IT Policies and Procedures: 9 Critical Rules Every Small Business Must Have
Small businesses have real cybersecurity problems. But in many cases, the root cause is not a technical failure. It is a policy failure. The breach, the data leak, the ex-employee walking out with client files? Those situations rarely trace back to someone cracking a firewall. They trace back to nobody ever writing down the rules.
If you’re running a business with 5 to 50 employees, this guide is for you. Not the theoretical, enterprise version of IT policies and procedures. The real, practical version that addresses what we actually see going wrong when we start working with a new client in Kansas City.
A quick note before we dive in: This article is written from an IT perspective, based on what we see in the field every day. It is not legal or HR advice. The examples below are meant to illustrate what good IT policies and procedures look like in practice, not to serve as legally binding documents. Every business is different, and what is actually enforceable in your organization will depend on your industry, your state, and how your policies are implemented. Our recommendation: work with three people when building out your policies. A qualified attorney, an HR professional, and an IT partner who understands how your business actually uses technology day to day. That last part is where we come in. We’d be glad to help.
What Are IT Policies and Procedures?
Before we get into the specifics, let’s clear up the difference between the two. They’re not the same thing, and treating them as interchangeable is one of the first places businesses go wrong.
IT policies are the rules. They answer: what are we allowed to do? A password policy, a BYOD policy, an acceptable use policy: these set expectations and standards across your organization. Policies tell people what the boundaries are.
IT procedures are the how. They answer: how do we actually do this? A procedure for onboarding a new employee, offboarding a departing one, or responding to a suspected breach: these are the step-by-step playbooks that make policies executable.
You need both. Policies without procedures are just good intentions. Procedures without policies lack the authority to be enforced. Together, they create a framework that protects your business and gives your team clear expectations.
Why IT Policies Matter More Than Most Small Businesses Realize
It’s easy to think IT policies and procedures are something large enterprises worry about. They’re not.
Small and mid-sized businesses are increasingly targeted precisely because attackers know their defenses tend to be informal. A single employee plugging a personal device into the company network, or pasting client data into a free AI tool, can create the same exposure as a misconfigured enterprise system. The difference is that small businesses rarely have the resources to detect or respond to it.
The cost of getting this wrong is real. According to Verizon’s 2024 Data Breach Investigations Report, 68% of breaches involve a non-malicious human element: someone making an avoidable mistake. Most of those mistakes can be prevented with clear policies and basic training.
The Three IT Policy Gaps We See Most Often
After working with dozens of small businesses across Kansas City, the same IT policies and procedures gaps show up over and over. Here’s what they are and why they matter.
1. No BYOD Policy (Bring Your Own Device)
When a company is getting started, the instinct is to move fast. Employees use their personal phones, personal laptops, whatever gets the job done. Nobody stops to ask: what happens to company data on that personal device?
Here’s the reality. That employee’s personal laptop might be running outdated software. It might be shared with a family member. It might be loaded with consumer apps that have weak security or that quietly sync data to personal cloud accounts. And your company’s intellectual property (client lists, proposals, financial records, contracts) is now sitting on it.
When that employee leaves, or their device gets lost or stolen, your data goes with it. You have no ability to remotely wipe a personal device you don’t manage. You may not even know what was on it.
The numbers back this up: according to JumpCloud’s 2024 SME IT Trends report, more than 90% of security incidents involving lost or stolen devices resulted in an unauthorized data breach. And nearly 48% of organizations have experienced a breach directly linked to an unsecured personal device.
What a BYOD policy should cover:
- Which personal devices are permitted to access company systems
- Minimum security requirements (screen lock, device encryption, up-to-date OS)
- Whether IT can install device management software (MDM) on personal devices
- What happens to company data when an employee leaves or a device is lost
- Which company applications can and cannot be accessed from personal devices
A BYOD policy doesn’t mean banning personal devices across the board. But we do have a strong opinion here: when it comes to laptops and desktops, company-owned devices are non-negotiable. A personal laptop is a personal laptop. You can’t fully control what else is on it, how it’s configured, or what happens to it after someone leaves. For those devices, the risk simply isn’t worth it.
Mobile phones and tablets are a different conversation, and a well-written BYOD policy can manage that risk reasonably well. But for anything where an employee is doing substantive work with company data, our recommendation is always to provide the device. It protects the business, it protects the employee, and it makes offboarding infinitely cleaner.
Where BYOD does apply, define the rules before the situation forces you to make decisions in a crisis.
Example BYOD policy language (for illustration only, not legal advice):
“Employees who use personal devices to access company systems must register their device with IT, enable full-disk encryption, and use a company-approved password manager. The company reserves the right to remotely wipe company data from registered devices in the event of loss, theft, or employment termination. Employees should not store company data in personal cloud accounts including personal Google Drive, Dropbox, or iCloud.”
