IT Policies for Small Business


Many small businesses do not have any IT policies in place. A good way to go about getting organized is to prepare a binder of information relating to your use of technology and other information.

Accounts and Passwords

It is imperative that you keep track of all of your usernames and passwords.

You should also keep track of who has access to what passwords. Keep a list of passwords that are given to employees.

In the event that an employee is terminated, especially under bad terms, you need to be able to change the passwords they had access to so they cannot go in and mess things up.

Upon terminating an employee, their access to various services should be immediately revoked.


Maintaining good backups of your files and data is essential. You should keep a log of when backups are made, what media they are stored on and where they are kept.

Most people are good about backing up their accounting data. After they do their bookkeeping for the week they are trained by their accountants to make a backup immediately. Other important files are often neglected.

Off-site backups are perhaps the most important. If a fire, flood or some other natural disaster affects your business you need to have a copy of your data off-site. If your office burns down and your backups are sitting in a drawer, you are out of luck.

One out-of-date, off-site backup is better than none. So, consider buying an extra hard drive or two for storage away from your business.

If you do not have sufficient and off-site backups, a disaster can leave your business shut down.

Use of Company-Owned Email Address

If an employee is using email to communicate with your clients, they should be using an email address at your domain name. They should not be using their personal email account.

In the event an employee is terminated, you should have the option to redirect the email being sent to their company address to either yourself or whoever else you designate in the company.

An employee will always be able to try to steal your customers or solicit them after they leave your business, but a strict policy of using company-owned email accounts can help to minimize the problem.

Acceptable Use Policy

Almost any large corporation or school requires an individual to sign an acceptable use policy before using the network or computers owned by the organization.

Whether you want to construct a legal document for employees to sign is up to you.

At the very least, employees should be instructed as to your requirements for how company software and computers are used.

  • Can people use your paper, printers and ink to print out things unrelated to work?
  • Can people check their personal email accounts and personal Facebook accounts while at work?
  • Are employees allowed to install software that you have not specifically approved? How would you feel about them installing a game and playing it while they are on the clock?
  • Can they use your internet connection to download movies and music, potentially making you liable for copyright violations?
  • Are employees allowed to take home a copy of your customer list?

There are formal measures of control that can be technically applied to restrict usage of machines. In a small business situation it may be enough to let your employees know what you expect from them and to explicitly state what they are allowed to do with your machines and your network.

Security and Maintenance of Machines

Computers should generally be kept up to date with the latest security patches offered. Anti-virus software should be present on most machines as well. If you do not have professional IT staff or consultants that routinely monitor and maintain your machines, you should make it the personal responsibility of your staff to make sure that their work computers are updated.

You should go around and check every machine once a month at the very least. Allowing the operating system and your anti-virus software to perform updates automatically can make the job much easier, though you still need to remember to renew your anti-virus subscriptions.

Retention of Data

In certain industries there are regulatory requirements for retention of data and emails. It is a good idea to keep copies of your old information.

Businesses are required to keep tax information for a number of years.

Scanning and shredding old documents is a great way to save space and still keep the records that are required. You can purchase a document scanner for a couple hundred dollars and turn boxes of old records into one disc. Keeping files in a digital format also makes it easier to keep a copy off-site in case of a natural disaster or other force majeure.

Another good example is video surveillance information. Imagine that you own a bar and you hear that one of your bartenders has been stealing from you. If you only keep your video for a few days then you may not be able to catch them in the act. If you have months of tapes to review you may have the video evidence you need to confirm your suspicions.

The point is that you need to make sure that the data your business generates is retained as long as required by law and for your own purposes.

Software Licensing

Using software without proper licenses can leave you liable. Do not install or use commercial software that you have not paid for. Proper documentation, including receipts, needs to be kept showing when software was purchased and how many licenses were purchased.

Do not let your employees install arbitrary software without your specific approval.

Many people will think along the lines of, "I only use Adobe Photoshop once a year, so why should I pay $500 for it?" Using pirated software is illegal and there are often free alternatives available.

At the very least you should keep a record of the serial numbers and the original install disks in a secure location.


Developing formal policies can require considerable effort. The areas mentioned in this article are by no means comprehensive. If you run a business, you should be aware of these issues and take measures to address them.

About the author

Bob Lindquist is an expert consultant with extensive experience building web sites and databases and performing internet marketing work for his clients. He has over 20 years of experience working with clients from a wide variety of industries along with a degree in Computer Science. Bob is a professional member of the Association for Computing Machinery.

In his free time, Bob is a volunteer Firefighter / EMT and has served on the boards of several not-for-profit groups.

If you are interested in talking about a potential project, use the contact form on