
Network World


The scoop on security policies

Think your company’s too small to need one? Think again
Small Business Tech, by James E. Gaskin, Network World, 06/21/2004

I've had the pleasure of meeting readers in New York and Washington, D.C. as part of Network World’s Remote Office Networking tour, and it's been great. Most of the attendees are large company IT folks, but the feedback they’re giving applies to companies of every size.

Take heart if you're struggling with security issues for your three- or 30-person business. Some attendees manage 20,000 remote users and have the same problems you have: how to let employees connect securely to the information they need when they're not in the office.

So let's talk about security, and the need for a security policy. All the rage in corporate IT, security policies outline exactly how users access network resources and the security responsibilities of the users to protect company information. Sometimes committees get involved and write a security policy so long it comes out in two large binders.

Here's a brand-new Gaskin Guideline: Your security policy loses half its readers for every page after the first one. In other words, if you have three pages, maybe a quarter of your users will read it. If you have five, maybe 7% will. I base this formula on years of watching users avoid reading things they don't like, especially poorly written mandates about subjects they avoid whenever possible.

If your security guideline is one page - and one page only - you can demand (and expect) that all users read and at least try to follow the guidelines.

Do you need a security policy if your company employees can all fit into the same car? Yes, if only to impress upon them how serious security issues are for companies large and small. You also need to write a security policy that clearly explains what you want, what you think is important and what you want employees to do.

One quick anecdote from an attendee in Washington, D.C.: "Executive management often says they understand security, but they only understand it intellectually, not viscerally. You can tell this is true when the CEO signs the security policy, then demands you make his password his initials."

That's the voice of experience, unfortunately. So what should your security policy say?

Every employee must protect company assets, and that means locking the electronic door just as you lock the door to the physical building. All data on company computers, including laptops, belong to the company and the user must take every reasonable step to back up the data and protect the computer from hackers. This means keeping the operating system, personal firewall, and virus protection software up to date and active on the computer. Passwords are personal and are not to be shared. Careless handling of company data can mean lost profit, lost revenue, and may create serious civil and criminal liabilities for the company and employees.