2. No Shadow IT / Acceptable Use Policy (The Dropbox Problem)
The most common version we see: an employee needs to share a large file. They sign up for a free Dropbox account, share a folder with a client or contractor, and move on. Nobody thinks much of it.
But that Dropbox account belongs to the employee, not the company. When they leave, whether on good terms or bad, they still have access to whatever was in that folder. The files live outside your company’s control. You can’t revoke access, audit activity, or even know what was shared.
The same problem applies to any unauthorized tool: personal Gmail used for work emails, a free project management app a team adopted on their own, a personal Google Drive full of company documents. Research shows that one in ten companies has suffered a data breach directly linked to shadow IT, and the problem is growing as the number of available tools expands.
An acceptable use or shadow IT policy defines what tools are approved, how data should be shared, and what employees should do when they need a tool that isn’t on the list. It’s not about being restrictive. It’s about making sure company data stays in places the company actually controls.
What a shadow IT / acceptable use policy should cover:
- Approved tools for file sharing, communication, and project management
- The process for requesting approval of a new tool
- Prohibition on using personal accounts for work data
- Consequences of using unapproved tools with company data
- What happens to data in unauthorized tools when an employee leaves
Example acceptable use policy language (for illustration only, not legal advice):
“Employees must use only company-approved tools for storing, sharing, or transmitting company data. Approved file sharing platforms include [Company Name]’s Microsoft 365 environment. Use of personal Dropbox, Google Drive, or other personal cloud storage accounts for company files is prohibited. Employees who identify a need for a new tool should submit a request to IT for evaluation before use.”
For a deeper look at how to approach security tools and frameworks, see our guide to cybersecurity frameworks for small businesses.
3. No AI Policy
Three-quarters of workers were using AI tools at work in 2024, according to Microsoft’s Work Trend Index. But only 44% of US businesses have any formal policy governing how staff use AI tools, according to research from Deel. The gap is widest at small businesses.
Here’s what’s happening right now at companies without an AI policy: employees are using ChatGPT, Gemini, Claude, Copilot, and dozens of other tools to do their jobs faster. That’s generally a good thing. The problem is what they’re putting into those tools.
Your marketing manager pastes a client proposal into a public AI tool to clean up the language. Your accountant uploads financial projections to get help with formulas. Your HR person asks an AI to summarize employee reviews. None of them think they’re doing anything wrong. They’re just trying to work smarter.
But research from 2025 shows that sensitive data makes up 34.8% of employee inputs into public AI tools, up from just 11% in 2023. Depending on the tool and its settings, data entered into a public AI assistant may be stored, used for model training, or accessible to the vendor in ways your business hasn’t consented to.
For businesses in regulated industries like healthcare, finance, and legal services, this isn’t a hypothetical concern; it’s a compliance issue. IBM research found that 20% of global organizations suffered a data breach in the past year due to shadow AI, meaning employees using unapproved AI tools without IT oversight.
What an AI policy should cover:
- Which AI tools are approved for business use (and which are prohibited)
- What categories of data may not be entered into AI tools (client PII, financial data, passwords, proprietary information)
- Whether employees should use personal AI accounts or company-provisioned ones
- Who owns work product created with AI assistance
- How to handle AI-generated content before publishing or sharing externally
Example AI policy language (for illustration only, not legal advice):
“Employees may use company-approved AI tools for productivity purposes. Approved tools include [list]. Employees must not enter client names, financial data, personal identifying information, passwords, or proprietary business information into any AI tool, approved or otherwise. Content generated by AI tools must be reviewed by a human employee before external distribution. Use of personal AI accounts for work tasks is prohibited.”
For more on the AI tools available to small businesses, see our overview of useful AI tools for small business.
The Full Set: Essential IT Policies Every Small Business Should Have
Beyond the three critical gaps above, here are the foundational policies that should be in place at any organization.
Password and Authentication Policy
Defines requirements for password complexity, the use of password managers, and multi-factor authentication (MFA). If you implement only one policy from this entire list, make it MFA. It stops the vast majority of account takeover attacks dead in their tracks.
This policy should cover: minimum password length and complexity, prohibition on password reuse, use of a company-approved password manager, and mandatory MFA on all company systems and email accounts.
For more on safe credential sharing practices, see our guide on how to share passwords securely.
Example language (for illustration only, not legal advice):
“All employees must use unique passwords of at least 14 characters for company accounts. Passwords must be stored in the company-approved password manager. Multi-factor authentication is required on all company email, cloud, and financial systems. Sharing of passwords between employees is prohibited except through the approved password manager’s secure sharing feature.”
