Why written IT policies matter
Most small businesses operate on informal norms: everyone knows they’re supposed to use strong passwords, not share login credentials, and not install random software, but none of it is written down. Informal norms fail in three situations: when there’s ambiguity about what is allowed, when a new employee joins who doesn’t know the norms, and when something goes wrong and you need to demonstrate that you followed reasonable security practices.
Written policies are also required by cyber insurance applications and by some client contracts in regulated industries.
The three policies most small businesses need
Acceptable Use Policy (AUP): Defines what employees can and can’t do with company-provided technology and on the company network. Cover: personal use of company devices (allowed within reason, or not allowed?), prohibited activities (downloading unauthorized software, accessing inappropriate content, using company devices for personal business), data handling basics (for example, don’t store company files on personal cloud accounts), and the consequences for violations.
Keep it one page. A 20-page AUP that nobody reads is worse than a clear one-pager that employees actually understand.
Password and Access Policy: Defines requirements for passwords and account management. Include: minimum password requirements (length, complexity), prohibition on password sharing, requirement to use the company password manager, process for requesting new application access, and what to do if a password is compromised.
Data Handling and Classification Policy: Defines what types of data your business handles and how each type must be stored and shared. At minimum, distinguish three classes: public information (fine to share), internal information (share internally, not externally), and confidential information (customer data, financial records, personnel files), for which both access and transmission must be restricted.
Making policies stick
A policy nobody has read doesn’t protect you. Three practices that help:
- Have every employee sign an acknowledgment when hired and when policies are updated.
- Cover the key policies in new employee onboarding: 15 minutes, not a lecture.
- Reference the relevant policy when correcting behavior, rather than treating it as a personal issue.