As the use of computers becomes more integral to business operations, employees naturally spend an increasing proportion of their time working at them. Working? Really? With temptations such as chat, streaming video, blogs, social networking and myriad other interesting sites (weather, maps, pornography, music, games, gambling, shopping, sports) it’s no wonder that surveys such as Websense’s annual Web@Work study reveal a depressing incidence of non-work-related Web surfing by employees.
And it’s depressing not just because of the loss in productivity due to the amount of time wasted on such activities. These private activities, because they take place at the workplace using work computers, can entangle the business in legal proceedings when the computers are used illegally. Classic cases of work computer abuse include the employee who managed an eBay store from work selling his company’s inventory and another who set up the company server to run his gambling site. Downloading sexist materials and sharing them among workmates or sending them on to outsiders puts the business at risk of a sexual harassment charge. There are technical issues too - non-business internet use can soak up bandwidth, slowing the company network server, and open up computer records to infection by malware, trojans and viruses.
Managing the risks that arise from non-business use of business computers is a challenging task. It needs to be addressed on a number of fronts.
Develop a formal policy outlining what is considered acceptable use of computers and the internet. This sort of policy is usually referred to as an internet Acceptable Use Policy (AUP). AUPs can include provisions for private use of company computers, for example, whether an employee on a lunch or coffee break can send private emails or surf approved sites. The AUP must drive home three key ground rules:
Computers are company property
They are for company business - either exclusively or with specific provisos for private use
The company reserves the right to monitor the use of its computers and inspect all files on them
The first step in an education programme involves making sure that every employee receives a copy of the AUP and understands its provisions. They should also be asked to sign off on having read and understood it. Outside that, employees need to be sensitised to the risks they expose themselves and their business to, particularly the legal penalties that can result from computer abuse. Workshops, team meetings and articles in the company newsletter are good ways to keep people aware.
An AUP is of no value if it isn’t backed by specific actions that will be taken against an offending employee. These will range in severity, commensurate with the type and degree of computer abuse, from written warnings all the way up to termination.
Internet monitoring and control:
Powerful monitoring software that can track and report sites visited is available. There is a natural reluctance to use this solution as a matter of course even though it is part of the AUP. Questions arise about violation of privacy and the detrimental effects on morale of ‘spying’ on employees. Nevertheless, this sort of software should be installed even if not deployed - or deployed only randomly to establish whether the AUP is being adhered to within the business. Filtering software can be used to prevent employees from accessing sites, software and other connections that may violate the company’s AUP and endanger its networks and systems.