itmystery.com

Tag: data security

  • Acceptable Use Policy: Simple Steps Employees Will Follow

    Key Takeaway: A simple acceptable use policy (AUP) sets clear, common-sense rules for using company technology. It protects your data, prevents legal issues, and ensures employees understand their responsibilities for email, internet use, and company devices. A great AUP is a one-page document written in plain English, not a legal tome.

    Why Does My Small Business Need an AUP?

    Many small business owners trust their employees and feel a formal policy is unnecessary. The real issue isn’t trust; it’s clarity. An Acceptable Use Policy (AUP) prevents honest mistakes and misunderstandings that can cost your business dearly.

    Without clear rules, an employee might accidentally click a phishing link, install unapproved software that contains malware, or use the company network for an activity that creates a legal liability. The goal of an AUP is not to police your team. It is to provide a simple set of guidelines that protects everyone—the employees, the business, and your customers.

    An AUP serves three critical functions. First, it protects sensitive data, like customer lists and financial records, by establishing basic security habits. Second, it reduces legal risk from things like copyright infringement or online harassment. Finally, it sets consistent, fair expectations for every person in the organization, which prevents confusion and arguments down the road.

    What This Guide Covers

    This guide provides a complete roadmap for creating and implementing a simple acceptable use policy that works for a small organization. You will learn how to define the core rules that protect your business without creating unnecessary restrictions for your staff. We will show you how to communicate the policy effectively so that every employee understands and remembers it. This guide also provides a clear framework for what to do when a policy is violated, ensuring fairness and consistency. Finally, you will get access to a straightforward template you can adapt for your own organization in under an hour.

    What Exactly Is an Acceptable Use Policy (AUP)?

    An Acceptable Use Policy, or AUP, is a document that outlines the rules for using an organization’s technology and information resources. Think of it as the “house rules” for your digital workplace. It tells employees what they can and cannot do with company equipment and services.

    These resources include more than just the computer on their desk. An AUP covers the entire technology ecosystem you provide, including:

    • Company-owned computers (desktops and laptops)
    • The office network (wired and Wi-Fi)
    • The internet connection you pay for
    • Company email accounts (e.g., [email protected])
    • Cloud services like Microsoft 365, Google Workspace, or Dropbox
    • Company-provided mobile phones or tablets
    • Business software and applications

    An AUP is not a highly technical security manual. It focuses on user behavior rather than technical configurations. Its purpose is to guide employee actions to prevent security incidents and legal problems.

    The best analogy for an AUP is the list of rules posted at a public swimming pool. The sign doesn’t teach you how to swim, but it gives you clear, simple rules like “No Running” and “No Diving in the Shallow End.” These rules aren’t there to ruin the fun; they exist to keep everyone safe and prevent accidents. A good AUP does the same for your business technology.

    How Can I Make My AUP Simple & Practical?

    The biggest mistake organizations make with an AUP is creating a 20-page legal document filled with jargon that no one ever reads. An unread policy is a useless policy. To be effective, your AUP must be simple, practical, and easy to understand.

    Keep It to One Page.
    The single most important step is to limit the document’s length. If you can’t fit the essential rules on one side of a single sheet of paper, it’s too complicated. This constraint forces you to focus only on what truly matters.

    Use Plain English.
    Avoid legal terminology and technical acronyms. Write for a smart person who is not an IT expert. Instead of “Users shall not execute unsolicited binary attachments,” write “Do not open or run attachments in emails from people you don’t know.” The meaning is identical, but the second version is understandable to everyone.

    Explain the “Why.”
    People are more likely to follow a rule if they understand the reason behind it. A brief explanation turns a command into a shared goal. For example, add a “why” to your password rule: “Do not share your password with anyone, because this protects your work and the company’s data from unauthorized access.”

    Focus on Core Risks, Not Every Possibility.
    Don’t try to write a rule for every conceivable bad thing that could happen. Concentrate on the top 5-6 risks that affect nearly every small business: weak passwords, phishing emails, malware from unauthorized software, data loss from stolen devices, and inappropriate web use.

    Frame It as a Shared Responsibility.
    An AUP shouldn’t feel like a list of punishments. Frame it as a collective effort to protect the company, its data, and ultimately, everyone’s jobs. Use language like “To protect our organization and our clients…” to create a sense of shared purpose.

    Before You Start

    • List Your Tech Resources: Make a quick list of all the technology your employees use. Include email systems (like Google Workspace or Microsoft 365), cloud storage (like Dropbox or OneDrive), specific business software, and any company-provided devices.
    • Identify Your Most Sensitive Data: What information would be most damaging if it were leaked or lost? This could be customer financial data, employee personnel files, or your proprietary business plans.
    • Decide Who’s in Charge: Designate one person (it could be you) as the point of contact for questions about the AUP and for reporting security incidents.
    • Check Your Current Security Basics: Confirm that all company computers have updated antivirus software and that your office network is protected by a firewall. An AUP works best when it’s supported by basic technical controls.
    • Review Your Employee Handbook: If you have an employee handbook, read through it to make sure your new AUP won’t contradict any existing policies on conduct or discipline.
    • Consider Personal Device Use: Decide on your company’s stance on employees using their personal phones or laptops for work. This is often called a Bring Your Own Device (BYOD) policy, and your AUP needs to address it.

    What Key Rules Should My AUP Cover?

    A simple, effective AUP is built around a few key categories of behavior. Your policy should include clear and concise rules in each of these areas. Below are the essential components to include, which you can adapt for your organization.

    Data Security and Passwords

    This section is about the fundamental habits that protect company information. It’s the digital equivalent of locking the office door at night.

    1. Never share your password. Each employee is responsible for all actions taken under their account, so passwords must be kept confidential.
    2. Use a strong password. Your password should be long (at least 12 characters) and a mix of letters, numbers, and symbols, or you can use a password manager to generate and store them securely.
    3. Lock your computer when you are away. Press Windows Key + L (on Windows) or Control-Command-Q (on Mac) to lock your screen anytime you leave your desk. This prevents anyone from accessing your account while you’re gone.
    4. Report lost or stolen devices immediately. If a company laptop or phone is lost or stolen, report it to your designated contact right away so it can be remotely secured or wiped to protect company data.

    Internet and Web Usage

    The company provides internet access for business purposes. This section clarifies the boundaries for its use.

    1. Illegal activity is prohibited. Do not use the company network or computers for any illegal purpose, including downloading copyrighted material without a license (software piracy, illegal movie downloads).
    2. Inappropriate content is forbidden. Accessing, downloading, or distributing pornographic, hateful, or otherwise offensive material is strictly prohibited on company resources.
    3. Personal use should be reasonable and limited. We understand you may need to check personal email or a news site on a break. This is acceptable, but it should not interfere with your work, consume significant network bandwidth (like streaming movies), or violate any other policy.

    Email and Communication

    Email is a primary tool for business and a primary target for attackers. These rules help keep communication professional and secure.

    1. Be professional and respectful. Do not use company email or messaging systems to harass, threaten, or discriminate against anyone. All communication should reflect positively on our organization.
    2. Beware of phishing attacks. Be cautious of unexpected emails, especially those asking for passwords, financial information, or urging you to click a suspicious link or open an attachment. When in doubt, ask your designated IT contact before clicking.
    3. Company email is not private. Understand that email sent and received on the company system is company property. The organization reserves the right to monitor email to ensure policy compliance and for security purposes.

    Software and Devices

    Controlling what software and hardware connect to your network is one of the most effective ways to prevent malware and data breaches.

    1. Do not install unapproved software. You must get approval from the designated contact before installing any new software on a company computer. Unauthorized software can introduce security vulnerabilities or licensing issues.
    2. Do not connect untrusted hardware. Do not connect personal USB drives, external hard drives, or other devices to your work computer unless they have been approved and scanned for malware.
    3. Follow the rules for personal devices (BYOD). If you use your personal smartphone or laptop for work, you must ensure it is password-protected and has up-to-date security software. The company may require you to install security applications to protect company data on your device.

    How Do I Get Employees to Actually Follow It?

    Creating the document is only the first step. A policy that sits in a forgotten folder has no value. Implementation and communication are what make an AUP effective.

    1. Schedule a Training Session.
    Do not just email the policy and expect people to read it. Schedule a mandatory 20-minute meeting with your entire team. Walk through the one-page document section by section. This is your chance to explain the “why” behind the rules and answer questions directly. A face-to-face (or video call) discussion shows that you take the policy seriously.

    2. Require a Signed Acknowledgement.
    After the training, require every employee—from the owner to the newest hire—to sign a simple form stating they have read, understood, and agree to abide by the Acceptable Use Policy. Keep this signed document in each employee’s personnel file. This step is crucial for accountability and enforcement.

    3. Lead by Example.
    The rules must apply to everyone equally. If management ignores the policy, so will everyone else. When leaders lock their computers when they leave their desks and use strong passwords, it reinforces that these behaviors are part of the company culture.

    4. Provide Gentle, Consistent Reminders.
    Keep the policy top-of-mind without being overbearing. Once a quarter, you might share a quick security tip in a team meeting that relates back to the AUP. For example, you could mention a recent news story about a phishing attack and remind everyone of your policy to be cautious with email links.

    What Happens When an AUP Rule Is Broken?

    Your AUP should include a short statement that violations will result in disciplinary action, up to and including termination of employment. Having a clear, fair, and consistent process for handling violations is essential.

    When an incident occurs, your response should not be a surprise. In my experience, a simple three-step process works best for small organizations:

    1. Investigate the Incident. First, gather the facts. What rule was broken? Was it intentional or an accident? What was the impact on the business? This should be done discreetly by the owner or a designated manager.
    2. Discuss with the Employee. Meet with the employee in private. Present what you found and give them an opportunity to explain their side of the story. Often, a violation is the result of a misunderstanding, which presents a valuable training opportunity.
    3. Apply a Consequence. The consequence should match the severity and intent of the violation. An accidental, first-time mistake might warrant a verbal warning and a review of the policy. A deliberate and serious violation, like installing pirated software or harassing a coworker via email, may justify a formal written warning or immediate termination.

    The most important part of enforcement is consistency. If you enforce a rule for one employee, you must enforce it for all employees in similar situations. This fairness builds trust and reinforces the importance of the policy.

    Where Can I Find a Simple AUP Template?

    You don’t need to start from scratch. You can use the key rules outlined in this guide as the foundation for your policy. A great AUP is not a template you copy-paste, but a document you build using proven components and tailored to your specific business.

    Here is a basic structure to follow. Simply copy this into a word processor and fill in the details based on the sections we’ve discussed.


    [Your Company Name] Acceptable Use Policy (AUP)

    1. Introduction
    This policy outlines the rules for using [Your Company Name]’s technology resources. Its purpose is to protect our employees, clients, and our company. These resources include computers, internet, email, software, and company data.

    2. Data Security and Passwords
    – Keep your password confidential and do not share it.
    – Lock your computer when you are away from your desk.
    – Report lost or stolen company devices immediately.

    3. Internet and Web Usage
    – Do not use company resources for any illegal activity.
    – Accessing inappropriate or offensive content is prohibited.
    – Limited personal use is permitted if it does not interfere with work.

    4. Email and Communication
    – Always be professional and respectful in your communications.
    – Be cautious of phishing emails and suspicious links/attachments.
    – Understand that company email is not private and may be monitored.

    5. Software and Devices
    – Do not install any software without prior approval.
    – Do not connect personal USB drives or other unapproved hardware.

    6. Policy Violation
    Violation of this policy may result in disciplinary action, up to and including termination of employment.

    7. Acknowledgement
    I have read, understood, and agree to abide by this Acceptable Use Policy.
    _________________________
    Employee Signature & Date


    Our Recommendation

    For most small businesses and non-profits, the best approach is a one-page AUP written in plain English. Focus on the five most critical risk areas: password security, safe email habits, responsible internet use, no unauthorized software, and the immediate reporting of lost devices. Hold a brief meeting to explain it, have every single person sign an acknowledgement form, and you will have addressed over 90% of the human-related security risk without needing a complex, expensive legal document. Users also need to understand that they should have no expectation of privacy when using company email, Wi-Fi, or any other company resources. Your AUP should say this explicitly, since putting it in writing is what makes it stick.

    Frequently Asked Questions

    What is an acceptable use policy (AUP)?

    An AUP is a document that sets the rules for how employees can use a company’s technology resources. It covers things like internet usage, email etiquette, password security, and the use of company devices to protect the business from security threats and legal risks.

    Why is an AUP important for a small business?

    It’s important because it provides clarity and sets clear expectations for everyone. An AUP helps prevent security breaches caused by employee error, protects the company from legal liability, and ensures a consistent, fair standard for technology use across the organization.

    Does an AUP need to be a complex legal document?

    No, absolutely not. In fact, a simple, one-page document written in plain English is far more effective than a long legal document that no one reads. The goal is clear communication and understanding, not legal complexity.

    How often should I review and update my AUP?

    You should review your AUP once a year to ensure it’s still relevant. You should also update it whenever your business adopts a significant new technology, such as a new cloud service or a policy allowing personal devices for work.

    Can a simple AUP really protect my business from IT risks?

    Yes. Many of the most damaging IT incidents, like ransomware attacks from phishing emails or data breaches from stolen laptops, begin with a simple human error. A clear, simple AUP that people actually follow is one of the most effective and low-cost ways to reduce these common risks.

    An Acceptable Use Policy isn’t about restricting your team; it’s about creating a safe and productive digital environment for everyone. By keeping your policy simple, clear, and practical, you create a powerful tool that protects your business and that your employees will respect and follow.

  • I Think We Got Phished: What to Do in the Next 24 Hours

    Key takeaway: If credentials were entered on a phishing page, change the password and revoke all active sessions immediately — then check for forwarding rules. Speed matters more than thoroughness in the first hour.

    Someone clicked a link they shouldn’t have. Or an email came through that looked like your bank, your IT vendor, or the CEO — and someone replied. Now you’re not sure what happened or how bad it is.

    Here’s what to do, in order. The first hour matters most.


    Step 1: Don’t panic, but don’t wait either

    Phishing attacks range from “someone entered their email password on a fake login page” to “ransomware is encrypting your file server.” You don’t know which one you have until you look. The worst thing you can do is either catastrophize or ignore it.

    Get the person who received the email to walk you through exactly what happened: What did the email say? Did they click a link? Did they enter any credentials? Did they download anything? Did they open an attachment?

    Write down the answers. You’ll need them.


    Step 2: If credentials were entered, change passwords immediately

    This is the most common phishing outcome for small businesses: someone typed their Microsoft 365, Google, or banking password into a fake login page.

    Do this first:

    1. Change the password for the account they entered credentials for — right now, before reading the rest of this
    2. If it’s a Microsoft 365 or Google Workspace account, sign out all active sessions (Microsoft: admin.microsoft.com → Users → select user → Sign out of all sessions; Google: Admin Console → Users → select user → Reset sign-in cookies)
    3. Enable multi-factor authentication on that account if it isn’t already on

    If the same password was used anywhere else — and it probably was — change it on every site that uses it. This is also a good time to talk to your team about a business password manager.


    Step 3: Check for mail rules and forwarding

    Attackers who successfully access an email account often set up a forwarding rule immediately so they keep receiving mail even after the password is changed. This is easy to miss and expensive to ignore.

    In Microsoft 365: Go to admin.microsoft.com → Exchange admin center → Recipients → Mailboxes → select the affected user → Manage email apps, then check Mailbox → Mail flow settings → Email forwarding. Also look in the user’s own Outlook settings under Settings → Mail → Forwarding.

    In Gmail/Google Workspace: Settings → See all settings → Forwarding and POP/IMAP. Check forwarding addresses. Also check Filters and Blocked Addresses for any rules that redirect or delete messages from specific senders (attackers sometimes delete security alerts to hide activity).

    Delete anything that shouldn’t be there.


    Step 4: Check what the account accessed

    If you have Microsoft 365 Business Premium or an equivalent plan with audit logging, you can see what the account did after the credentials were compromised.

    Microsoft 365: compliance.microsoft.com → Audit → New search → filter by the affected user and the relevant date range. Look for unusual sign-ins, large email exports, SharePoint access, or file downloads.

    If you’re on a basic Microsoft 365 plan without audit logging enabled, you won’t have this history — which is a gap worth addressing before the next incident.

    For unusual sign-in locations or times: Microsoft 365 admin center → Users → the affected user → Sign-in activity.
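    The forwarding, inbox-rule and audit-log checks from Steps 3 and 4 can also be run from Exchange Online PowerShell instead of clicked through the admin center. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed, that you connect with an account holding Exchange admin rights, and that the phished account and your own mail domain are placeholders you replace.

```powershell
# Added example (not from the original post): triage one compromised Microsoft 365
# mailbox from Exchange Online PowerShell. $User and $InternalDomain are placeholders.
param(
    [string]$User = 'alice@example.com',        # placeholder: the phished account
    [string]$InternalDomain = 'example.com',     # placeholder: your own mail domain
    [int]$LookbackDays = 14
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Does any recipient string point outside the organisation?
function Test-ExternalRecipient([string[]]$Recipients) {
    foreach ($r in $Recipients) {
        if ($r -match '@([^>\]\s]+)' -and $Matches[1] -ne $InternalDomain) { return $true }
    }
    return $false
}

# 1. Mailbox-level forwarding (the "Email forwarding" setting in the admin center).
$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwarding set: SMTP=$($mbx.ForwardingSmtpAddress) AD=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
}

# 2. Inbox rules that forward, redirect, silently delete, or bury mail.
#    -IncludeHidden also returns rules that do not appear in Outlook's rule list.
$suspicious = Get-InboxRule -Mailbox $User -IncludeHidden | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or ($_.MoveToFolder -match 'RSS|Archive|Junk')
}
foreach ($rule in $suspicious) {
    $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
    $external = Test-ExternalRecipient ($targets | ForEach-Object { "$_" })
    Write-Warning ("Rule '{0}' enabled={1} delete={2} externalTarget={3}" -f `
        $rule.Name, $rule.Enabled, $rule.DeleteMessage, $external)
}

# 3. Who created these rules, when, and from which IP? The unified audit log records
#    rule changes and sign-ins (only if audit logging is enabled on the tenant).
$end   = Get-Date
$start = $end.AddDays(-$LookbackDays)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $User `
    -Operations New-InboxRule,Set-InboxRule,Set-Mailbox,UserLoggedIn -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
            Detail    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 4. Remediation, once you have reviewed the findings ("delete anything that shouldn't be there"):
# Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
# $suspicious | ForEach-Object { Remove-InboxRule -Mailbox $User -Identity $_.Identity -Confirm:$false }

Disconnect-ExchangeOnline -Confirm:$false
```

    Audit log entries for UserLoggedIn carry the client IP, so a rule created minutes after a sign-in from an unfamiliar address is the pattern to look for.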


    Step 5: If a file was downloaded or an attachment was opened

    This is a different situation from a credential phish. If someone opened an attachment or ran a downloaded file, you may be dealing with malware rather than (or in addition to) a stolen password.

    Isolate the machine. Disconnect it from your network — unplug the network cable, turn off Wi-Fi — before doing anything else. If ransomware is running, keeping the machine on the network lets it spread to your file server and other computers.

    Do not turn off the machine. Shutting down destroys evidence held in memory and halts processes, including any encryption in progress, that a forensic reviewer needs to observe. Leave it on but disconnected until you decide your next step.

    Call your IT person or a managed security provider. Malware incidents on a business network are outside the scope of DIY recovery for most small offices. The cost of a professional forensic review is almost always less than the cost of missing a persistent threat.


    Step 6: Notify anyone who may have been targeted next

    Phishing attackers who successfully access an email account often use it to send phishing emails to your contacts — because mail from a known address gets past spam filters and gets clicked.

    Check Sent Items for the date of the incident and several days after. If you see emails you didn’t send, notify the recipients that those messages were fraudulent and should be deleted without clicking any links.


    Step 7: Document and debrief

    Write down what happened, what you found, and what you changed. You’ll want this if you have cyber insurance (most policies require prompt reporting), if a client asks what happened, or if the same attack pattern comes back.

    The debrief is also where you decide what to change going forward. The most common gaps that make phishing attempts successful:

    • No MFA on email accounts. A stolen password alone isn’t enough to access an account if MFA is on. This is the single highest-value control for small businesses.
    • Shared passwords across accounts. One compromised credential becomes many.
    • No spam/phishing filter. Microsoft Defender for Business (included in Microsoft 365 Business Premium) and Google Workspace’s built-in filtering both catch a significant percentage of phishing attempts before they reach inboxes.

    None of these require enterprise budgets. MFA is free on every major email platform. A business password manager costs less than one hour of recovery time.


    What this doesn’t cover

    If you’re dealing with ransomware, a business email compromise fraud (someone impersonated your CEO and your accounts payable wired money), or a breach that may affect customer data, you need professional help and possibly legal counsel. This guide covers the most common small-business phishing scenario: credential theft via a fake login page.

    Frequently Asked Questions

    Should we call our IT person right away?

    If a file was opened or an attachment was run, yes — immediately. For a credential phish with no file execution, you can work through the steps above while looping them in.

    Do we need to notify customers?

    Only if their data was accessible through the compromised account. Review what the account had access to before deciding — don’t notify preemptively if the scope is unclear.

    How long do we have before the damage is done?

    Attackers who compromise an email account typically set up forwarding rules and export contacts within minutes. The first 30 minutes matter most — prioritize password change and session revocation above everything else.

  • QuickBooks Backup Verification: Ensure Data Safety

    Introduction

    Key Takeaway: Verifying your QuickBooks backup takes under 5 minutes and is the only way to confirm your financial data will be recoverable after a disaster. Do it now, before you need it.

    Backups are crucial in any business, especially when it comes to financial data. QuickBooks users must be vigilant in verifying their backup settings and processes to prevent data loss. This guide will provide step-by-step instructions on how to check QuickBooks backups and ensure your data is secure.

    Understanding QuickBooks Backups

    Before diving into verification, it’s essential to understand how QuickBooks backups work. QuickBooks automatically creates backup files at regular intervals. These files are typically stored in a designated folder on your computer or network.

    Methods to Verify QuickBooks Backups

    1. Manual Verification:
      • Access the backup folder: Locate the folder where your QuickBooks backup files are stored.
      • Check file dates: Ensure the backup files are created at the expected times.
      • Test a backup: Restore a backup file to verify its integrity.
    2. Review QuickBooks Logs:
      • Access the logs: Find the backup logs within QuickBooks.
      • Check for errors: Look for any error messages or warnings.
    3. Utilize Intuit Data Protect (IDP):
      • Check IDP settings: Verify that IDP is configured correctly.
      • Review backup history: Check the backup history for any issues.

    Best Practices for QuickBooks Backups

    • Regular backups: Schedule regular backups to minimize data loss risk.
    • Multiple backups: Store backups both locally and in the cloud.
    • Test backups: Regularly restore backups to ensure they are functional.
    • Password protection: Protect backup files with strong passwords.
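    The "check file dates" step of manual verification and the "multiple backups" practice above can be automated as a scheduled check. This is an added example, not code from the original post or from Intuit; it assumes QuickBooks Desktop writes .QBB files to the default backup folder, and the second-copy location is a placeholder you replace with your own.

```powershell
# Added example (not from the original post): a scheduled check for QuickBooks Desktop
# backup files. $OffsiteDir is a placeholder for wherever your second copy lives.
param(
    [string]$BackupDir    = 'C:\Users\Public\Documents\Intuit\QuickBooks\Backup',
    [string]$OffsiteDir   = '\\NAS\Backups\QuickBooks',  # placeholder: your second copy
    [int]$MaxAgeHours     = 26,     # daily backups plus a little slack
    [double]$MinSizeRatio = 0.5     # a backup half the size of the previous one is suspicious
)

function Test-QuickBooksBackup {
    param([string]$Dir, [string]$Offsite, [int]$MaxAgeHours, [double]$MinSizeRatio)
    $problems = @()
    $files = @(Get-ChildItem -Path $Dir -Filter '*.qbb' -File -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending)
    if ($files.Count -eq 0) { return @("No .QBB backup files found in $Dir") }

    # Check file dates: is the newest backup recent enough?
    $latest = $files[0]
    $age = (Get-Date) - $latest.LastWriteTime
    if ($age.TotalHours -gt $MaxAgeHours) {
        $problems += "Newest backup '$($latest.Name)' is $([int]$age.TotalHours) hours old (limit $MaxAgeHours)"
    }
    # A zero-byte or sharply shrunken file usually means the backup did not complete.
    if ($latest.Length -eq 0) { $problems += "Newest backup '$($latest.Name)' is empty (0 bytes)" }
    if ($files.Count -ge 2) {
        $ratio = $latest.Length / [math]::Max($files[1].Length, 1)
        if ($ratio -lt $MinSizeRatio) {
            $problems += ("Newest backup shrank to {0:P0} of the previous one; restore it to verify" -f $ratio)
        }
    }
    # Multiple backups (3-2-1): the same file must exist at the second location, byte for byte.
    $copy = Join-Path $Offsite $latest.Name
    if (-not (Test-Path $copy)) {
        $problems += "No copy of '$($latest.Name)' at $Offsite"
    } elseif ((Get-FileHash $latest.FullName).Hash -ne (Get-FileHash $copy).Hash) {
        $problems += "Copy at $Offsite does not match the local backup (hash mismatch)"
    }
    return $problems
}

$issues = @(Test-QuickBooksBackup -Dir $BackupDir -Offsite $OffsiteDir `
            -MaxAgeHours $MaxAgeHours -MinSizeRatio $MinSizeRatio)
if ($issues.Count -eq 0) {
    Write-Output "QuickBooks backup check passed"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    exit 1   # non-zero exit lets Task Scheduler or a monitoring agent raise an alert
}
```

    This checks that backup files exist, are fresh and are copied intact; it does not replace an actual test restore, which is still the only proof the file opens.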

    Conclusion

    Verifying QuickBooks backups is essential for protecting your business’s financial data. By following the methods outlined in this guide, you can ensure that your backups are working correctly and your data is safe.

    Frequently Asked Questions

    How often should I verify my QuickBooks backup?

    At minimum, verify after every major data entry session — or at least weekly. If QuickBooks handles daily transactions, run a verification daily.

    Where does QuickBooks save backup files by default?

    QuickBooks saves backups to C:\Users\Public\Documents\Intuit\QuickBooks\Backup by default. You can redirect this to a network drive or external drive in Backup Company settings.

    What is the difference between a local backup and QuickBooks Online Backup?

    A local backup writes to a drive on your network or computer. QuickBooks Online Backup (now Intuit Data Protect) sends an encrypted copy to Intuit’s servers. Best practice is both — following the 3-2-1 backup rule.