Security Awareness Training: Why You Need a Corporate Acceptable Use Policy
These days, organizations are more likely to be targeted by cyberattacks, which can often cause considerable damage to their reputations and operations. This is why organizations must write and implement acceptable use policies—regardless of size. Companies need to establish policies that spell out what employees can and cannot do when using company IT assets, both on and off the corporate network.
A corporate acceptable use policy (AUP) should include everything from the basics—creating strong passwords and defining what software apps can be installed on company devices—to knowing what types of devices employees are allowed to connect to the network.
Keep reading to learn what a corporate acceptable use policy is, the key areas that should be included, and some pro tips for enhancing your security awareness training.
What is a corporate acceptable use policy (AUP)?
A corporate acceptable use policy is a formal document that provides guidance on the rules and guidelines for employees and other stakeholders when using the company’s IT resources. These resources commonly include computers, laptops, mobile devices, networks, software, email accounts, and internet access.
A corporate acceptable use policy sets the rules for IT security policies, such as passwords, system access, and device usage, and defines acceptable use of corporate assets and communications.
These key stakeholders should develop your policy:
- Executive management
- Legal
- Human resources
- IT
These stakeholders should clearly define who the policy applies to, what is acceptable, what’s not acceptable, and the consequences of violation. At the end of the day, it’s about protecting not only the company’s digital assets and reputation but also the people who work there.
How an AUP protects IT assets
The protection of IT assets is a vital element in maintaining the integrity and security of any organization’s IT infrastructure. AUPs play a pivotal role in this protection by clearly defining what is and isn’t permissible in terms of:
- Hardware: which USB drives and other removable devices may be used, and by whom
- Software: no installation of unapproved software on company devices
- Networks: which devices are allowed on the corporate network, and how company devices may be used off the network
- Data access: which devices can and cannot access company data, and how that data may be used
By explicitly stating the types of hardware that can be used, who is authorized to use them, and under what circumstances, you are minimizing the risks associated with physical devices.
4 key areas to include in your AUP
When creating or revising an AUP, your stakeholders will need to consider four key areas. These areas can set the security posture and internal security culture for your organization and your employees.
1. USB drives
USB drives are often used in cyberattacks. If an employee wants to access files from a USB drive, have them work with the IT department to test it on a segmented machine. If it is an infected USB drive, then the virus will be contained, and business can continue as usual.
Encourage employees to always throw out any free USB drives they may receive—especially those received at conferences or industry-related trade shows. It’s not worth the risk. And don’t forget to remind them to never plug a USB drive into a company computer.
If employees need to use USB drives on corporate devices, provide them with safe, company-supplied drives only. Keeping a supply from a reputable source is a good idea: the drives are inexpensive, and the peace of mind alone is worth it. This can also be part of your overall security awareness training.
2. Approved software
An AUP is imperative when it comes to software. It should require that only approved programs be installed on corporate devices. The policy should outline the process for software approval and the ramifications of deploying unapproved software. Unverified software can pose significant security risks, creating vulnerabilities that could lead to cyberattacks and other security breaches.
The goal of an AUP is to reduce these risks by controlling what software can be installed based on user access needs. Your AUP can also incorporate security procedures that define valid use cases for software approval based on employees' roles within the company. This ensures that all software goes through a thorough security review and verification prior to approval, safeguarding the organization's IT infrastructure while maintaining compliance with the legal and regulatory standards of your industry.
3. Bring your own device (BYOD)
When an employee brings a personal phone, tablet, or laptop to use at work, what is the process for them to access the network with it? If you don't have a BYOD policy, you need to start thinking about how your organization can better protect its assets.
A few questions to explore when implementing this can include:
- What types of devices can employees use on the corporate network?
- Can employees connect their personal devices to the corporate network or Wi-Fi?
- Can guests use the network or Wi-Fi?
- If employees and guests can connect their own devices to the corporate network, are there any restrictions about what they can do on the network?
- Is there a designated guest network for devices not issued by the company?
The idea of a BYOD policy is that IT should be able to quarantine any device regardless of who purchased it. Make sure your employees know that their personal devices can be quarantined and confiscated in case of an incident. HR should ensure employees who use their own devices have signed off on this policy, as it may affect their devices.
4. External networks
Similar to the BYOD policy, you’ll also want to provide guidelines around how employees use company-issued devices on other networks.
These guidelines can include:
- Can employees connect company-owned devices to other networks at all?
- What types of networks can company-owned devices be connected to? For example, a private home network, a private network operated by another company, or a public coffee shop network.
- Are there legal safeguards and protection in place in the event an employee misuses company resources for nefarious reasons? It’s important to remember that employees are often your company’s spokespeople, and damaging behavior from an employee can negatively impact the organization.
- Is the BYOD or IT policy promoting a digitally safe and productive environment for all employees? By reviewing user activity on the network regarding personal usage, non-business web activity, or the viewership of offensive content, you can ensure a collaborative and secure work environment.
- Will there be any compliance issues with regulatory requirements within your company's industry for your AUP? Many companies must still ensure that implementing their AUP adheres to multiple government regulations, including HIPAA, PCI DSS, and GDPR. These must be considered when building out your AUP.
Pro tips for security awareness training
To start, create acceptable use policies or refresh the ones you already have to reflect the suggestions in this article. Then, share the policies with employees and train them on how to implement them.
Here are some tips to reinforce that training:
Acceptable use policies
- Make it interactive
- Use real-world examples that mirror your business
- Make it relevant by adapting training to your company’s roles and responsibilities
- Regularly update and reinforce the training