In 2022, a single employee at Uber received a flood of multi-factor authentication push notifications, got frustrated, and approved one. That decision gave a teenage threat actor access to Uber's internal systems, Slack, and cloud infrastructure. An acceptable use policy that specifically addressed MFA fatigue attacks and reporting obligations could have changed the outcome of that breach. Not because policies are magic. Because policies set the behavioral baseline that makes every other security control work.

If you're searching for guidance on building or improving your organization's acceptable use policy, you're in the right place. I've spent years helping organizations draft, enforce, and train on these documents. Here's what actually works — and what gets people fired or breached when it doesn't.

What Is an Acceptable Use Policy in Cybersecurity?

An acceptable use policy (AUP) is a documented set of rules that defines how employees, contractors, and third parties may use an organization's technology resources. This includes computers, networks, email, cloud services, mobile devices, and data storage. In a cybersecurity context, the AUP is the behavioral contract between your organization and everyone who touches its systems.

The AUP isn't a suggestion box. It's an enforceable document that, when done right, reduces your attack surface by eliminating ambiguity. Employees can't follow rules they've never seen. And your legal team can't hold anyone accountable for violations that were never defined.

The $4.88M Reason Your AUP Can't Sit in a Drawer

IBM's 2023 Cost of a Data Breach Report put the global average cost of a breach at $4.45 million. In the United States, that figure hit $9.48 million. A huge percentage of those breaches trace back to human decisions — clicking a phishing link, reusing credentials, connecting to unsecured Wi-Fi, or sharing sensitive data on unapproved platforms.

Every one of those actions should be addressed in your AUP. But here's the gap I see constantly: organizations write the policy, file it in SharePoint, and never mention it again. The 2023 Verizon Data Breach Investigations Report found that 74% of all breaches involved the human element, including social engineering, errors, and misuse. Your acceptable use policy has to be a living program, one that is trained, tested, and enforced, or it's just paper.

What a Strong AUP Actually Covers

I've reviewed hundreds of acceptable use policies. The weak ones read like corporate boilerplate. The strong ones are specific, scenario-based, and updated at least annually. Here's what yours needs to include.

1. Scope and Applicability

Define exactly who is covered. Full-time employees, part-time staff, interns, contractors, temporary workers, and any third party with access to your systems. If your policy doesn't explicitly cover contractors, you've got a hole big enough for a threat actor to walk through.

2. Authorized Use of Systems and Data

Spell out what's allowed. Can employees use company laptops for personal browsing? Can they install browser extensions? Can they access company email from personal devices? If you don't answer these questions, your employees will answer them for you — and you won't like the results.

3. Prohibited Activities

This section needs teeth. Be explicit about what's off-limits:

  • Installing unauthorized software or browser extensions
  • Using company credentials on third-party sites
  • Sharing passwords or authentication tokens
  • Connecting to company networks via unsecured public Wi-Fi without a VPN
  • Storing sensitive data on personal cloud storage accounts
  • Disabling or bypassing security tools like endpoint detection or multi-factor authentication
  • Accessing systems or data outside the scope of their role

4. Email and Communication Rules

Email remains the top initial attack vector. Your AUP should address phishing reporting procedures, rules about opening attachments from unknown senders, restrictions on auto-forwarding company email to personal accounts, and guidelines for verifying financial requests. The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise alone caused over $2.7 billion in losses in 2022. Your email policy isn't a nice-to-have — it's a financial firewall.

5. Data Classification and Handling

Employees need to know the difference between public, internal, confidential, and restricted data — and the rules for each. Can confidential data be emailed? Can it be stored on a USB drive? Can it leave the building on a laptop? If your AUP doesn't answer these questions with clarity, your data loss prevention program is built on sand.

6. Remote Work and BYOD

The post-pandemic workforce made this section non-negotiable. Address minimum security requirements for home networks, mandate device encryption, require VPN usage, and define what happens if a personal device with company data is lost or stolen. This is where acceptable use policy requirements meet the messy reality of the modern workplace.

7. Incident Reporting Obligations

This is the section most organizations get wrong. Your AUP must make it crystal clear that employees are required — not encouraged, required — to report suspected security incidents immediately. Lost devices, suspicious emails, unexpected MFA prompts, unauthorized access attempts. The Uber breach I mentioned earlier could have been contained faster if the employee had flagged the MFA bombardment instead of approving it.

8. Consequences of Violation

A policy without enforcement is a suggestion. Define the disciplinary actions tied to violations: verbal warning, written warning, suspension, termination, and in some cases, legal action. Reference your organization's HR policies to ensure alignment. Employees take policies seriously when they know violations have real consequences.

How the AUP Fits Into Zero Trust Architecture

If your organization is moving toward a zero trust framework — and in 2023, you should be — the AUP is a foundational document. Zero trust operates on the principle of "never trust, always verify." Your AUP codifies what verification looks like for human behavior.

For example, zero trust demands least-privilege access. Your AUP should tell employees they may only access systems and data necessary for their specific role. Zero trust requires continuous verification. Your AUP should mandate that employees never share credentials and always use multi-factor authentication. These aren't separate initiatives. The AUP is the human layer of your zero trust strategy.

NIST's Special Publication 800-63B provides detailed guidance on digital identity and authentication best practices that should inform your AUP. You can reference it at NIST SP 800-63B.

Training Turns Policy Into Practice

Here's what I've seen kill acceptable use policies more than anything: no training. You can write the best AUP in the world, get it signed by every employee, and still suffer a breach because nobody actually read it.

Security awareness training is the delivery mechanism for your AUP. Not a one-time onboarding video. Ongoing, scenario-based training that puts employees in front of realistic situations they'll actually encounter. What does a phishing email look like? What do you do when someone calls claiming to be from IT and asks for your password? What's the process when you accidentally email a confidential file to the wrong person?

If you're building a training program from scratch or refreshing an outdated one, start with a comprehensive cybersecurity awareness training course that covers these exact scenarios. It gives your employees context for every rule in your AUP.

Phishing Simulation: The AUP Stress Test

A phishing simulation program is the most direct way to test whether employees are following your AUP. Send realistic simulated phishing emails. Track who clicks. Track who reports. Use the data to identify high-risk departments and individuals who need targeted coaching.

This isn't about punishment — it's about measurement. You can't manage what you can't measure. CISA recommends regular phishing exercises as a core component of any cybersecurity program, and their guidance at CISA Cybersecurity Best Practices is worth bookmarking.
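The tracking step above (who clicked, who reported, which departments need coaching) is easy to get wrong if it is only eyeballed in a spreadsheet. The script below is an added example, not code from the original article or from any simulation vendor: it scores a campaign by department, flags departments whose click rate is too high or whose report rate is too low, and lists the individuals who clicked and never reported. The campaign results, the user and department names, and the thresholds are all constructed for this example.

```python
"""Score the results of a phishing simulation campaign by department.

Added example (not from the original article): computes the click rate and
report rate the article says to track, and flags the departments and
individuals that need targeted coaching. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    department: str
    clicked: bool      # user followed the simulated phishing link
    reported: bool     # user reported the email through the official channel


# Constructed campaign results (hypothetical users and departments).
CAMPAIGN = [
    SimResult("alice", "finance", clicked=True, reported=False),
    SimResult("bob", "finance", clicked=True, reported=True),
    SimResult("carol", "finance", clicked=False, reported=True),
    SimResult("dave", "finance", clicked=True, reported=False),
    SimResult("erin", "engineering", clicked=False, reported=True),
    SimResult("frank", "engineering", clicked=False, reported=True),
    SimResult("grace", "engineering", clicked=True, reported=True),
    SimResult("heidi", "engineering", clicked=False, reported=False),
    SimResult("ivan", "sales", clicked=False, reported=False),
    SimResult("judy", "sales", clicked=False, reported=False),
]


def department_metrics(results):
    """Return {department: {"sent", "click_rate", "report_rate"}}."""
    buckets = defaultdict(list)
    for r in results:
        buckets[r.department].append(r)
    metrics = {}
    for dept, rows in buckets.items():
        n = len(rows)
        metrics[dept] = {
            "sent": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return metrics


def high_risk_departments(results, max_click_rate=0.25, min_report_rate=0.5):
    """Departments whose click rate is too high or whose report rate is too low.

    The thresholds are assumptions for this example, not figures from the article.
    Returns a sorted list of (department, [reasons]).
    """
    flagged = []
    for dept, m in sorted(department_metrics(results).items()):
        reasons = []
        if m["click_rate"] > max_click_rate:
            reasons.append("click rate %.0f%%" % (m["click_rate"] * 100))
        if m["report_rate"] < min_report_rate:
            reasons.append("report rate %.0f%%" % (m["report_rate"] * 100))
        if reasons:
            flagged.append((dept, reasons))
    return flagged


def coaching_list(results):
    """Users who clicked and never reported: the priority coaching targets.

    A user who clicked but still reported followed the AUP's reporting rule,
    which is the behaviour you want to reinforce, not punish.
    """
    return sorted(r.user for r in results if r.clicked and not r.reported)


if __name__ == "__main__":
    for dept, m in sorted(department_metrics(CAMPAIGN).items()):
        print(f"{dept:12} sent={m['sent']} "
              f"click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    print("high-risk:", high_risk_departments(CAMPAIGN))
    print("coach:", coaching_list(CAMPAIGN))
```

Note that a department can be flagged on report rate alone: in the constructed data, sales nobody clicked, but nobody reported either, which is its own AUP failure. Feed real campaign exports into `CAMPAIGN` (or replace it with a CSV reader) and tune the two thresholds to your organization's baseline.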

For organizations ready to implement structured phishing simulations alongside policy training, explore phishing awareness training designed for teams. It ties directly to the behavioral expectations your AUP defines.

Real Enforcement: Lessons From FTC Actions

The FTC has made it clear that having a policy isn't enough — you have to enforce it. In its action against Drizly in 2022, the FTC cited the company's failure to implement and enforce basic security practices that were, in some cases, already part of their own internal policies. The CEO was personally named in the order. That's a precedent every executive should take seriously.

Your AUP needs to be a living document with an enforcement mechanism. Quarterly reviews. Annual updates. Acknowledgement signatures. Documented violations. If you can't show an auditor or regulator that your policy was actively enforced, it won't protect you in an investigation.

Common AUP Mistakes I See Repeatedly

After years of reviewing these documents, here are the patterns that get organizations in trouble:

  • Too vague: "Employees should use good judgment" isn't a policy. It's a hope.
  • Too long: A 40-page AUP that reads like a legal brief won't get read. Keep it under 10 pages. Use plain language.
  • No update cycle: A 2019 AUP doesn't address AI tools, modern ransomware tactics, or current social engineering techniques.
  • No training tie-in: The policy exists in a vacuum, disconnected from onboarding, annual training, and phishing simulations.
  • No mobile device coverage: If employees access company email on personal phones — and they do — your AUP must address it.
  • No cloud services rules: Shadow IT is rampant. Employees use Dropbox, Google Drive, ChatGPT, and dozens of other tools without IT approval. Your AUP needs a clear cloud services clause.

Building Your AUP: A Practical Checklist

If you're starting from scratch or rewriting an outdated policy, follow this framework:

  • Assemble stakeholders: IT, security, legal, HR, and at least one business unit leader.
  • Audit current technology usage — you need to know what's actually happening before you write rules about it.
  • Draft the policy using plain language. Target an 8th-grade reading level.
  • Include specific examples and scenarios. "Don't click suspicious links" becomes "If you receive an email requesting urgent payment, verify the request by calling the sender directly using a known phone number."
  • Route through legal review to ensure compliance with HIPAA, PCI-DSS, GDPR, or whatever regulatory frameworks apply to your organization.
  • Publish and distribute with a mandatory acknowledgement signature.
  • Train immediately. Don't wait for the next training cycle.
  • Schedule quarterly reviews and an annual full revision.

The AUP Is Your Cybersecurity Culture Document

Every security framework — NIST CSF, ISO 27001, CIS Controls — assumes you have an acceptable use policy. It's not optional. It's foundational. But more than a compliance checkbox, your AUP is the clearest signal of your cybersecurity culture. It tells employees what matters, what's expected, and what happens when expectations aren't met.

I've seen organizations with seven-figure security budgets get breached because an employee plugged in a USB drive they found in the parking lot. The technology was there. The policy wasn't — or wasn't trained on. Your security posture is only as strong as your least-trained employee.

Start by getting the policy right. Then invest in the training that makes it stick. That combination — clear rules, real training, measured enforcement — is what separates organizations that get breached from organizations that catch the breach before it starts.

The Verizon 2023 DBIR is available at Verizon DBIR and remains one of the best resources for understanding the threats your AUP should address. Read it. Then update your policy accordingly.