Running a business without documented IT policies is a bit like driving without insurance. Most of the time nothing happens. But when something does, you quickly discover how exposed you were.
IT policies have a reputation for being dry, legalistic documents that only large enterprises bother with. That reputation has put a lot of small and mid-sized businesses off creating them. The result is that staff are using company systems, devices, and data without any clear boundaries in place — and the business has no recourse when something goes wrong.
This post covers the core policies every SME should have written down, what each one should contain, and the specific risk you are carrying without them.
Why Policies Matter More Than You Think
Before getting into each one, it is worth addressing the common pushback: we are small, everyone knows what is expected, we do not need formal documents.
The issue is that “everyone knows” only holds up until someone leaves, someone new joins, or something goes wrong. When a staff member takes client data to a competitor, uses a personal AI tool to process sensitive business information, or leaves without returning a company laptop, a verbal understanding is worth nothing. A signed, documented policy is.
Policies also matter for cyber insurance. Insurers are increasingly asking for evidence of documented controls before agreeing to pay out on claims. An Acceptable Use Policy, a Password Policy, and a formal security framework can make the difference between a claim being honoured and being rejected.
And they matter for compliance. Under UK GDPR, you are responsible for demonstrating how your organisation handles personal data. Having documented policies is part of that demonstration. The ICO does not accept “we had a chat about it” as evidence.
1. Acceptable Use Policy
The Acceptable Use Policy is the foundation. It sets out what staff can and cannot do with company IT systems — computers, phones, email, the internet, cloud tools, everything.
What it should cover:
- What constitutes acceptable use of company devices and internet access
- What is prohibited — personal use limits, inappropriate content, illegal activity
- Rules around company email — not to be used for personal accounts, not to be forwarded to personal accounts, not to be used to make derogatory comments about clients or colleagues
- Software installation — staff should not install unapproved software on company devices
- Remote access rules — VPN requirements, restrictions on using public Wi-Fi without protection
- Monitoring — staff should be informed that company systems may be monitored
- The consequences of breaching the policy
Without an AUP, you have no formal basis for disciplinary action if a staff member misuses a company system. You also have no documented evidence that staff were made aware of the rules — which matters significantly if a breach results in a GDPR investigation or an employment tribunal.
2. AI Usage Policy
This one is relatively new but has rapidly become essential. AI tools — ChatGPT, Microsoft Copilot, Gemini, and dozens of others — are now in daily use across most businesses, often without any formal guidance from the organisation.
The risk is that staff are feeding sensitive business information into external AI platforms without understanding where that data goes or how it is processed. Client names, financial figures, employee information, commercially sensitive details — all of it can end up in a system the business has no control over.
What it should cover:
- Which AI tools are approved for use and in what context
- What categories of information must never be entered into any AI tool — client personal data, financial information, employee HR data, confidential or commercially sensitive content
- The distinction between approved business-grade AI (such as Microsoft Copilot within an M365 tenant, which keeps data within your environment) and consumer-grade tools (free web versions, personal accounts)
- Whether AI-generated content used in client-facing work needs to be disclosed
- The consequences of breaching the policy
If your business has no AI policy, the probability that someone has already entered sensitive information into a consumer AI tool is high. The policy does not prevent staff from using AI — it directs their use into safer, approved tools and sets clear limits on what data should never be shared.
3. IT Equipment Policy
This policy covers the physical and practical side of company IT — who gets what, what condition devices need to be maintained in, and what happens when staff leave or equipment goes missing.
What it should cover:
- What equipment the company provides and to whom
- Staff responsibilities for looking after company equipment — reporting damage promptly, not leaving devices unattended, locking screens when away from a desk
- Whether personal use of company devices is permitted and to what extent
- What to do if equipment is lost or stolen — who to contact and how quickly
- The process for returning equipment when employment ends
- Whether equipment can be taken abroad and under what conditions
- Remote wipe — staff should be made explicitly aware that company devices may be remotely wiped if lost or when employment ends
Without an IT Equipment Policy, you have no formal basis for recovering devices from a leaver or taking action if company property is damaged through negligence. You also have no documented procedure for the critical step of remotely wiping a device that has gone missing.
4. BYOD Policy (Bring Your Own Device)
Many SMEs allow — or simply tolerate — staff using personal devices to access company systems. Whether that is checking work email on a personal phone or accessing SharePoint from a home laptop, it creates a data risk that an IT Equipment Policy alone does not cover.
