How to create an Acceptable Use Policy for Employees

The Cyber Security Agency of Singapore has seen a significant increase in cyberattacks over the last year affecting private users and organizations regardless of size or industry. Breaches are growing more sophisticated and evolving into major systemic dangers as the cyber landscape gets more complicated and dynamic. And with the surge in remote working due to the pandemic, it has increased the surface of cyberattacks. A breach of any company’s network and applications has far-reaching consequences as victims could include large vendors with sizeable customer bases.

Earlier this year, the Cyber Security Agency of Singapore launched the ‘Better Cyber Safe than Sorry’ campaign that focuses on four key elements:

• Using strong passwords and two-factor authentication to better secure online accounts.
• Vigilance and being able to identify signs of phishing.
• Installing anti-virus software to prevent malware infections.
• Regularly running updates and implement software patches to ensure devices are protected.

However, this is simply not enough to safeguard a  company from online threats. The increased frequency of cyberattacks highlights the need for organizations to examine their cybersecurity posture and ensure that their systems are built to be robust against cybercriminals. Furthermore, despite the fact that more individuals are becoming aware of the hazards and consequences of cyberattacks, many users still believe they will not be targeted and victimized.

This emphasizes the need for HR departments to define and enforce an Acceptable Use Policy. It should outline the standards on how employees may use the Internet, a network, or a linked device that touches the organization’s IT infrastructure.

1. Define which websites are acceptable and unacceptable

Employees that visit unsecure or inappropriate websites may unintentionally put your company at risk. There is a chance that the site contains dangerous content particularly with malware on adult and gambling websites. Your staff will know what is and is not acceptable if you have a policy in place.

2. All devices need to be secure

It is not important who owns a device – what is important is securing any device that is used for work purposes. A clear policy is needed to regulate any device ownership model, whether it’s BYOD or corporate owned. Because common business apps might be compromised, mobile device management can help strike a balance between use and control. The more apps your staff install, the more attack routes are available to hackers. Where possible, restrict employees to apps that have been approved by the company. Your policy should also address the various ways in which a mobile device interacts with the outside world. Custom apps are just one example of a possible security hazard. SD cards, Bluetooth connections, and public charging cables come with their own set of dangers. Allow employees to use what they need to stay productive but utilize the Acceptable Use Policy to educate them about potential risks.

3. Limit the use of public Wi-Fi to connect to corporate networks

Although the dangers of using public Wi-Fi hotspots are mostly known, many businesses don’t have a solution in place to safeguard users from a man-in-the-middle (MITM) attack. This is particularly important for employees who travel, and it puts the company at greater risk. Generally, a cybercriminal accesses an open or poorly secured Wi-Fi router commonly found in public places with free Wi-Fi hotspots. Once an attacker gains access, they use tools to intercept and read the data sent by the user as well as install malware, ransomware, or other malicious software to collect login credentials and personal data. Employees should connect using LTE access and hotspots, which is more secure at protecting company data from public Wi-Fi threats. Inform employees on the safest internet connections for accessing company data and systems and assist them in understanding the dangers of using public Wi-Fi, particularly on their mobile devices.

4. Include updates, patches, and password policies

Any user running an outdated operating system is vulnerable and if an operating system is outdated, software apps are also likely to be outdated. So, creating and communicating a patch policy will help in filling those gaps. If possible, use Unified Endpoint Management (UEM) that helps isolate at-risk devices. Traditional mobile device management is surpassed by UEM as IT departments can manage, secure, and deliver resources from a single console to every connected device. The Acceptable Use Policy can also include password rules to adhere to and users can be automatically notified at least once a month to change their passwords that connect to the company network.

5. Ongoing training and honest communication

Regular training sessions on your Acceptable Use Policy and emerging cyber threats will keep your employees safe. Be clear about appropriate behaviors and habits around social media use. Depending on your company, these sites can be seen as unproductive or as valuable tools for marketing and sales. Different employees may feel that online shopping and chatting is normal but may not be tolerated by the company as it is viewed as a company security risk. It is vital to communicate what is permitted according to the organization’s policy.

A Checklist for Creating an Acceptable Use Policy

While many of these controls can be enforced technically, it is still necessary to be clear on what is accepted and what is forbidden.

• Introduction to outline purpose and scope
• Definitions for users, devices, connectivity, and other technology terms
• Compliance with the policy and disciplinary on violations
  • Taking part in any illegal activity
  • Bypass network and device security
  • Installing unauthorized software
  • Sharing confidential information
• Standards for using company email
  • How to share files via email
  • What information should not be included in email
  • How to identify and report phishing scams
  • Not using company email for personal use
• Standards for using the Internet
  • List permitted sites and prohibited sites
  • Outline risks of file sharing sites and provide alternatives
  • How to verify URLs and trusted sources
  • Actions to take with browser warnings
• Social media policy on what is acceptable
• Remote working rules
  • Using devices at home to access company resources
  • Keeping the device and browser updated
  • Checking network settings and privacy settings on social sites
  • Warnings on downloading pirated content
• Cloud Storage guidelines
  • Set out the rules for using sites like OneDrive, Google Drive, and Dropbox
  • Define what can and cannot be synchronized on external storage sites
  • Securing cloud accounts and configuring security
• Password Policy
  • What is classified as a weak and strong password
  • Establish the frequency when passwords need to be changed
• Travelling with devices
  • Keeping devices in clear sight and stored securely
  • Avoid labeling laptop bags and computers with the company name
  • Be aware of inquisitive eyes if using a device in public
  • Do not use public WiFi networks and public USB power plugs
• Using personal devices
  • Keeping the device up-to-date
  • Establish what company data can be stored on personal devices and for how long
  • Frequent and secure backups
  • Protect access to devices with more than just a password
  • Rules around downloading apps from unofficial sites and jailbreaking a device
• Portable media
  • If USB and SD media are allowed, include encryption requirements and specify when portable media can be used for company data

How KRIS Can Help

KRIS Document Management System (DMS) offers a range of features and functions to simplify the management and safeguarding of your digital assets. It offers a secure central repository in which to store all your company’s documents and policies and facilities document workflows that allow you to disseminate important documents to employees who can digitally sign and return records to HR whenever the need arises. HR can also create forms based on templates to ensure regulatory compliance and consistency. The audit trail feature monitors and reports on access and activity in the system providing internal controls and preventing fraud.