April 25, 2017
Your employees need guidance when it comes to acceptable uses of the Internet in the workplace. This can help avoid misuse and exposing your business to security risks and legal liability.
The guidance should come from a written policy that clearly defines what is — and is not — acceptable. Each employee should read, agree to, and sign off on the restrictions.
Setting limits on the use of the Internet at work can be a highly charged situation because employees may view restrictions as an attack on privacy or responsibility. But courts have ruled that employees have no expectation of privacy when using workplace computers.
In addition, laws controlling electronic monitoring vary by state, but if your organization obtains employees’ consent your business will generally be safe from claims of invasion of privacy. Nevertheless, it’s a good idea to get some legal advice.
Start your policy with an introduction that clearly states your organization’s position on personal use of the Internet during working hours and, if you allow it, after hours and during lunch breaks.
Other key elements of all acceptable use policies include:
E-mails – Your business should monitor e-mail, and set consequences for its misuse. Electronic messages and letters are core to most companies’ use of the Internet and they can be the most troublesome — cutting productivity, undermining security and potentially exposing the organization to legal liability.
The policy must address corporate confidentiality, downloading attachments, inappropriate messages, and e-mail archiving. Warn employees that:
- One carelessly and inadvertently sent e-mail attachment can expose a business plan, sales results, customer information or salary data to a multitude of outsiders.
- Nothing sent over the Internet is private without some type of encryption technology.
- E-mails can generate legal liabilities such as claims of sexual harassment, libel, copyright violations, hate speech and stalking. E-mails are a written record and your organization can be held liable for what is in them. The policy should explain that even if an e-mail is deleted, it can remain on the organization’s email server and, of course, the recipient still has a copy.
- Lay out regulations for archiving e-mails. Depending on your type of business, you may have to explain that under Securities Exchange Commission regulations or the Sarbanes-Oxley Act your organization must archive e-mails for a set amount of time.
Surfing – Personal surfing of the Web generally should be banned. Beyond that, however, permission to surf the Internet really depends on the job. The policy toward surfing should be established in both the acceptable use policy and job descriptions.
Some employees need more freedom to search through websites than others. For example, creative or marketing personnel will need to monitor the competition and look for inspiration on the Internet. Other employees, however, will need limited access to work-related sites or external applications. This should be clear in the policy.
Install software that monitors surfing and ban employees from using file-sharing software to download such copyrighted material as music and videos. Employees also should be banned from distributing any other types of copyrighted material without permission from the copyright holder. Delete any file-swapping software that may already have been installed.
Security – Your organization’s network must remain secure, and this goes beyond firewalls, intrusion detectors, anti-virus software and other technology your IT department puts in place. Your organization must educate its employees in such safety precautions as:
- Selecting strong passwords that use upper and lower case letters, numbers and randomly placed punctuation. Strong passwords should be long and use one or more special character such as @, #, %, etc. The password should be easy to type, making it harder for someone to look over an employee’s shoulder and steal it. As an extra precaution, passwords should be changed every six months.
- Recognizing and avoiding hacker tricks such as phishing.
Your organization’s acceptable use policy should be enforced by the IT department or human resources, with one person given overall responsibility.
In the end, a strong policy with serious consequences for violations will help ensure the security of your company’s data, including financial information, strategic growth plans, and private information about individuals you may have stored on your servers.
An accounting firm or law firm with experience in technology issues may be able to assist you in developing a strong acceptable Internet use policy that helps protect your organization.