
4 Gmail Enhancements That Can Help Your Business

Google is totally revamping Gmail. Here are four enhancements that can help you and your employees be more secure and work more productively when using Gmail.


Despite being the flagship offering in Google’s G Suite, Gmail has not received a major update since 2011. That is changing, though. Google has overhauled Gmail to help businesses operate more efficiently and securely. The updated version — which Google refers to as the “new Gmail” — is available through G Suite’s Early Adopter Program. In addition, some of the features are already generally available.

Here are four Gmail enhancements that can help you and your employees be more secure and work more productively:

1. Confidential Mode

Google has added a new confidential mode that is designed to help protect sensitive information in emails. When you use the confidential mode to send an email, the options to forward, copy, download, and print are disabled. This makes it harder (but not impossible) for the recipient to share the information. (If the recipient is determined to share the contents, he or she could, for example, take a screenshot of the email and share the screenshot.)

To further protect sensitive data, you can set an expiration date for the email. After that date, the email’s contents will disappear. The recipient will still be able to see the subject line, though. By setting an expiration date, you can rest assured knowing that your email won’t be sitting around in the recipient’s inbox for a long time, which could be problematic if the person’s email account is hacked.

You can also use two-factor authentication (a.k.a. two-step verification) to protect an email when in the confidential mode. To view your email, the recipient will need to verify his or her identity with a passcode. This passcode is sent via text message to the recipient’s phone.

2. User-Friendly Security Warnings

Hackers like to use emails to spread malware, steal data, and con businesses out of money. While Gmail has flagged suspicious emails for some time, Google has redesigned the security warnings. Besides being bigger and bolder, they are easier to understand.

For example, a security warning might state “This message seems dangerous. It might be trying to steal your personal information. Don’t click any links unless you trust the sender.” A warning might also include a “Delete now” button that employees can use to easily remove the suspicious email from their Inboxes.

3. Nudge

If you often have to reply to emails, the Nudge feature can save you time and possibly keep you from dropping the ball. Nudge scans your Inbox, looking for important emails to which you have not yet responded. When it finds one that is older than two days, it moves the email back to the top of your inbox and flags it with a message such as “Received 3 days ago. Reply?” Thus, Nudge not only reminds you to reply to emails but also saves you from having to hunt through a long list of emails to find those needing your attention.

Nudge also scans your Sent Mail folder, looking for emails for which you are awaiting a response. If a recipient has not replied to your email within three days, Nudge places a copy of the email you sent in your Inbox and flags it with a message such as “Sent 4 days ago. Follow up?”

To determine which emails should be flagged, Gmail uses artificial intelligence technologies, including machine learning. As time goes on, Gmail should more accurately determine what is truly important to you. If you find that is not the case, you can disable the Nudges feature.

4. Native Offline Support

Google has fulfilled customers’ requests for native offline support in Gmail. The offline version works exactly like the online version. This means that you can, for example, write emails, search your Inbox, and delete unwanted messages even if you are on a plane. When you are back online, Gmail will automatically sync the two versions.

These Password Recommendations Might Surprise You

The US National Institute of Standards and Technology (NIST) has some surprising recommendations that might prompt you to rethink your business’s password policies. Learn why change is needed and what NIST is recommending that companies do.


It’s time for a pop quiz. Is the following statement true or false?

It is best for businesses to require that employees create long, random passwords that include mixed-case letters, numbers, and symbols.

For a long time, the prevailing belief was that this statement was true, so many companies included composition rules in their password policies. However, the US National Institute of Standards and Technology (NIST) now believes these rules are hurting rather than helping businesses.

In a perfect world, employees follow their companies’ password policies and create long, random passwords that include mixed-case letters, numbers, and symbols. The passwords are strong and thus much harder to hack. However, these complex passwords are also much harder to create and remember, especially if employees are required to frequently change their passwords. As a result, in the real world, employees tend to create shorter passwords and often use tricks such as letter substitution. For example, they might use a zero for the letter “o” and an @ sign for the letter “a” to create passwords such as “MyP@ssw0rd”. Cybercriminals know these tricks, so passwords like “MyP@ssw0rd” are far from strong, even though they contain mixed-case letters, symbols, and numbers.

Because of these issues, NIST now recommends that organizations follow different password practices. They include using passphrases, eliminating periodic password changes, and validating passphrases.

Use Passphrases

Instead of forcing people to create complex passwords that include numbers, symbols, and mixed-case letters, NIST recommends using “memorized secrets” — passphrases that are simple, long, and easy to remember.

When creating memorized secrets, people do not have to follow any composition rules. They can use any characters they want (including spaces), as long as the passphrases are very long. Longer passwords are cryptographically harder to break than shorter ones, even if the shorter ones include special characters, according to Paul Grassi, a senior standards and technology advisor at NIST.

Plus, passphrases without special characters are much easier to remember. For example, “potbellied puppies rule” is more memorable than “mN8b%Rc7”. Plus, “potbellied puppies rule” is much harder to crack. On an average computer, it would take more than 10,000 centuries to hack using a brute-force password-cracking tool, according to Kaspersky Lab’s password strength checker. Even the shorter passphrase “potbellied puppies” would take 11 centuries. In contrast, it would take only 12 days to crack “mN8b%Rc7” and just 3 minutes to hack “MyP@ssw0rd”.

While the passphrase needs to be something that the creator will readily remember, other people should not be able to guess it. For example, an employee should not create a memorized secret consisting of family members’ names. This information often can be gleaned from publicly available data sources such as social networking sites.

Plus, it is important to keep in mind how many passphrases employees will need to remember. Having to remember a bunch of them might prove difficult, prompting some people to write them down. A better option would be to use a password manager. Employees could create and use a passphrase to access the password manager and then use the tool’s random password generator to create strong passwords for their business accounts.

Eliminate Periodic Password Changes

Businesses often require employees to change their passwords periodically (e.g., every 90 days). NIST recommends that this practice be eliminated. Here’s why: An expired password usually does not motivate people to create a brand new strong password, according to Grassi. Instead, it motivates them to change a few characters in the old password or follow the next logical progression in a password system they developed. Frequent password changes can also compel people into using another account’s password so that they have one less password to remember. All of these actions can result in weak passwords.

The bottom line is that memorized secrets should not have an expiration date. The only time a passphrase needs to be changed is if it has been compromised or an employee requests a change.

Validate Passphrases

NIST recommends that organizations validate passphrases when people initially create or change their memorized secrets. After an employee enters a new passphrase, it should be checked against a list of passwords known to be compromised, expected, or commonly used. If the employee’s passphrase is on the list, the validation system should reject it and prompt the employee to enter a different one.

Each company needs to determine what to include on the list. For instance, the list might include the following:

  • Passwords exposed in known data breaches (e.g., entries in the Pwned Passwords database)
  • Passwords consisting of repetitive characters (e.g., “zzzzzzzzzzzzzzzzzzzzzzzzz”)
  • Passwords consisting of sequential characters (e.g., “123456890987654321” or “qwertyuiop”)
  • Passwords containing context-specific terms (e.g., a username or email address)
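As an added example (not from the article or from NIST), here is a Python validator that applies the checks just listed: a breach/common-password blocklist, repetitive and sequential characters, and context-specific terms. The blocklist contents are constructed, the 8-character minimum follows NIST SP 800-63B, and undoing letter substitutions before the blocklist lookup is an assumption added so that tricks like “MyP@ssw0rd” do not slip through.

```python
"""Passphrase validation along the lines NIST recommends for memorized secrets."""
import re

# Constructed stand-in for a breach / common-password blocklist. In production
# this would be fed from a source such as the Pwned Passwords database.
SAMPLE_BLOCKLIST = {"password", "mypassword", "123456", "qwerty", "letmein"}

# NIST SP 800-63B sets 8 characters as the floor for user-chosen secrets.
MIN_LENGTH = 8

# Common substitutions seen in "MyP@ssw0rd"-style passwords, undone before the
# blocklist lookup so the substitution trick does not defeat the check (assumption).
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "!": "i"})

# Alphabet, digits and keyboard rows used for the sequential-character check.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def normalize(secret):
    """Lowercase and collapse runs of whitespace; spaces themselves are allowed."""
    return re.sub(r"\s+", " ", secret.strip().lower())


def is_blocklisted(secret, blocklist):
    """Exact match against the blocklist, before and after undoing substitutions."""
    s = normalize(secret)
    return s in blocklist or s.translate(LEET) in blocklist


def is_repetitive(secret, run=4):
    """True if the whole secret is one unit repeated ("abcabcabc", "zzzz...")
    or it contains a run of `run` identical characters."""
    s = normalize(secret)
    whole = re.fullmatch(r"(.+?)\1+", s) is not None
    streak = re.search("(.)\\1{%d,}" % (run - 1), s) is not None
    return whole or streak


def has_sequential_run(secret, run=4):
    """True if the secret contains `run` consecutive characters of any known
    sequence, forwards or backwards ("1234", "uiop", "dcba")."""
    s = normalize(secret)
    for seq in SEQUENCES:
        for base in (seq, seq[::-1]):
            if any(base[i:i + run] in s for i in range(len(base) - run + 1)):
                return True
    return False


def context_term_in(secret, context, min_len=3):
    """Return the first context token (username, email part, company name)
    found inside the secret, or None."""
    s = normalize(secret)
    for term in context:
        for token in re.split(r"[^a-z0-9]+", term.lower()):
            if len(token) >= min_len and token in s:
                return token
    return None


def validate_passphrase(secret, context=(), blocklist=SAMPLE_BLOCKLIST):
    """Return the list of reasons to reject `secret`; an empty list means accepted."""
    reasons = []
    if len(normalize(secret)) < MIN_LENGTH:
        reasons.append("too_short")
    if is_blocklisted(secret, blocklist):
        reasons.append("blocklisted")
    if is_repetitive(secret):
        reasons.append("repetitive")
    if has_sequential_run(secret):
        reasons.append("sequential")
    token = context_term_in(secret, context)
    if token:
        reasons.append(f"context:{token}")
    return reasons


if __name__ == "__main__":
    for candidate in ["potbellied puppies rule", "MyP@ssw0rd", "qwertyuiop"]:
        print(repr(candidate), validate_passphrase(candidate) or "accepted")
```

Note that the validator accepts “potbellied puppies rule” with no composition rule at all, while “MyP@ssw0rd” is rejected because it is “mypassword” in disguise.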

Not Sold? There Are Other Options

NIST’s recommendations represent a significant divergence from current password practices. If you are not sold on the proposed changes, there are other ways to mitigate the risks brought about by weak passwords. For example, you might consider using two-step verification. We can go over all your options and help you implement the solution you feel is best for your business.

5 Sections You Might Want to Include in Your Cloud Computing Policy

Having a cloud computing policy is important if your business uses cloud services. Here are five sections that you might want to include in it.


If your business uses cloud services, it is a good idea to have a cloud computing policy. It can help ensure that the cloud services are being used appropriately and productively.

With so many different types of clouds (e.g., public, hybrid, private) and cloud services (e.g., data storage, email, backups), there isn’t a one-size-fits-all policy that companies can use. The requirements and expectations that need to go into this policy will depend on the types of clouds and cloud services being used, and a company’s IT and security practices.

Similarly, there is no single right way to present the material. The information just needs to be presented in a logical manner. One approach is to follow the organizational structure used in your acceptable use policy, adapting it where needed. When following this approach, you might want to include the following five sections in your cloud computing policy:

1. Overview Section

Some employees might not be familiar with cloud services, so you might want to begin your cloud computing policy with a section that gives an overview or background information on them. This section needs to be easy to understand, even for technically challenged people. Keep it short and avoid using technical jargon.

The overview section is also a good place to state the purpose of the policy. If you are not sure of what to say, check out the purpose statements in these policies:

2. Scope Section

A cloud computing policy should include a section that notes its scope. In other words, this section should specify to whom the policy applies. Besides pertaining to employees, the policy might also apply to other groups, such as temporary workers or contractors if they use a cloud service to carry out their duties.

Some businesses also specify the types of clouds to which the policy applies. For example, they might state that the policy pertains to all types of external cloud services.

3. Policy Section

The cloud computing policy must have a section that lists the requirements and expectations associated with using cloud services. Here is a sampling of the types of requirements and expectations you might find in this section:

  • Processes that must be followed when evaluating and selecting cloud service providers
  • Legal requirements (e.g., cloud service usage must comply with all current laws and regulations, including data privacy regulations)
  • IT requirements (e.g., cloud service providers must comply with the company’s IT security and risk management policies as well as any other policies that might apply)
  • Practices that employees must follow (e.g., need to get prior authorization to open a new cloud service account specifically for business purposes)
  • Unacceptable practices (e.g., employees cannot share their cloud service passwords or use their personal cloud services for work)

4. Guidance Section

Some cloud computing policies include a section that provides guidance on how to meet the outlined requirements and expectations. For example, this section might discuss what kind of assessments must be done when evaluating and selecting a cloud service provider (e.g., conduct security and risk assessments of potential providers) and who is to perform them.

Similarly, the guidance section might discuss the process employees should follow to get a cloud service authorized for use. Companies sometimes even provide a list of pre-approved cloud services.

5. Policy Compliance Section

The compliance section is often the shortest one. That does not make it any less important, though. Besides describing how to handle policy exceptions, this section spells out the consequences associated with not complying with the cloud computing policy.

Data on Millions of Individuals and Businesses Scraped and Left Unprotected

A data firm used web scraping to collect the data it needed to create in-depth profiles on millions of people and businesses. Discover what web scraping is and why it can both help and hurt your business.


The data firm LocalBlox is in the business of building and selling profiles of people and companies. The firm uses web scraping to collect data from various websites, combines it with other data (e.g., purchased marketing data), and then stitches the information together to create comprehensive profiles of businesses and individuals.

For example, an individual’s profile might include the person’s name, age, addresses (IP, physical, and email), phone number, job title, current employer, income level, and lifestyle information (e.g., pet owner). A company’s profile might include its name, addresses (IP, physical, and email), phone number, annual sales, year of establishment, industrial classification (NAICS), and number of Facebook Likes. LocalBlox sells these profiles to anyone interested in using them for targeted advertising, political campaigning, or other purposes.

The firm had stored the profiles — and the 48 million data records used to create them — in a storage container (aka bucket) in the Amazon Simple Storage Service (Amazon S3) public storage cloud. Even though this bucket was unlisted, a cyber risk team found it and discovered that it was not protected with a password. As a result, the team was able to access the data, which was in human-readable format. After the team notified LocalBlox about the issue, the firm secured the bucket.

Anyone could have downloaded the bucket’s contents while it was unsecured, just like the cyber risk team did. It is unknown whether or not any hackers took advantage of this situation. In either case, this incident highlights the importance of companies password-protecting any data they store in the cloud. It also calls attention to a common practice that businesses need to be aware of: web scraping.

Web Scraping 101

To collect publicly available content from websites, people use a process called web scraping. Typically, it involves using bots and other automated technologies to extract data from sites. Search engines use this process to return and rank search results.

Firms like LocalBlox also use web scraping to collect data for marketing, data mining, and other business uses. Based on the types of information found in the profiles, LocalBlox likely scrapes data from businesses’ websites, social networks (e.g., LinkedIn, Facebook), and other types of sites.

Is It Legal?

Web scraping is usually done without the knowledge or consent of the people whose data is being collected. Although this might sound illegal, there are no laws against it in many parts of the world, including the European Union and the United States. However, any company scraping EU citizens’ data needs to comply with the General Data Protection Regulation (GDPR). The requirements include getting citizens’ consent to collect, process, and store their personal data. Plus, companies must provide an easy way for people to withdraw their consent. Since bots scrape large amounts of data automatically, meeting GDPR requirements might prove very difficult.

In the United States, there have been a few court cases dealing with using scraped information for data mining. In a notable 2017 case, a small firm, hiQ Labs, sued Microsoft when the software giant ordered the company to stop scraping the data publicly posted by LinkedIn users. The judge ruled that Microsoft must let hiQ Labs scrape this LinkedIn data — a decision that Microsoft is appealing.

Web Scraping Can Be Both Helpful and Harmful

Web scraping can be beneficial. It lets your business be included in search engine results. However, it has the potential to cause harm as well. Firms might use the data they collect for illegal or unethical purposes, such as stealing copyrighted data or undercutting prices. In addition, cybercriminals might also scrape websites to get information for use in cyberattacks. Thus, it pays to take a few precautions:

  • Be mindful about what you post on your business’s website and on social media sites (e.g., your company’s LinkedIn or Facebook page). Assume any information you provide on your website and on social media sites will be gathered, sold, and possibly used for illegal or unethical purposes.
  • Create a social media policy to help guide employees on what is acceptable when it comes to talking about your business on their personal social media pages. Asking employees to use common sense when posting online can go a long way in helping protect your company while preserving their legal rights.
  • Consider using technology to guard against malicious web scraping. Solutions are available that can analyze web traffic to identify malicious bots by looking at their IP addresses, their behaviors, and other indicators. We can help you determine whether such a solution is warranted for your business.

What You Need to Know about Progressive Web Apps

Progressive web apps (PWAs) give businesses a third option when it comes to interacting with mobile devices users. Discover what PWAs are and the advantages of using them.


If you haven’t heard much about progressive web apps (PWAs) yet, that’s about to change. Although Google introduced them back in 2015, these apps are only now being thrust into the limelight, thanks in part to Microsoft’s official support for them in the Windows 10 April 2018 Update. Here is a quick rundown of what PWAs are and the advantages they offer.

PWAs Explained

Until a few years ago, businesses that wanted to connect with mobile device users had two choices: offer a native mobile app or create a mobile website. Nowadays, there is another option: provide a PWA.

PWAs are basically mobile apps delivered through web browsers, according to mobile solution experts. They include advanced technologies, the most notable of which is the service worker. According to Google, a service worker is a script that web browsers run in the background, separate from a web page. This script is what makes many of the PWA’s unique features possible.

The Google Chrome web browser has supported service workers for quite some time. Microsoft Edge also now supports them, thanks to the Windows 10 April 2018 Update. And Apple quietly added service worker support in Safari in the March 2018 release of iOS 11.3.

The Benefits of Using PWAs

Because PWAs use service workers and other advanced technologies, they offer several advantages, including:

  • PWAs have app-like qualities even though they run in a browser. For example, PWAs run in a separate window like native mobile apps do.
  • They can run offline.
  • PWAs usually load much faster than native mobile apps or mobile websites.
  • The same PWA typically works on any browser that supports the PWA’s underlying technologies (e.g., service workers).
  • You do not need to download and install a program from an app store to use a PWA.
  • PWAs update themselves much in the same way a web page updates when it is refreshed. As a result, users do not have to update PWAs like native mobile apps. This makes PWAs easier to use and often more secure, as many mobile device users do not regularly update their apps.

How Your Business Can Take Advantage of PWAs

Because of the benefits they offer, the popularity of PWAs is expected to increase rapidly. Companies such as Twitter, Forbes, and Google Maps already offer them. Even if you do not want to create a PWA to use to engage your customers, you might find them to be a useful tool in your own operations. For instance, you might use Twitter’s PWA, Twitter Lite, to post and respond to tweets about your business.

How to Troubleshoot Google Service Outages

When a cloud service suddenly stops, people often wonder “Is the whole system down?” The G Suite Status Dashboard can answer this question when a Google service is interrupted. Here is where you can find this dashboard.


Just like in a power outage, when Gmail or another Google service suddenly stops working, your first thought is likely “Is it just me or is the whole system down?” Unlike a power outage, you cannot simply look out your window to see whether neighboring buildings are experiencing a Google service outage. You can, however, check the G Suite Status Dashboard. It provides the status of more than 20 free and paid Google services, including Gmail, Google Docs, and Google Drive.

To access the dashboard, you just need to go to https://www.google.com/appsstatus#hl=en&v=status in your favorite web browser. This URL is not easy to remember, so you might want to bookmark this page.

In the “Current Status” column of the dashboard, you will see the services listed. Next to each service is a visual indicator of its status. A green indicator means that the service is running without any issues. When the indicator is red (service outage) or orange (service disruption), there is a problem on Google’s end. During a service disruption or outage, Google typically provides information about the issue and when it is expected to be resolved.

The G Suite Status Dashboard also includes a history of the service disruptions and outages that occurred in the past two months. This can come in handy if you are experiencing recurring problems. For instance, if you are regularly having problems staying connected to your Gmail account, you can check the history to see whether there were any service disruptions or outages on those days. If you find that there were not any issues on Google’s end, we can troubleshoot and fix the problem for you so that you can work without disruption.

5 Ways the Windows 10 April 2018 Update Can Help You Be More Productive

Microsoft has released the first major 2018 update for Windows 10. Here are five features that can help you and your employees work more efficiently.


On April 30, Microsoft officially released the Windows 10 April 2018 Update (formerly known as the Spring Creators Update). It is the first of two major updates expected in 2018. Microsoft will start rolling it out through the automatic update feature in Windows Update on May 8. Microsoft also offers a way to manually initiate the download and installation process.

The Windows 10 April 2018 Update contains many new features and enhancements. Here are five features that can help you and your employees work more efficiently:

1. Focus Assist

If you have been using Windows 10 for a while, you likely have seen notifications popping up in the lower right corner of your screen. Besides being distracting, they block a portion of the screen, which might force you to stop working.

Once the Windows 10 April 2018 Update is installed, you will have much more control over these notifications. The update renames and significantly expands the functionality of the little-known Quiet Hours feature. Now called Focus Assist, the tool lets you block unwanted notifications and alerts so that you can work more productively.

You can choose what kinds of notifications you want to receive using three modes:

  • “Off” (get all notifications)
  • “Priority only” (only get notifications from the apps and contacts that you specified on your priority list)
  • “Alarms” (block all notifications, except alarms)

You also have the ability to set automatic rules. For example, you can schedule the “Priority only” mode to kick in from 1 pm to 5 pm each day.

2. Timeline

Instead of having to dig through folders to find a report you worked on last week, you can use the new Timeline feature to quickly find it. Timeline shows you what activities and apps you have used on your computer in the past 30 days and lets you resume working on them with a single click.

If you use a Microsoft account to log into multiple Windows 10 computers (e.g., laptop, desktop), Timeline will include your activities and apps across all those machines. You can even see what you were working on in Office 365 and Microsoft Edge on your smartphone or tablet and resume those activities on your Windows 10 computer by clicking them.

3. Nearby Sharing

With Windows 10’s new Nearby Sharing feature, you and your employees can share files, contacts, and websites over a Bluetooth or Wi-Fi connection. To help make the process painless, Windows 10 automatically determines and selects the fastest way to share an item (Bluetooth or Wi-Fi).

You can also use Nearby Sharing to quickly transfer files between the computers you use, provided you use the same Microsoft account for those devices. For instance, you might send a file you created on your laptop computer to your desktop PC. If you want to use the Nearby Sharing feature for this purpose only, you can configure it to only share items with your devices.

4. Startup Apps Page

A new Startup Apps page in the Settings tool lets you easily specify which apps Windows 10 should automatically launch when you log in. This can be a time-saver if you run certain apps every day. For example, you might have your email app, web browser, and word processing software automatically open whenever you log in. Windows 10 is able to launch both Microsoft and third-party apps during startup.

5. Support for Progressive Web Apps

The April 2018 Update is adding support for progressive web apps (PWAs) in Microsoft Edge. Put in the simplest terms, PWAs are mobile apps delivered through web browsers, according to mobile solution experts. Examples of PWAs include Twitter Lite and Google Maps Go.

The advanced technologies integrated into these apps offer users some notable advantages. For example, PWAs typically load much faster than native mobile apps or mobile websites. Plus, PWAs update themselves, so you do not have to do it, which saves time.

How to Protect Your Business from Credential Stuffing Attacks

Around 5 billion stolen credentials are available on the dark web, and cybercriminals like to use them in credential stuffing attacks. Learn how credential stuffing attacks work and what you can do to protect your company from them.

Around 5 billion stolen credentials are up for grabs, according to security researchers who monitor the dark web. These credentials, many of which come from data breaches, are exploited by numerous cybercriminals.

Cybercriminals know that many people reuse their passwords, so they use the stolen usernames and passwords in credential stuffing attacks. In this type of attack, hackers use botnets to test stolen credentials on various websites in hope that they find a match and gain access. This automated testing is done slowly using many different IP addresses to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.

Credential stuffing attacks are proving to be particularly problematic for companies. They are now the single largest source of account takeovers on web and mobile apps, according to one 2017 study.

There are several measures you can take to protect your business from credential stuffing attacks. For starters, let your employees know about the dangers of reusing passwords. Encourage them to create a unique password for not only their business accounts but also their personal ones. That way, if one of their personal account passwords is stolen in a data breach, hackers won’t be able to use it to access your company’s accounts.

Another way to protect your business is to set up two-step verification systems for your business’s web and mobile apps. With two-step verification, people need to provide an additional piece of information to log in, such as a one-time security code. Also encourage employees to use two-step verification for personal online accounts when possible. Many cloud service providers, retailers, and financial institutions now provide this functionality.

Finally, you might consider using a credential validation service (e.g., EyeOnPass). Each time someone tries to register, log in, or change their account password, the service checks the password against a database of known compromised credentials. If found in the database, the person is informed and required to change their password.
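As an added example (not from the article), the Python below runs two detections over a constructed login log: the classic per-IP failure threshold the article mentions, which a slow, distributed run never trips, and a window check that flags failures spread across many IPs and many accounts. The log format, the thresholds, and the /24 heuristic used to spot the one successful login inside the wave are all assumptions.

```python
"""Detecting a slow, distributed credential stuffing run in login logs."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp>Z login user=<name> ip=<addr> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_log():
    """Constructed sample log (not real data): one clumsy but legitimate user,
    then a stuffing wave that tries each stolen pair once from its own IP,
    paced so that no single IP ever reaches a 3-failure lockout."""
    base = datetime(2018, 5, 1, 10, 0, 0)
    lines = []
    for i, res in enumerate(["fail", "fail", "ok"]):
        ts = (base + timedelta(seconds=20 * i)).strftime(TS_FMT)
        lines.append(f"{ts} login user=bob ip=198.51.100.7 result={res}")
    for n in range(12):
        ts = (base + timedelta(seconds=45 * n)).strftime(TS_FMT)
        res = "ok" if n == 7 else "fail"  # one reused password matched: a takeover
        lines.append(f"{ts} login user=user{n:02d} ip=203.0.113.{10 + n} result={res}")
    return lines


def parse_events(lines):
    """Parse login records into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # anything that is not a login record is ignored
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def per_ip_lockouts(events, threshold=3):
    """The classic alert: an IP with `threshold` or more failures.
    A distributed stuffing run stays under it on every IP."""
    fails = Counter(e["ip"] for e in events if e["result"] == "fail")
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def stuffing_windows(events, window=timedelta(minutes=10), min_failures=10, spread=0.8):
    """Flag a window in which almost every failure comes from a different IP
    and targets a different account: the signature of a once-per-pair
    stuffing run, regardless of how slowly each IP is paced."""
    fails = [e for e in events if e["result"] == "fail"]
    alerts = []
    i = 0
    while i < len(fails):
        start = fails[i]["ts"]
        batch = [e for e in fails[i:] if e["ts"] - start <= window]
        n = len(batch)
        ips = {e["ip"] for e in batch}
        users = {e["user"] for e in batch}
        if n >= min_failures and len(ips) >= spread * n and len(users) >= spread * n:
            alerts.append({"start": start, "end": start + window, "failures": n,
                           "distinct_ips": len(ips), "distinct_users": len(users),
                           "ips": ips})
            i += n  # one wave yields one alert
        else:
            i += 1
    return alerts


def suspicious_successes(events, alerts, min_neighbours=3):
    """Successful logins inside a flagged window from the same /24 as at least
    `min_neighbours` of the wave's failing IPs. Crude heuristic (assumption:
    the run comes from one address pool); these accounts are the likely
    takeovers to investigate and force a password reset on."""
    hits = []
    for a in alerts:
        wave_nets = Counter(ip.rsplit(".", 1)[0] for ip in a["ips"])
        for e in events:
            if e["result"] != "ok" or not (a["start"] <= e["ts"] <= a["end"]):
                continue
            if wave_nets[e["ip"].rsplit(".", 1)[0]] >= min_neighbours:
                hits.append((e["user"], e["ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(constructed_log())
    print("per-IP lockouts:", per_ip_lockouts(evs))
    found = stuffing_windows(evs)
    print("stuffing windows:", found)
    print("likely takeovers:", suspicious_successes(evs, found))
```

On the constructed log the per-IP rule reports nothing, while the window check flags the wave and points at the one account whose reused password matched.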

Wiggle a Window to Declutter Your Desktop

Having many applications and files open and stacked on top of each other can make it hard to work. Discover a fast way to get rid of the clutter.

If you have many applications and files open and stacked on top of each other when working on your computer, you are not alone. It is a common sight on computers in businesses worldwide. This clutter can make it hard to access the desktop or concentrate on the task at hand.

To declutter your desktop, you could take the time to minimize each window. However, if your computer is running Windows 7 or a later version, there is a much faster way. You just need to wiggle a window.

When you want to minimize all the windows on your desktop except for the one you are working on, all you need to do is:

    1. Click somewhere at the top of that window.
    2. Wiggle the window until all the other windows have minimized.

To maximize all your windows again, simply repeat these two steps.

If you do not like the wiggling technique, there is an alternate method you can use. On your keyboard, press the Windows logo key and the Home key at the same time. This keyboard shortcut works for both minimizing and maximizing all the inactive windows.

It is important to note that the wiggling technique and keyboard shortcut won’t minimize a few types of windows, such as Windows security warnings. This is by design since they are meant to be seen and read when they pop up. Plus, the wiggling technique and keyboard shortcut won’t work if you have an open dialog box in any window. For example, it won’t work if you have the “Font” dialog box open in a Microsoft Word file.

8 Policies to Protect Your Business’s IT Assets

IT policies are important to have because they can help ensure that your company’s IT resources are being used appropriately and productively. Here are eight IT policies often found in companies.

Writing IT policies is not exactly fun, but it is important. They help ensure that a company’s IT resources are used appropriately and productively. Besides documenting requirements and expectations, IT policies often discuss the consequences of policy violations.

There are many different types of IT policies. For example, some IT policies document what must be done to safeguard business data. Other policies outline the actions needed to protect a company’s IT equipment and services. There are even policies that cover whether employees can use their personal devices for work.

Putting all the IT policies into one document would be enough to scare off even the most enthusiastic business leader from writing it and the most diligent employee from reading it. A better approach is to write a separate policy for each area important to a business. Here are eight IT policies commonly found in companies:

1. Acceptable Use Policy

The acceptable use policy covers what is expected of employees when they are using a company’s IT equipment (e.g., computers, printers) and services (e.g., email, Internet access). For example, when traveling for business, employees might be expected to use a company-provided laptop and virtual private network (VPN) to access files on the main network. Equally important, this policy also covers what is unacceptable. For instance, this type of policy typically states that employees must not engage in any illegal or inappropriate activities using the company’s IT equipment and services.

By its very nature, the acceptable use policy covers many IT assets. For this reason, companies sometimes create separate policies for certain resources. For example, rather than include an “email services” section in the acceptable use policy, they create a separate email policy.

2. Password Policy

Cybercriminals often count on being able to crack passwords when they attack businesses. One 2017 study found that more than 80% of hacking-related data breaches involved weak, default, or stolen passwords. Thus, it is important to have a password policy. This type of policy usually covers guidelines for creating strong passwords, how often passwords should be changed, and other password requirements (e.g., do not reuse or share).

3. Privacy Policy

Companies typically collect and store a lot of personal information about customers, employees, and other people with whom they interact. Examples of personal data include names, credit card numbers, driver license numbers, birthdates, home phone numbers, and personal email addresses.

Companies document how they are collecting, storing, using, and disposing of personal data in privacy policies. Some businesses create both an employee-facing privacy policy and a customer-facing privacy policy (e.g., a privacy policy to post on a website). In the latter case, businesses might disclose if customers’ data is being shared with or sold to third parties.

When writing privacy policies, it is important to comply with any laws and regulations governing them. For example, if businesses collect personal information from California residents on their websites, California state law requires the companies to conspicuously post a privacy policy that includes specific information, such as the types of personal information being collected.

4. Data Governance Policy

Data is a crucial element in most businesses’ operations. The data governance policy describes the measures that must be taken to manage the data when it enters, goes through, and exits a company’s systems. Specifically, the policy documents how a company is making sure that its data is:

    • Accurate, complete, and consistent across data sources (i.e., data integrity)
    • Easy to gather, access, and use
    • Secured at all times

The data governance policy also identifies the people responsible for maintaining the security and integrity of the data. Plus, if applicable, it might mention any third parties that play a role in the company’s data management processes.

5. Disaster Recovery Policy

Most companies have disaster recovery plans that discuss the processes and procedures to be used to recover IT systems, applications, and data if a disaster occurs. Having a disaster recovery plan is crucial, but it is also important to have a disaster recovery policy.

A disaster recovery policy requires that the disaster recovery plan be tested and periodically updated. This policy helps the disaster recovery plan go from being words on paper to processes and procedures that will be ready for implementation if catastrophe strikes.

The disaster recovery policy identifies who is responsible for developing, testing, and updating the company’s disaster recovery plan. In addition, it often discusses, in broad terms, recovery requirements, such as allowable downtime and how to ensure business continuity in the event of downtime.

6. Cloud Policy

Cloud policies specify the person or group responsible for evaluating and selecting cloud service providers. They also usually include what must be done during that process, such as conducting security and risk assessments of potential providers.

In addition, cloud policies often explicitly state that:

    • Employees are not allowed to use their personal cloud services for work. For example, they cannot store business data in a personal Dropbox or Google Drive account.
    • Employees cannot open a new cloud service account specifically for business purposes without prior authorization. In this case, policies sometimes document how employees can get approval or they list pre-approved cloud services.

Cloud policies can also cover other areas such as compliance requirements (e.g., how the cloud service provider must comply with the company’s privacy policy) and exit strategies.

7. BYOD Policy

Employees are increasingly using their personal smartphones and other mobile devices for work. This is prompting many companies to develop Bring Your Own Device (BYOD) policies to govern the use of employee-owned devices in the workplace. These policies often discuss:

    • What (if any) personal mobile devices can be used for work
    • What can and cannot be done with those devices (e.g., allowed to access emails but not download files)
    • How employees are supposed to connect to the company network (e.g., through a VPN)
    • The degree to which the IT staff will support the employee-owned devices

8. Social Media Policy

People post many details about their professional and personal lives on social media networks. Companies use social media policies to document their expectations regarding the nature and tone of the information being posted. These policies also define how a company will manage and monitor the online behavior of employees.

Social media policies need to strike a balance between a company’s needs and the legal rights of its employees, given the country in which the business operates.