Why Your Business Can't Afford to Ignore User Policies

In today’s digital age, the misuse of company systems has become a pressing concern for many organizations. The challenge often lies in clearly defining what constitutes misuse. Activities such as using company computers for personal tasks, visiting restricted websites, or downloading unauthorized software can have severe repercussions. Even beyond the threat of cyber-attacks, there are gray areas in user policies, like an employee using their lunch break to browse non-work-related information. Typically, user policies delineate how employees can and cannot use company systems. For a policy to be effective, it must be unambiguous and specific. Ambiguities can lead to complex situations for both employees and organizations.

The Importance of Clear Policies

Every organization should establish specific policies that are applied consistently across the board. For example, stating that “computers and internet access are for business purposes only” can be problematic. Consider an employee who uses a company computer to check their personal email for just a few minutes. If this is deemed acceptable and the policy is not enforced, but another employee is later terminated for spending a couple of hours surfing the internet, this could be perceived as unfair and potentially lead to legal complications.

Allowing personal use during breaks can also introduce risks. For instance, an employee might download a ransomware virus from a personal email, resulting in significant financial losses. Other potential areas of misuse include password sharing, data copying, and leaving sessions open when employees go for lunch. All these issues can substantially impact the security of your network and should be clearly addressed in your user policies.

Key Areas of Effective User Policies

Effective user policies should encompass several critical areas:

Passwords
Internet usage
Email attachments
Software installation and removal
Instant messaging
Desktop configuration
Data security

Passwords and Security

Maintaining password security is paramount. Historically, a strong password was considered to be six to eight characters long, including numbers and special characters, and unrelated to the user. For example, a user might be advised to use a password like “K%t1fPe987” instead of something personal like “seniseviyorum” or “canavarlar.” However, such personal passwords can be easily guessed by cyber attackers.

While complexity requirements are still recommended, today’s standards suggest using passwords that are 12 characters or longer. User policies should dictate how end-users should manage their passwords. For instance, writing a password on a Post-it note and sticking it to a computer monitor is not secure, regardless of how complex the password is. This practice is surprisingly common and poses a significant security risk.

Sharing passwords among employees is another common issue. For example, an employee going out of town might share their password with a colleague to check emails. This practice increases the risk of the password being shared further, compromising security. Policies should clearly state that passwords should never be written down or shared. If an employee suspects their password has been compromised, they should immediately contact the IT department to change it and monitor any login attempts with the old password.

Internet Usage Policy

Most organizations provide internet access to their employees, primarily for email communication. However, internet access also comes with risks, such as web surfing and using chat rooms, which can lead to serious security issues. Appropriate policies should be in place to manage the use of these technologies.

The web is a valuable resource for information and education. However, it can also be used for non-technical commercial interests. Examples of legitimate business uses of the web include:

Sales personnel checking competitor websites for product or service sales accounts
Creditors checking a company’s financial ratings for performance
Employees checking weather conditions and travel prices for business trips

On the other hand, some web activities are clearly inappropriate for a company’s network, such as: