
In a world before smartphones, social media, and hybrid workplaces, an acceptable use policy was a lot easier to write—and to enforce. These days, it’s a lot more complicated. Work can take place almost anywhere, on any number of devices. An employee can accept a job and then never physically set foot in the office, working from home (or the Caribbean) on their personal laptop. That’s why an acceptable use policy, or AUP, is more critical than ever—not just to protect the organization, but to protect employees as well.

What is an acceptable use policy?

From an IT perspective, an AUP outlines the acceptable use of corporate data, devices, and networks. In a hybrid workplace, that policy should also include terms and conditions for working on personal devices or home networks. And it should include guests, gig workers, contractors, and other non-employees who use company systems and networks.

Even if some of those terms and conditions may seem obvious (such as not watching porn on a company-issued laptop), it’s still important to have employees sign off on the policy so they’re aware of the rules—and the consequences of breaking them. After all, we may have speed limits, but people still speed.

“People know that cybersecurity is important,” says Alex Michaels, principal adviser at Gartner. “They just aren’t doing what we want them to do.” That’s because they may not view cybersecurity as their personal responsibility. Yet, a significant number of data breaches are caused by human error, such as clicking on a malicious link. The problem is that many AUPs are written in technical jargon, containing “thou shalt not” phrases. Or the security team printed out a generic template they found on the internet. But there are much more progressive—and effective—approaches to establishing and enforcing policies.

“A lot of people in the security space grew up in the security space,” Michaels says. “But what about involving experts who have knowledge in behavioral economics and change management? Those types of things should be part of the conversation as you write your policies and as you look to shift and reframe the perception of security.”

AUPs set rules around IT security policies

An AUP typically sets rules around IT security policies, such as passwords, authentication procedures, and the use of public Wi-Fi. It can also be used to set standards of behavior on social media sites.