8 min read
May 22, 2020
Security

Your Small Business Needs IT Security Policies—Here Are 5 to Prioritize

IT security policies might not seem like a top priority during the current crisis—but they should be. Here’s what small businesses need to know and how they can protect themselves.

Z.C.
Zach CapersSenior Content Analyst

Fifty-four percent of small businesses have recently decided to move a product, service, or event online, according to GetApp research. Retail shops are loading inventories onto the web, dance studios are pivoting to virtual classes, and food trucks are adapting to online ordering for curbside pickup and delivery.

These changes are opening businesses up to a host of information security threats. Increasing digitization creates a larger cyber attack surface by adding new points of access to company data. Likewise, more employees working from home means new connections, applications, and personal devices are being added to company networks.

Despite the increased risk, our research finds that too many small businesses are neglecting IT security policies that protect data and prevent unnecessary financial strain. In this article, we’ll take a closer look at our findings and provide resources to help strengthen your security stature.

Group 3@1x Created with Sketch.

What are IT security policies and why are they so important to your business right now?

IT security policies govern the use of company data and IT resources. These rules and procedures define practices related to system access, data protection, and reporting requirements. IT security policies also guide your employees in their use of technology and help them feel more connected to their responsibilities as stewards of company data.

IT security concerns might not seem like a top priority while navigating the current economic crisis, but small businesses put themselves at a competitive disadvantage by failing to enact security policies that larger companies have nailed down tight. Making matters worse, a cyberattack or data breach is likely to have an outsized impact on a small company's bottom line. And it's a very real possibility.

Cyberattacks related to COVID-19 continue to spread across the internet. Ransomware attacks target vulnerable healthcare organizations, bogus coronavirus apps load malware onto employee devices, and business email compromise (BEC) schemes use phony personal protection equipment to fleece companies out of millions of dollars.

COVID-19 is also being exploited by an array of phishing schemes. In our recent survey of remote workers at small businesses in the UK, 18% of respondents had already been victimized by a novel coronavirus-related phishing email

During a period of extreme financial instability, your small business can’t afford the downtime of a ransomware attack or the impact of a data breach.

Group 3@1x Created with Sketch.

Update your IT security policies to reflect new realities

Small businesses must act now to update their IT security policies—and create those they’ve overlooked. 

We asked more than 500 small business leaders what actions they’ve taken on various policies since the COVID-19 crisis began. Here’s what we heard:

Occupational health and safety policy actions are being driven by concerns around employee health and workplace safety in the context of the novel coronavirus. Likewise, remote work policy actions are being motivated by large swaths of society working from home due to stay-at-home orders and social distancing measures. 

Actions on IT security policies lag well behind the others. Incredibly, nearly a third (31%) of small businesses admit to lacking an IT security policy whatsoever. Another 27% were forced to develop an IT security policy in response to the COVID-19 crisis

In today’s environment, all small businesses must take the time to develop IT security policies to protect against opportunistic cybersecurity threats and costly data breaches.

Group 3@1x Created with Sketch.

5 IT security policies your small business needs

Here are five fundamental IT security policies that your company must have in place to safeguard data in an increasingly digital business.

1. Acceptable use policy

An acceptable use policy (AUP) is your company’s broadest level of IT security policy. It defines acceptable behavior and prohibited activities when accessing the company’s network or internet. Develop a policy that addresses only those risks that are likely to occur, provides clear guidance, and is enforceable.

2. Bring your own device policy

A bring your own device (BYOD) policy governs the responsible use of personal devices that access company systems or data, a practice that is becoming more and more common. Our recent survey found that 61% of small business employees use a personal device when working remotely. A BYOD policy mitigates the risks associated with allowing a variety of personal devices to access your network.

3. Password policy

A password policy sets the password protocols by which users are granted logical access to company systems, data, and devices. These include requirements for password length and complexity, along with limitations on password aging, reuse, and failed logins.

4. Remote access policy

A remote access policy balances data protection with the network access needs of remote workers. It defines rules for connecting to the company network and establishes requirements for the use of routers, Wi-Fi, firewalls, and VPN software. Remote access policies can include BYOD and password policies as subsections.

5. Data classification policy

A data classification policy categorizes information into levels such as public, internal, or confidential. This allows companies to restrict sensitive information to those who need it while helping track critical or regulated business data. Data classification also makes it easier for employees to make better decisions when accessing or transmitting sensitive information.

Group 3@1x Created with Sketch.

Develop security awareness training for your employees

An IT security policy is only effective if employees know about it. Our survey found that only 13% of small businesses have administered IT security training since the COVID-19 crisis began.

To help small businesses like yours offer IT security training, we’ve created a comprehensive guide to developing a free information security awareness training program. 


Pro tip: Incorporate storytelling into security awareness training. Relevant security stories make risks more relatable and consequences more tangible. In turn, employees are more likely to alter behavior and improve decision-making around security concerns.


To protect against advanced phishing threats and BEC schemes, employees must learn about social engineering maneuvers that seek to exploit their emotions. These methods are favorites of cybercriminals looking to access company data or commit fraud. Click here to read our report on social engineering techniques and go here to learn more about BEC schemes—now the costliest form of internet crime in the U.S.

IT security training can be a bit dry, and less than captivating. To combat this, use a learning management system (LMS) to foster interaction, improve engagement, and boost information retention. LMS software also tracks compliance and ensures that all employees receive a consistent training experience.

Group 3@1x Created with Sketch.

Ready to develop your IT security policies?

Methodology and Disclaimer

GetApp’s digital transformation survey was conducted by GetApp in April 2020 among 503 respondents who reported executive leadership roles at small businesses with 250 or fewer employees.

GetApp’s global remote worker survey was conducted in April 2020 among respondents from 9 countries including 491 from the United Kingdom. Respondents indicated employment at small businesses with 2-250 employees.

This document, while intended to inform our clients about the importance of IT security policies, is in no way intended to provide legal advice or to endorse a specific course of action.

Back to top