cover?

Comprehensiveness and clarity are the two things to focus on in an acceptable use policy. You have to think through the technologies that users interface with, the services they use, and the misuse and mistakes that can happen. You also have to think through how users will understand the policy and its application. You want to encourage acceptance, and reporting of violations by all users—not just ordinary employees. Risk won’t be reduced if users aren’t complying and supporting compliance. The following are recommendations for a robust policy.

Cover both inadvertent and intentional actions of users

Use clear, plain language to promote understanding and acceptance. Things that might not be permitted include:

  • Checking personal emails using a work computer—this could introduce an unmonitored attack vector for phishing, ransomware and other malware.
  • Storing company data on personal storage—data breaches or theft may occur from poorly secured or maliciously used personal storage accounts.

It can also help to offer examples of permitted alternatives

This is important where corporate assets are not used solely for business purposes, or where employees might expect some leeway in internet usage and time management. Examples:

  • Using a company smartphone to check the weather on the way to a meeting. No-one wants to get caught in the rain.
  • Reading the headlines of a popular news site during a lunch break. Reputable mainstream new sites tend to be relatively low-risk.

Make clear how policy compliance is monitored and enforced

It could include an anonymous tip-line, random audits, web proxy logging, etc. Knowing that compliance is monitored encourages voluntary reporting, and it can deter violations.

Cover every user 

Too many organizations grant exceptions to management and leadership. However, attackers need only one weak point to gain entry, and common gaps and mistakes make it easy for them. Additionally, users are less likely to report policy violations if they’ve seen prior violations go unaddressed. 

Cover social media use

The policy should cover users in roles that require them to post on behalf of the company, as well as those who do not require direct access. It’s important that users know exactly what is appropriate.

What acceptable use policy rules are recommended for remote work?

Remote working needs special focus in an acceptable use policy, especially in light of the growth of remote work from the COVID-19 pandemic. Remote work through mobile devices creates new environment, with new risk considerations like loss, theft, unauthorized apps, and failure to keep systems updated and patched. Below are some recommended rules.

Secure BYOD together with company-owned mobile devices

Whether your business follows a bring-your-own-device (BYOD), corporate-owned but personally enabled (COPE) or other device-enablement policy, be sure that all devices accessing corporate data are secure. Remind employees working remotely that it is their responsibility to protect company systems and data regardless of what device they use to access them.

Specify which mobile devices may be used for business functions and in what situations

The specifications should include listing which devices may be used to access and store any given information. This is particularly important for companies that implement bring-your own-device policies. Make information available from these devices through mobile device management platforms, but check that the data being collected matches the content outlined in your acceptable use policy.

Ensure operating systems are patched and up to date

An out-of-date or unpatched operating system (OS) makes your system more vulnerable and susceptible to attacks. When an OS is outdated, it’s likely your apps are as well. Establish expectations for your employees to keep their OS and apps updated and patched. 

Limit your apps to what’s company approved

It’s not always enough to hope employees and partners follow policy; deploying technical controls can force compliance with the limitations described in a policy.  For example, an acceptable use policy may state that “checking personal email with company-issued devices” is forbidden, so you may want to block such sites via web proxy.  Mobile apps are another way your data can be compromised; hackers can enter your system through mobile apps, even including well known business apps. Forty-three percent of companies prohibit their employees from using apps that aren’t from the company or an official app store.1 Controls exist to support limiting your employee app installation on company devices to app stores and company-sanctioned sites.

Remind employees to be vigilant against phishing

With employees working from home, it’s easy to use mobile devices to respond to emails. However, mobile users tend to be more vulnerable to a phishing attack than those on other devices. Set guidelines for your employees to be vigilant against phishing and report its occurrence.

Closing thoughts:

Your acceptable use policy helps manage insider threat risk by providing clear boundaries for company resource and data use.  It should be a shared responsibility between HR, legal, IT security, and IT support stakeholders. Make sure the policy is understandable and written in clear, plain language.  Also, make sure it is comprehensive, covering intentional and unintentional actions by all users—employees at all levels, consumers, contractors and vendors.

Reinforce it with user training to help create a secure foundation for your organization. Anyone permitted to interact with your IT infrastructure should know exactly what is expected of them through the policy.

For a full list of recommended acceptable use policy rules, see the Verizon Acceptable-Use Policy Guide and you can learn how Verizon’s security and protection services can help you secure your business.

David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.