Having a clear policy on staff internet and email use can help stamp out inappropriate behaviour, avoid legal issues, and lift productivity.
By Sarah Stokely
The email porn scandal that claimed the jobs of 25 employees of the Commonwealth Department of Agriculture and Fisheries in July was a timely reminder that employee misuse of the internet at work can have a huge and negative impact on a business.
Employee abuse of internet facilities can reduce productivity, affect the morale and culture in a workplace and increase internet use charges.
Also, organisations that don't take steps to avoid or stamp out misuse of their internet and computer networks can expose themselves to legal action and very poor publicity.
Having a clear policy governing the use of corporate computer networks, internet and email facilities in the workplace can go a long way towards avoiding problems. It can help stamp out inappropriate behaviour, avoid legal issues, increase staff productivity and lower internet costs.
It can also provide employers with some legal backup if it becomes necessary to take action against an employee who breaks the policy.
But the problem isn't just about employees goofing off and letting their company pick up the download tab. There are also legal risks under Australian federal and state anti-discrimination and sexual harassment laws.
Under the Federal Sex Discrimination Act, employers are liable for the unlawful behaviour of employees if that behaviour was found to have been in connection with the individual's employment.
A workplace that in any way condones or turns a blind eye to computer-related activities such as the sharing or display of inappropriate material could well be liable if an employee complains about harassment.
Often businesses lack awareness about how employees are putting their email and web facilities to use - so consultation with your IT manager may well be the first port of call.
It's worth finding out how much of your web traffic is being taken up by non-work-related downloads. John Addeo is security business development manager for Dimension Data, an IT integrator and service provider. 'A lot of it is harmless but it all impacts on productivity and bandwidth,' Addeo says of employee internet browsing.
Because of the increasing incidence of email spam luring web surfers to phishing websites (which attempt to extract personal details such as credit card numbers), Addeo says that for network security reasons, a company's internet policy should cover both web and email usage. 'HR, legal and IT need to get together and work out what's appropriate for their business,' Addeo says.
Marketing should also have an input, especially if employees are sending inappropriate emails using the firm name. Internet security software can be used to guard against particular threats, such as spam and viruses. There are also products designed to control or filter the internet traffic going in and out of a business.
It is also possible to block the use of P2P downloading software, or block access to particular sites such as YouTube or MySpace.
If you make this decision this would need to be done in the context of your HR culture. You may find some people resent working long hours and then being blocked from social networking sites.
There are several security packages available that address a range of internet threats. Some examples include the Websense Security Suite, which protects against web-based threats, including spyware and keyloggers. The Sophos Small Business Suite, which is aimed at companies that have a tight budget and no full-time IT staff, includes a range of security tools that prevent many malware attacks.
Some products are aimed specifically at protecting against inappropriate or risky web surfing. Examples include the Sophos Web Security Appliance, and Clearswift's MIMEsweeper Web Appliance and MIME-sweeper for Web (products).
It's also possible to limit or control the size and type of attachments being emailed into or out of an organisation. Companies concerned about the loss of sensitive information can use keyword controls to identify and block particular data (for example, credit card numbers) from being sent out. Clearswift's MIMEsweeper Web Appliance provides just this sort of control.
According to an international poll conducted by Clearswift earlier this year, 51 per cent of companies didn't know if they had lost confidential information through social media sites such as YouTube and MySpace, or through web mail or blogs. But the use of these sites by employees is considerable. 'Our research showed 71 per cent of employees use web mail, 62 per cent use forums and 56 per cent use blogs,' says Peter Croft, managing director for Clearswift Asia Pacific. 'All of these are potential avenues for sensitive corporate information to leak onto the web.'
Taking control of your company's email or internet facilities isn't simply a case of turning off a tap. There are a number of legal and human resources issues to consider, not least of which is privacy. Monitoring of internet usage is a sensitive topic.
This is even more the case for email; even when using internet facilities at work, employees often have a perception and expectation of privacy. Employers need to ensure that their internet policy is in line with privacy laws, and that those policies are clearly communicated to staff.
The guidelines state that informing employees about what personal information is collected and held, and what is done with it, is an important privacy principle. Such information needs to be enshrined in organisational computer and email usage policies.
To maximise the chances of staff understanding and abiding by your internet usage policy - and minimising your legal risk - you must ensure that you keep staff informed of your policy and expectations regarding the use of computers, the internet and email facilities.
Decisions about whether staff email needs to be monitored or filtered must consider whether it's needed by the business, and how it can be implemented in such a way that staff are supportive rather than alienated.
It's quite possible that for some segments of the business, web access is necessary for staff to do their jobs, while for others it's a dangerous timesink. So different levels of internet access may be appropriate for staff according to the area of the business in which they work.
Social networking sites such as Facebook combine tools for professional networking as well as more 'timewasting' features such as private messaging. Individual businesses might need to weigh the business uses against the social ones.
Companies can also choose to permit some leeway for personal use such as internet banking, or allow personal browsing or email use at designated periods such as lunchtimes. 'Some companies don't want to play Big Brother,' Addeo says. 'They're happy to articulate the guidelines about what is appropriate internet usage, and trust staff will comply. Others are happy to say that sites like gaming, pornography or sports betting are never acceptable, and put a blanket ban on access to those sites.'
Your internet usage policy is not only about the use of technology. It's also about what behaviour is acceptable in the workplace. So don't rely on technical solutions such as web filters - make sure you educate your staff about your usage policy, and don't hesitate to enforce it.
Policy guidelines for computer, internet and email usage in the workplace
The policy should:
be publicised to staff and management should ensure that it is known and understood
be explicit as to what activities are permitted and forbidden
clearly set out what information is logged and who in the organisation has rights to access the logs and content of staff email and browsing activities
refer to the organisation's computer security policy. Improper use of email may pose a threat to system security, the privacy of staff and others and the legal liability of the organisation
outline, in plain language, how the organisation intends to monitor or audit staff compliance with its rules relating to acceptable usage of email and web browsing
be reviewed regularly in order to keep up with the accelerating development of the internet and reissued whenever significant change is made
