Sara Millis

How to create your Acceptable Use Policy (AUP) - A guide for SMEs

Heather is searching the internet for a present for her boyfriend at the front desk again - not a great look for waiting clients. You can certainly take her aside and explain why you'd like her to refrain from that behaviour, but will it stick? An Acceptable Use Policy is likely more effective, because it sets the expectation before the behaviour becomes a problem you must confront.


In this IT Soho guide, we'll show you how to create your Acceptable Use Policy in a way that keeps employees on-side and your data safe.




What is an Acceptable Use Policy?

An Acceptable Use Policy, often called an AUP, is a set of rules defining the acceptable and unacceptable use of technology and information within an organisation. Consider it the rulebook for your employees' use of your digital space and data.


Why SMEs need an Acceptable Use Policy

You might wonder, "Why do I need an Acceptable Use Policy (AUP)?" Here are the main reasons.


  • Protecting sensitive information - An AUP sets out how company data may and may not be handled, reducing the risk of data breaches and unauthorised access.

  • Mitigating cybersecurity risks - SMEs are increasingly targeted by cyber threats. An AUP acts as a proactive defence, setting out cybersecurity best practices and educating employees on the risks they are most likely to meet, such as phishing and credential theft.

  • Ensuring a productive work environment - A clear AUP establishes expectations for technology usage, so that employees use digital resources primarily for work-related activities. It also minimises distractions from things like the internet and social media.

  • Legal and compliance considerations - As an SME, staying compliant with relevant laws and regulations is crucial. An AUP helps align your business with legal requirements regarding data protection and privacy, and gives you a documented, signed basis for acting on misuse.


But why tailor it specifically for SMEs?

As an SME, you face challenges that your larger corporate counterparts do not. These include limited IT resources combined with a diverse technology base (often including BYOD schemes), and the possibility of more rapid business growth.


A well-written Acceptable Use Policy gives you a cybersecurity baseline that scales with the business and costs little to implement: one document that sets the rules for every device and every new hire.



Critical components of your AUP

You'll want to include several things in your Acceptable Use Policy. These are:


  1. Scope and applicability - Define the boundaries of your AUP. State to whom the policy applies (employees, contractors, temporary staff) and the systems, data and devices it covers, including personal devices used for work.

  2. Responsibilities of users - Highlight employees' obligations when using company or BYOD technology. Include guidelines for safeguarding login credentials, reporting security incidents promptly, and adhering to the policy's guidelines.

  3. Cybersecurity best practices - Cover password management, multifactor authentication, and software updates and patches. Establish how individuals should deal with these issues and how they should report potential threats.

  4. Acceptable and unacceptable use - Spell out what constitutes fair use of company resources. Include guidelines for internet usage, social media, and personal device usage during work hours. Equally important is outlining actions that are strictly prohibited, such as installing unapproved software or sharing accounts.

  5. Consequences of policy violations - Communicate the repercussions of violating the AUP, from warnings and additional training for first offences to more severe consequences for repeat offenders. Clarity here is vital for promoting accountability and for enforcing the policy consistently.



Crafting your Acceptable Use Policy

Let's break down the process into actionable steps.


Step 1 - Assess your business needs and potential risks

  • Identify the types of digital resources and technologies your employees use daily.

  • Consider potential threats to sensitive information and operational continuity.


Step 2 - Involve your stakeholders

  • Involve key personnel from IT, legal, and HR departments to make sure your policy is fit for purpose.

  • Gather insights from employees to understand their needs and challenges.

  • Clearly outline the responsibilities of each stakeholder in the AUP development process.

  • Ensure everyone understands their role in enforcing and adhering to the policy.


Step 3 - Ensure compliance and accessibility

  • Research industry-specific best practices and recognised standards such as ISO/IEC 27001, whose Annex A controls expect you to have documented rules for the acceptable use of information and other assets.

  • Ensure the language used is clear and understandable by all employees.

  • Include practical examples to illustrate key points.


Step 4 - Outline employee training and awareness

  • Implement ongoing training programs on cybersecurity best practices.

  • Keep employees informed about emerging threats and prevention measures.

  • Clearly define the process for reporting policy violations.

  • Encourage a culture of transparency and accountability.


Step 5 - Enforcing the policy

  • Establish a schedule for regular audits of technology usage.

  • Evaluate compliance with the AUP and identify any potential risks.

  • Conduct periodic cybersecurity assessments.

  • Identify vulnerabilities and address them proactively.

  • Clearly define the steps to be taken when a policy violation is found.

  • Ensure that consequences are applied consistently and fairly.

  • Where you can, back the policy with technical controls (web filtering, device restrictions, MFA) so it does not rely on memory and goodwill alone.


Step 6 - Policy Review

  • Establish a routine for reviewing and updating the AUP.

  • Create channels for employees to provide feedback on the AUP.



So, will an Acceptable Use Policy stop Heather from using the internet on reception?

While we can't predict a single employee's response, in most cases staff who know there is a policy, and understand what it means, abide by it.


The policy is necessary either way: whether or not Heather appreciates your data security, you have an enforceable, documented standard that helps protect your business.


How can IT Soho help you?

Our IT support services provide central London businesses with hardware and software that meets their needs. That includes setting up device restrictions and web filtering, which, in Heather's case, enforce the policy technically and act as a further deterrent.


If you need managed IT services for your London business, contact Eric today.
