Six IT Policies Every Professional Services Business Should Have Written Down
Your practice manager briefs a new staff member on their first day. She covers the usual things - client confidentiality, timesheets, where to find the kitchen. What she does not cover is what the new person should do with their personal phone at work, whether it is okay to use their Gmail account for client files, or what counts as an acceptable password. Three months later, a client record turns up in a personal Dropbox folder and nobody is quite sure whose fault it is.
This is how IT problems start in most small professional services businesses. Not through sophisticated attacks, but through gaps nobody thought to address. Staff are not trying to cause problems. They simply do what seems reasonable in the absence of clear guidance. Without written policies, you have no consistent standard and, if something goes wrong, no documented baseline to point to. Under the NZ Privacy Act 2020, your business is expected to take reasonable steps to protect personal information. An undocumented approach is a hard thing to defend.
The good news is that you do not need a 40-page IT manual. Six focused policies cover most of what a practice your size needs.
A password policy is the first one to get right. It should tell staff how to create a strong password, where it is acceptable to store one, and whether multi-factor authentication - a second confirmation step when logging in - is required. Compromised passwords are consistently the leading cause of data breaches, and a clear policy removes a lot of the guesswork.
An acceptable use policy sits above the others and covers how staff should use company devices and data day to day. This includes keeping software updated, where devices can and cannot be taken, and how client data should be stored and handled. If your team works remotely, it should also address whether family members can use work devices - a question that rarely comes up until it already has.
A cloud and app use policy matters more than most business owners realise. Staff often use personal tools like Google Drive, WhatsApp, or free file-sharing apps for work tasks because nobody told them not to. That creates what IT people call shadow IT - business data sitting in applications your practice has no visibility into and no control over. A simple policy listing approved tools, and requiring staff to check before using something new, closes most of that risk.
If staff use their personal phones for work - taking client calls, reading emails, accessing practice systems - a bring-your-own-device policy sets the rules. It should cover what security settings are required on personal devices used for work, and whether the practice contributes to the phone bill. Leaving this undocumented creates both a security gap and an expectation gap.
A Wi-Fi use policy addresses what happens when staff work from a café, airport, or client site. Public Wi-Fi is not secure, and logging into practice systems over an unprotected connection can expose credentials. The policy should require the use of a VPN - a secure, encrypted connection that protects data in transit - whenever staff are not on a trusted network.
Finally, a social media policy does not have to be restrictive. It just needs to be clear. When is personal social media use acceptable during work hours? What can staff say publicly about the practice or clients? Are there areas of your premises that should not appear in photos posted online? A short, plainly worded policy answers those questions before they become an issue.
Getting these policies written, communicated, and kept up to date is not something most practice managers have time to do alone. A managed IT provider can document these policies for you, make sure they reflect how your business actually operates, and review them when your tools or team change. If you want to understand where your current setup sits, managed IT support for professional services businesses is a good place to start.
ITstuffed works with professional services businesses across Canterbury to get the basics right. A 15-minute IT Fit Check is a good way to find out where the gaps are.