As a small business owner, you have rules your employees must follow during their workday, whether they’re in the office or working remotely. That same concept can be applied to their interaction with your company’s computers and digital network – especially since a single mistake can put critical data at risk. By establishing an acceptable use policy, you direct how you expect your employees to use their work computers, devices and the internet while on the clock.
An acceptable use policy (AUP) in the workplace, also known as an acceptable usage policy or fair use policy, establishes rules for how employees can use their company’s computer system and access its network. It also covers the kind of data they can use after being granted network access.
An AUP is not just a set of rules for employees using the company’s technological resources. It’s an educational document that teaches employees proper information security and data management practices. It’s also a semi-legal document that can have repercussions for those who don’t follow the guidelines.
Like your remote work policy and attendance policy, your AUP should be written clearly and in plain language. The more understandable your official policies are, the more effective they’ll be.
What sets an AUP apart from other user agreements – like the standard end-user license agreement (EULA) that most people quickly skim before hitting “I accept” – is that it applies to a much larger system. While a EULA is for a single piece of software, an AUP applies to entire networks and websites. It addresses how employees are expected to comport themselves while using your business’s resources. While a EULA focuses on the client (end user), an AUP is for employees.
A digitally connected workplace comes with specific security and cyber risks. An AUP can help mitigate those risks by establishing clear guidelines for your staff on device (e.g., computer, laptop, cell phone) and network usage.
In addition to educating your team on proper and improper device and network use, the policy clearly outlines sanctions that may apply to those who fail to comply. An acceptable use policy can also help legally protect your organization in the event of a security breach or audit. It’s an integral part of every IT security protocol and can prove due diligence.
There are multiple benefits to having an acceptable use policy in place, including the following:
The following elements should be included in your AUP:
Since your AUP is designed to explain what can and cannot take place on your company’s work computers or network, stating what’s forbidden is critical. Your final AUP should tell employees that the following actions will not be tolerated:
Your overall restrictions can also include forbidden websites, email response guidelines and more.
Software installation security practices can protect your business. Any system administrator will likely tell you that installing a new program on a company device is carefully planned and executed. If your company relies on a secure digital environment, you must consider how much freedom employees have to install new software. Without setting guidelines, employees may install software or apps that introduce security risks, exposing the network to unauthorized access by bad actors.
Further bolster your AUP and protect your network and devices by installing the best internet security and antivirus software.
Your employees are accustomed to using their own devices, so some may want to bring them into the office. Additionally, remote work is commonplace, further increasing the use of personal devices for work. If you have a bring-your-own-device (BYOD) policy or allow remote workers to use their personal devices, your AUP must require employees to implement specific mobile device security measures.
While it may be convenient for employees to use their own devices, Ivan Kot, director of customer acquisition at Itransition, said careful consideration is needed for AUPs governing BYOD usage. “Employees often use their personal devices while accessing global and corporate networks through their private channels,” Kot warned. “This raises cybersecurity risks dramatically and exposes corporate infrastructures to external intrusions. In this situation, acceptable use policies are the key documents stipulating acceptable and secure ways for employees to use corporate and personal resources for work-related purposes.”
Your AUP must clearly state that employee monitoring efforts will apply to the use of employee-owned devices only during work hours and that private use will remain private. For remote work, your policy can require a VPN or other encrypted connection service to protect your company’s copyrighted material, personal information and intellectual property from security breaches.
Provide examples of permitted exceptions to mobile device usage in your AUP. For example, if you prohibit using personal mobile apps on a company-issued mobile device, you may want to allow using the weather app and other well-known and low-risk apps.
Social media platforms are incredibly popular; you’re sure to have employees who browse them at work. Though these platforms can be an excellent and immediate source of information, they can also be a massive time suck.
An AUP can set rules banning the use of social media platforms while connected to the network, helping employees manage their time and productivity – incredibly important resources to any small business. You may also want to include rules and restrictions for internet surfing.
A company policy is only as strong as its enforcement measures. An AUP should be a series of rules that will be enforced. Failure to adhere to an AUP can have dire ramifications for the company, so it’s crucial to establish consequences – up to and including legal action – to address employee missteps. The security of your company’s intellectual property and infrastructure depends on it.
Include all ramifications of failure to adhere to the AUP in your disciplinary action policy so everyone understands the consequences.
AUPs are as unique as the companies that adopt them; what works for one setup may not work for yours. As with any other company policy, you must consider how it will change the workplace and what problems may arise from its implementation.
Once you’ve decided what to include in the policy, take the following steps:
Once you’ve decided what to include in your acceptable use policy, you must implement it and enforce it in your company. Here are some tips to smooth the process:
Remote monitoring and management (RMM) software can help businesses monitor their remote workforce’s devices and bolster network security.
Enforcement is a crucial aspect of an AUP. Some businesses employ user activity monitoring software and tools to discover when employees fail to meet the policy’s requirements.
The best employee monitoring software can ensure your AUP is being adhered to properly. For example, our review of ActivTrak and our InterGuard review explain how these solutions can improve cybersecurity and productivity. However, there are pros and cons to monitoring employees. Employees are often leery of this type of software, so employers must tread carefully.
“Individual privacy and freedom remains one of the most disputable issues of AUP,” Kot explained. “Some companies choose to monitor their employees’ devices 24/7 without leaving a chance for private use. Others prefer to determine each and every way employees should perform their work, which deprives employees of any flexibility in their actions.”
When implementing employee monitoring software, be sure to detail its usage in your AUP. You must be crystal clear with your employees about when they will be monitored. Kot encourages business owners to keep their employees’ privacy issues in mind and “opt for reasonable AUP while staying away from hyper-control and setting unnecessary boundaries in employees’ daily work.”
Jennifer Dublino contributed to this article. Source interviews were conducted for a previous version of this article.