As a small business owner, you have rules that your employees must follow throughout their day. That same concept can be applied to their interaction with your company's computers and digital network – especially since a single mistake can put important data at risk. By establishing an acceptable use policy, you direct how you expect your employees to use their work computers and the internet while on the clock.
Editor's note: Need employee monitoring software for your business? Fill out the below questionnaire to have our vendor partners contact you with free information.
What is an acceptable use policy (AUP)?
An acceptable use policy (AUP) in the workplace, also known as an acceptable usage policy or fair use policy, establishes rules for how employees can use their company's computer system and access its network, as well as what kind of data they can use once they're granted network access.
An AUP is not just a set of rules for how your employees can use the company's technological resources, but also an educational document to teach proper information security practices to your employees. It's also a semilegal document that can have repercussions for those who break the guidelines.
Acceptable use policy vs end-user license agreement
What sets an AUP apart from other user agreements – like the common end-user license agreement (EULA) that most people quickly skim before hitting "I accept" – is that it applies to a much larger system. While a EULA is for a single piece of software, an AUP applies to entire networks, websites, and how a person is expected to comport themselves while using your business's resources. While a EULA focuses on the client (end user), an AUP is for employees.
Why do you need an acceptable use policy?
A digitally connected workplace comes with certain security risks. An AUP can help you mitigate those risks by establishing clear guidelines for your staff on device (e.g., computer, laptop, cellphone) and network usage.
In addition to educating your team on what constitutes proper and improper use, the policy clearly outlines sanctions that may occur to those who fail to comply. An acceptable use policy can also help legally protect your organization in the event of a security breach or audit. It is an integral part of every IT security protocol and can prove due diligence.
What should you include in an acceptable use policy?
There are certain things you should immediately consider including in the document:
1. Overall restrictions
Since your AUP is designed to explain what can and cannot take place on your company's work computers or network, it's important for you to state what's forbidden. Your final AUP should tell employees that the following actions will not be tolerated:
- Taking part in any illegal activity
- Bypassing device and network security
- Participating in unauthorized electronic communication
- Installing malicious software
- Disclosing confidential information
2. Software installation rules
Any system administrator will likely tell you that the process of installing a new program to a company device is a carefully planned-out and executed process. If your company relies on a secure digital environment, you'll likely need to consider how much freedom your employees have to install new software. Without setting up guidelines, employees may install software or apps that introduce security risks, exposing the network to unauthorized access by bad actors.
3. BYOD and remote work policy
Your employees are accustomed to using their own devices, so some of them will probably want to bring their own devices into the office. Also, thanks to the state of the world in recent months, many people are now working from home and using their personal devices for work much more frequently. If you're going to allow this practice, you need to require in your AUP that employees implement certain security measures on their devices.
The policy needs to be clear that employee monitoring efforts will only apply to the use of employee-owned devices used during work hours and that private use will remain private. For remote work, your policy can require the use of a VPN or other encrypted connection service to protect your company's copyrighted material, personal information and intellectual property from security breaches.
4. Consequences
A company policy is only as strong as its enforcement measures. An AUP is supposed to be a series of rules that will be enforced. Failure to adhere to your AUP can have dire ramifications for the company, so it's important to establish consequences – up to and including legal action – to address employee missteps. The security of your company's intellectual property and infrastructure depend on it.
How do you create your own acceptable use policy?
AUPs are as unique as the companies that adopt them; what works for one setup may not work for yours. As with any other company policy, you need to consider how it will change the workplace and what problems may arise from its implementation.
Follow these six tips as you decide how to govern your employees' on-the-job computer and internet use.
1. Find a template.
You can find premade templates that fit your needs online. The SANS Institute, for example, has an acceptable use policy template that "defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization's corporate resources and proprietary information."
2. Clarify any jargon.
Clunky jargon can get in the way of your employees understanding what you're saying. If you want to ensure that your employees know what's important to your company's data security, you'll need to explain exactly what you mean. Your workers should know why certain data must be backed up, why they should use an encrypted connection when sending files, and what constitutes sensitive information.
3. Follow any applicable legal regulations.
An AUP mostly consists of best practices and guidelines, but some companies are subject to additional regulations, including federal and international laws. Since a good AUP will bolster your data security, keep any regulatory concerns in mind when drafting your AUP. For example, if your company deals with healthcare issues, you may be required to follow federal HIPAA guidelines, PCI regulations and GDPR rules. You must also make sure that the AUP follows state, federal and local security laws.
4. Cover personal devices in the policy.
Thanks to the proliferation of smartphones and other internet-enabled devices, many employees use their own devices on company networks. A survey by Frost & Sullivan revealed that "nearly 70% of U.S. businesses currently support 'bring-your-own-device' (BYOD)."
While it may be convenient for employees to use their own devices, Ivan Kot, senior manager at Itransition, said careful consideration needs to be taken for BYOD policies. "Employees often use their personal devices while accessing global and corporate networks through their private channels," he said. "This raises cybersecurity risks dramatically and exposes corporate infrastructures to external intrusions. In this situation, acceptable use policies are the key documents stipulating acceptable and secure ways for employees to use corporate and personal resources for work-related purposes."
5. Set guidelines for social media use.
Social media platforms are incredibly popular; you're sure to have employees who browse those services at work. Though they can be a great and immediate source of information, they can also be a massive time suck. An AUP can set rules banning the use of social media platforms while connected to the network, helping employees manage their time and productivity, which are incredibly important resources to any small business.
6. Keep an open mind on revisions.
When your policy is finally set and your employees have all signed documents acknowledging that they've received and understood it, remember that you'll likely need to make changes to the policy at some point. Technology is always evolving, so the measures you'll need to consider for your AUP will change.
What privacy concerns exist with an acceptable use policy?
Enforcement is an important aspect of an AUP, but without the use of top employee monitoring software, it would be hard to prove that an employee failed to meet the policy's requirements. However, by that kind of software's very nature, employees tend to be leery of when and where the company could be watching, since it can do things like track a person's IP address. [For some employee monitoring software recommendations, check out our review of ActivTrak and our InterGuard review.]
"Individual privacy and freedom remains one of the most disputable issues of AUP," Kot said. "Some companies choose to monitor their employees' devices 24/7 without leaving a chance for private use. Others prefer to determine each and every way employees should perform their work, which deprives employees of any flexibility in their actions."
When implementing an employee monitoring software solution and including it in your AUP, you should be crystal clear with your employees about when they will be monitored. Kot encourages business owners to keep their employees' privacy issues in mind and "opt for reasonable AUP while staying away from hyper-control and setting unnecessary boundaries in employees' daily work." [Read related article: Why You Should Tell Your Employees You're Monitoring Them]
Additional reporting by Skye Schooley. Some source interviews were conducted for a previous version of this article.