Do you have employees who work remotely? If so, you are in good company. Nearly 60 percent of companies allow remote workers, according to a 2013 survey by the Society for Human Resource Management. Still, one thing I’ve noticed among small businesses is a tendency to allow work-from-home arrangements without establishing a security policy. An unsecured computer is a great big welcome mat to hackers.

Nobody wants to spend time on administration, but putting together a security policy is time well spent. Review the five key elements of a remote workforce security policy to see why they are so important:

1. Train your team. 

Be sure remote workers follow safety best practices. Even though it’s easy to believe that most people know basic safety precautions, such as don’t open an email from someone you don’t know, you should include basic protection tips. Have everyone set their laptops, smartphones, and tablets to lock when not in use and to use complex passwords (mix of uppercase and lowercase letters and numbers) to unlock them. Make it clear that not following the policy could result in losing the privilege of working remotely. Harsh? Maybe, but so is a catastrophic data loss.

2. Know who to go to. 

To minimize the impact of a potential security compromise, see that your employees know where to go when something goes wrong—or even seems wrong. Whether it’s an in-house IT person, an on-call consultant, or a third-party service provider, everyone should have these contacts close at hand. Specify what steps to take, in which priority, and how they should communicate the problem down the chain.

3. Limit access.

To help ensure your documents are protected from hackers and to control access, consider setting up a virtual private network (VPN). A VPN encrypts information and Internet traffic and allows you to channel remote users only to where you want them to go. For example, your sales team doesn’t need to get into your financial documents and your accountant probably doesn’t need to read about sales leads. And, of course, unwanted visitors such as hackers don’t need to see anything at all.

4. Issue your equipment. 

What employees do on their own laptops, tablets, and smartphones on their own time is their business. When those devices connect to your network, however, it’s very much your business. To lessen the risk from unauthorized or unmonitored devices, it’s safer to provide company-issued equipment. This way, you can keep important upgrades like security patches current across all devices, and data backup is easier. Double up on the protection and have one less thing to worry about by using an automated backup service.

5. Secure mobile devices.

Gadgets have become the core of our communications strategies. As such, you may want to keep a tighter rein on how they’re used during work hours. To help secure sensitive business data, consider a mobile device management (MDM) system. This gives you control over access to your data and lets you define which applications and devices can access it. If employees use their own tablets and smartphones, be sure they understand you need those to be secure as well by locking them when not in use and not using public Wi-Fi.

What steps have you taken to make your system safer for remote access? How easy was your policy to implement? I’d love to hear what you did.