Data Protection and Classification Policy
Defines what kinds of data your business handles, how sensitive each type is, and how each should be stored and shared. Not all data deserves the same level of protection. A client’s personal information requires different handling than a marketing asset.
Common classification tiers include: Public (can be shared freely), Internal (for employees only), Confidential (restricted access, must be encrypted), and Restricted (highest sensitivity, limited to specific roles).
Remote Work Policy
Covers expectations for employees working outside the office. This has become one of the most important policies for any business with hybrid or remote staff, and one of the most commonly missing.
Key elements: prohibition on using public Wi-Fi without a VPN, requirements for home network security, expectations for physical security of devices and work materials, and guidelines for video calls in non-private settings. See our overview of how managed IT services support remote and hybrid workforces for more context.
Incident Response Policy
What happens when something goes wrong? Who gets notified first? Who makes decisions? How is the incident documented?
A basic incident response plan means that the first time you face a ransomware attack or a suspected breach, you’re not improvising under pressure. For a real-world look at what incident response looks like without a plan, and with one, see our real-life ransomware battle story.
Key elements: what constitutes a reportable incident, who to notify internally and externally, steps for containment, and documentation requirements.
Software and Patch Management Policy
Defines who is responsible for keeping devices updated and how quickly critical patches must be applied after release. Outdated software is one of the most common entry points for attackers, and one of the most preventable.
Offboarding Policy
One of the most overlooked, and one of the most important.
When an employee leaves, how quickly are their accounts disabled? Who is responsible for revoking access to every tool they used, including any shadow IT they may have set up? What happens to company data on their device?
This is where the Dropbox problem becomes critical. Without a documented offboarding checklist that covers every tool and account, data walks out the door. We’ve seen it happen. See our deeper guide to cybersecurity and access management for more on why access control matters at every stage of employment.
What Makes IT Policies and Procedures Actually Work
Keep it readable. If your password policy reads like a legal contract, nobody will read it. Write in plain language. Short sentences. Clear expectations. The goal is understanding, not comprehensiveness.
Make it accessible. Policies that live in a shared drive nobody opens don’t get followed. Put them somewhere employees encounter regularly: your intranet, your onboarding checklist, your company handbook.
Train people on it. A policy announcement is not training. Walk employees through what the policies mean for their actual day-to-day work. Give real examples. Answer questions. Consider annual refreshers, especially as policies get updated. For guidance on how often to train employees on security topics, see our guide on cybersecurity awareness training.
Review it at least once a year. The AI policy didn’t exist three years ago. Your remote work policy from 2019 may not reflect how your business actually operates. Technology changes fast. Your policies need to keep up.
Enforce it consistently. Policies that get selectively enforced lose their credibility quickly. If the rules apply to everyone, apply them to everyone, including leadership.
IT Policies and Procedures Examples: What These Look Like in Practice
To give you a concrete sense of what well-written IT policies look like, here are a few reliable external resources with templates and examples:
- Smartsheet’s free IT policy and procedure templates: downloadable Word templates covering a range of policy types
- PDQ’s IT policy writing guide: practical breakdown of what to include and common mistakes to avoid
- Deel’s IT policy template guide: covers remote and hybrid workforce considerations
Use these as starting points, not finished products. Every business is different, and your policies should reflect your specific tools, your team, and your industry’s requirements. We strongly recommend having an attorney review any final policy documents before they go into effect.
Getting Started: A Practical First Step
If you’re reading this and realizing your IT policies and procedures have most of these gaps, don’t try to fix everything at once. Here’s a practical approach:
- Do a quick audit. Which of the policies above do you have? Which are missing entirely? Be honest.
- Start with the highest-risk gaps. For most small businesses, that means BYOD, shadow IT, and offboarding, in that order.
- Draft simple, one-page policies first. They don’t need to be perfect. A clear, readable one-pager beats a comprehensive document nobody reads.
- Communicate and train. Announce the new policies, explain why they matter, and give people a chance to ask questions.
- Build annual review into your calendar. Set a recurring reminder. Policies that don’t get reviewed get stale.
How Lockbaud Can Help
At Lockbaud, we work with small and mid-sized businesses across Kansas City to build IT infrastructure that’s actually secure, not just on paper. We’re not a law firm or an HR consultancy, but we are the team that walks into your business, learns how you actually work, and helps you put practical IT policies in place that your team will actually follow.
If your business is running without formal IT policies and procedures, or you’re not confident your current policies cover the gaps above, we’d be glad to take a look.
This article is intended for informational purposes only and reflects general IT best practices as observed by Lockbaud’s team. It does not constitute legal, HR, or compliance advice. Policy requirements vary by industry, state, and business size. Please consult a qualified attorney or HR professional before implementing formal policies in your organization.