Which electronic communications do you have to consider for such a policy? Email? Social Media posts? VoIP calls? Texting? Chatbot conversations? WhatsApp?
The answer is: All of them.
An Electronic Communication Policy (ECP) is a comprehensive document that clearly expresses your plan and its repercussions. Here is what you need to know to get started.
Eight ECP Must-Have Elements
- Establish proper usage rules.
Employees must know that all electronic communications, even encrypted ones, are neither confidential nor necessarily secure. Therefore, they must keep messaging professional on every medium. You must also state how much personal use and dialog will be tolerated. For example, eliminating all personal texting is probably not realistic or enforceable. However, if you provide each employee with a company phone, you may be able to limit the amount of texting, and the company will be able to see the conversation thread. These rules must include disciplinary actions for violations.
- Conduct regular training on phishing methods.
Help your workforce identify suspicious communications and remind them to report anything suspicious. This training needs to occur monthly or quarterly.
- Know your regulations.
If you work in healthcare, you must follow the HIPAA Security Rule standards. If you work in finance, FINRA sets requirements for how long digital communications must be retained. The Department of Justice has its own requirements. The point is, be sure to know the requisites for your field.
- Ensure your company monitors and blocks specific software installations.
If you want to ensure employees aren’t susceptible to spear phishing, don’t let them log onto their social media and messaging channels while on your computer or smartphone.
- Periodically spot-check devices for violations.
Ensure employees do not log onto personal email or social media accounts or download PDFs from websites.
- Establish one contact that employees can go to if they have questions or concerns.
In addition, make it easy for employees to report violations as they see them to that person or an anonymous hotline.
- Move toward MFA logins.
Multi-factor authentication (MFA) requires the user to satisfy three or more verification mechanisms in a single login. Access is granted only if the person seeking access completes all of them.
- Outsource Cybersecurity.
Even with all of the practices listed above in place, you will still require 24/7 monitoring to find network vulnerabilities and to stop attacks in their tracks.