How to Write an Acceptable Use Policy for Your Small Business

Jeremy Phillips · February 4, 2026 · 6 min read · beginner

An acceptable use policy (AUP) defines how employees can and cannot use company technology, including computers, email, internet access, and software. It sounds like a formality, but having a written policy protects your business legally, supports your cyber insurance, and sets clear expectations so employees know the rules before they break them. This guide walks you through what to include, how to write it in plain language, and how to make sure it actually gets followed.

Why You Need One

The most common reason small businesses finally write an AUP is because a cyber insurance application asks for one. Underwriters want to see that you have documented IT policies. Not having one can mean higher premiums or, worse, a denied claim after an incident because you couldn't demonstrate that employees were trained on acceptable use.

Beyond insurance, a written policy gives you a basis for addressing misuse of company technology. Without one, it's difficult to take action when someone installs unauthorized software, stores client data on a personal Dropbox account, or clicks a phishing link they should have recognized. You can't enforce rules that don't exist in writing.

Compliance frameworks like HIPAA, PCI, and the CIS Controls all require documented acceptable use policies. Even if your industry isn't formally regulated, following these frameworks strengthens your security posture and demonstrates due diligence.

A clear policy also prevents misunderstandings. When everyone knows the expectations, there are fewer awkward conversations and fewer gray areas. New hires read it during onboarding, sign an acknowledgment, and start day one with a clear understanding of what's expected.

What to Include

Scope

Start by defining who the policy applies to and what it covers. The policy should apply to all employees, contractors, interns, and anyone else who uses company technology. It should cover company-owned computers, phones, email accounts, internet access, software, cloud accounts, and network resources.

If your business allows employees to use personal devices for work (a BYOD arrangement), the policy should explicitly address that. State what rules apply to personal devices when they're used to access company email, files, or applications. For example, personal devices used for work should have a screen lock enabled, be running a current operating system, and not store company data locally.

Acceptable Use

State clearly that company technology is provided for business purposes. Reasonable personal use is fine, such as checking personal email during a break or browsing the web at lunch, as long as it does not interfere with work, violate any other part of the policy, or create security risks.

Employees are responsible for the security of their accounts and devices. That means locking their computer when they step away (Windows key + L is the fastest way), not leaving their laptop unattended in a coffee shop, and reporting anything suspicious to IT immediately.

Software should only be installed with IT approval. This prevents malware infections from sketchy downloads and avoids software licensing violations that could expose your business to legal liability. If your business manages devices through Microsoft Intune, you can enforce this technically by restricting which applications users can install, but the policy should state the rule in writing regardless.

Prohibited Use

Be specific about what's not allowed. Employees should not use company systems for illegal activity, access or distribute inappropriate or discriminatory content, install unauthorized software or browser extensions, or share passwords with anyone, including coworkers.

Connecting unauthorized personal devices to the business network is prohibited. This includes personal laptops, USB drives, and IoT devices. Each unauthorized device is a potential entry point for malware or data exfiltration.

Storing company data on personal cloud accounts (personal Google Drive, Dropbox, iCloud) is not allowed. Company data belongs on company-approved systems like OneDrive, SharePoint, or your line-of-business applications. This isn't about being controlling; it's about knowing where your data lives so you can protect it and recover it if something goes wrong.

Employees should not circumvent security controls. That means no disabling antivirus, no using unauthorized VPN services, and no attempting to bypass Conditional Access policies or web filtering. These controls exist to protect the entire organization, and one person bypassing them creates risk for everyone.

Using company email for personal business ventures or side projects is prohibited.

Email and Communication

Business email is for business communication. State this plainly and then address the practical details.

Employees should not open suspicious attachments or click links in emails they weren't expecting. Security awareness training, which tools like Huntress include alongside their managed EDR platform, teaches employees to recognize phishing attempts, but the policy should still state the expectation clearly.

Confidential information should not be sent via personal email accounts. If a client sends sensitive information, it stays in the company email system. Company email may be monitored for security purposes. State this directly so there are no surprises. Email signatures should follow the company standard template.

Internet Use

Internet access is provided for business purposes, and reasonable personal use is acceptable. Keep this section practical rather than heavy-handed.

Employees should not access illegal, inappropriate, or high-risk websites on company devices. They should not download files from untrusted sources. Streaming services like Netflix or Spotify are fine during breaks, but they should not be used in a way that degrades network performance for others, particularly during business hours when video calls and cloud applications need bandwidth.

Data and Confidentiality

Company data must be stored on company-approved systems. For most businesses using Microsoft 365, that means OneDrive for personal work files and SharePoint for shared team files. Be specific about where data should and should not live.

Employees should not transfer company data to personal devices or accounts. Confidential client information must be handled according to applicable regulations. If your business handles protected health information, financial data, or legal records, reference the specific requirements here or point to a separate data handling policy.

Require employees to report any suspected data breach or loss immediately. The faster you know about a potential incident, the faster you can contain it.

Security Responsibilities

This section covers the day-to-day security habits you expect from every employee.

Lock your computer when stepping away from your desk. Use the company password manager, such as 1Password, for all business accounts. Never reuse passwords across accounts, and never store passwords in a browser, a spreadsheet, or a sticky note. 1Password generates strong, unique passwords for every account and stores them securely, so employees don't need to memorize anything.

Enable multi-factor authentication on all accounts that support it. Report suspicious emails, messages, or activity to IT immediately. Do not share credentials with anyone for any reason, including coworkers and managers. Complete security awareness training as assigned.

Consequences of Policy Violation

State clearly that violations may result in disciplinary action, up to and including termination. Severe violations, such as data theft or illegal activity, may result in legal action. The company reserves the right to monitor and audit the use of company technology.

Keep this section straightforward and factual. The goal is not to threaten employees but to make clear that the policy has teeth and that compliance is not optional.

Keeping the Policy Effective

A 20-page policy that nobody reads is worse than useless. It creates a false sense of security while providing no actual protection. Keep your AUP to 2 to 4 pages maximum.

Write in plain language, not legalese. If an employee needs a lawyer to understand the policy, it's too complicated. Use short sentences, clear prohibitions, and concrete examples.

Have every employee sign an acknowledgment during onboarding. Store the signed acknowledgments in your HR files. This is the proof that the employee read and understood the policy, and it's the documentation your cyber insurer will want to see if you ever file a claim.

Review and update the policy annually, or whenever major changes occur. New remote work arrangements, new compliance requirements, or a shift from in-office to hybrid work all warrant a policy update. When you update it, have employees re-sign the acknowledgment.

Make the policy accessible. Store it somewhere employees can find it without asking, such as a SharePoint site or the company handbook. If people can't find the policy, they can't follow it.

Need Help?

Writing an acceptable use policy doesn't have to be complicated, but it does need to be done right. If you want help drafting or reviewing your AUP, contact Athencia. We help small businesses put practical IT policies in place.