What it should cover:
- Whether BYOD is formally permitted — the policy should either allow it with conditions or prohibit it entirely; there should be no grey area
- If permitted: which company systems can be accessed from personal devices
- Minimum security requirements for personal devices used for work — screen lock, current operating system, approved apps only
- Whether the company has the right to remotely wipe company data from a personal device if it is lost or when the employee leaves — this needs to be agreed explicitly before it is ever needed
- What happens to company data on a personal device when employment ends
- Prohibited actions — personal devices should access company data through approved cloud systems only and must not store it locally
The risk of not addressing this is significant. A staff member’s personal phone goes missing and company data is on it. A former employee retains access to company email through a personal device because access was never formally revoked. A documented BYOD policy creates the framework to manage both situations.
5. Remote Working Policy
Remote and hybrid working is now standard for a significant proportion of SME staff. The security challenges it creates are equally standard. The policies to address those challenges usually are not.
What it should cover:
- Security requirements for the home working environment — keeping the router firmware up to date, using a VPN where required, ensuring screens cannot be seen by others in shared spaces
- Which systems can and cannot be accessed remotely
- Rules on working from public places — coffee shops, airports, trains — and the precautions required (VPN active, screen not visible to others, devices never left unattended)
- Printing and physical documents — company documents should not be printed at home unless necessary and must be disposed of securely
- Incident reporting — what to do if a security incident occurs while working remotely, and who to contact
- What to do if personal and work use of a home device creates a conflict
Without a Remote Working Policy, staff are connecting to your systems from environments you have no visibility into. When something goes wrong, you have no documented standard that was in place and no basis for demonstrating that reasonable precautions were required.
6. Password and Access Policy
Password hygiene is one of the most consistently overlooked areas of business security, despite being one of the most straightforward to address. A Password and Access Policy sets the standards your organisation operates to.
What it should cover:
- Minimum password length requirements — the NCSC now recommends length over complexity; a long passphrase is more secure than a short string of random characters
- Prohibition on password reuse, particularly between work and personal accounts
- The requirement to use a password manager for all work accounts
- Multi-factor authentication — which systems require it (the answer should be all of them, without exception)
- Rules on sharing passwords — they should not be shared, and shared accounts should be replaced with individual access where possible
- Admin accounts — privileged accounts should be separate from day-to-day user accounts
- What to do if a password is suspected to have been compromised
- Leavers — access must be revoked on the final day of employment, not when someone gets around to it
Compromised credentials remain one of the leading causes of business account breaches. A documented policy sets the expectation. Pairing it with a password manager and enforced MFA makes that expectation achievable rather than aspirational.
7. Data Retention and Disposal Policy
How long do you keep data? Where is it stored? What happens when it is no longer needed? These questions are directly relevant to UK GDPR, and most SMEs cannot answer them with any confidence.
What it should cover:
- What categories of data the business holds and how long each should be retained
- Where data is stored — cloud platforms, local servers, staff devices, physical files
- The process for securely deleting data when retention periods have passed
- How physical documents containing personal data must be disposed of — cross-cut shredding, not the general office bin
- How devices must be wiped or destroyed when decommissioned — this includes old phones, laptops, and USB drives, not just servers
- Email — inboxes accumulate years of personal data; there should be a documented approach to managing and clearing them periodically
Holding data longer than necessary is a UK GDPR compliance issue. Disposing of it carelessly is equally problematic. A documented policy demonstrates that your business has considered both and has a defined approach to each.
8. IT Joiners and Leavers Process
Strictly speaking, this is a process document rather than a policy, but it belongs alongside the others because the risks of not having it are just as real.
When someone new joins, there should be a documented checklist: which accounts to create, what access to grant, what equipment to issue, and which policies to issue and obtain a signature on.
When someone leaves, the same checklist runs in reverse: accounts to disable, access to revoke, equipment to recover, and company data to account for. That checklist should be unambiguous — access is revoked on the last day of employment, not after a period of grace, not when someone gets around to it, and not conditional on whether the departure was amicable.
The risks of getting this wrong are considerable. Disgruntled leavers who retain access to email or cloud systems can extract data, delete files, or simply read things they should no longer have sight of. Former staff who were never removed from admin accounts represent an ongoing security exposure. Equipment that is not recovered is a data breach waiting to happen.
A straightforward, documented joiners and leavers process eliminates most of this risk at almost no cost.
Getting These in Place
Most SMEs do not have these policies because no one has had the time to write them — not because the need is not recognised. They do not need to be lengthy documents. They do not need legal sign-off for a business of ten or fifteen people. But they do need to exist, be issued to staff, be signed, and be reviewed at least annually.
We offer pre-built policy packs for SMEs — a complete set covering everything in this post, written in plain English, and ready to customise with your company details. No legal jargon. No documents that run to forty pages and get filed and forgotten.
If you would prefer a conversation about what your specific business needs, or if you want someone to review what you already have in place, get in touch. We are happy to point you in the right direction.