02
06
10
12
13
15
16
Contents
Misuse of the Internet - The Issues
Building an Acceptable Use Policy (AUP)
Example Acceptable Use Policy
Informing and Educating Users
Installing Appropriate Technology
Maintaining the Policy
Helpful Resources
>
70% of Internet porn traffic occurs between the hours of 9am
and 5pm.
(Businessweek.com)
>
32.6% of workers surf the Internet with no specific objective;
men are twice as likely to do this as women.
(emarketer.com)
>
30% to 40% of employees’ Internet activity is not business
related and costs employers millions of dollars in lost
productivity.
(IDC research)
>
Men are 20 times more likely to download pornography;
employees earning $75K to $100K annually are more than twice
as likely to download pornography as those making less than $35K.
(emarketer.com)
>
1 in 5 men and 1 in 8 women admitted to using their work
computers as their primary lifeline to access sexually explicit
materials online.
(MSNBC)
>
During work hours, 9% of employees earning under $35k surf
the net for a new job, while 11% of employees earning
$75k-$100k do the same.
(Greenfield Online)
>
Cyber-skiving accounts for 30% to 40% of lost worker
productivity.
(Businessweek.com)
Misuse of the Internet -
The Issues
Business has everything to gain from going onto the Web: new customers, more efficient administration, closer ties with business partners, access to infinite information sources, and keeping in touch with mobile employees. But the Web provides employees with the temptation to spend their time and use the resources for non-business ends. Controlling Internet usage is only one aspect of the e-business security issue, but it is one that is important to all businesses. The typical issues raised by casual surfing on the Internet are as follows:
Employee productivity
The information and resources available through the Internet can help employees to be more productive and effective. From vital online market information to last night's sports scores, games or chat rooms, you can get there with just a click. How many hours of lost productivity can your company afford?
Network resources
Combine recreational surfing with bandwidth-intensive activities such as streaming audio and video, MP3 downloads and image downloads, and you have a significant impact on your network performance that impedes business traffic.
Security
Unless you're careful, opening the door to the Internet also opens your company's door to the potential security breaches inherent in the cyber world. Network security issues become even more acute when the enterprise is linked to the global public network. Employees can use the Internet to send sensitive company information or to download material that could be infected with viruses, etc.
Legal liability
Letting employees surf anywhere on the Internet can lead them to stray to clearly inappropriate sites, sexually explicit sites and those promoting violence and hate speech. This kind of activity can lead to lawsuits, harassment charges and even criminal prosecution. Protect your employees and your company by promoting responsible Internet use.
Adverse publicity
Several major international companies have already been forced to dismiss employees that were found guilty of accessing illegal and offensive material through the Internet. Adverse publicity can clearly be very damaging.
Misuse of the Internet -
The Issues
“The Internet is remaking business… but it’s also the greatest way to waste time that the human race has ever invented.”
(
The Wall Street Journal)
HEADLINE
Examples of adverse publicity:
“30 SACKED FOR INTERNET PORN”
…fires staff who exchanged sex site images. (Evening Standard)
“SMUTTY COPS CRASH THEIR PCs”
The top brass are extremely embarrassed about the computers crashing because it was obvious to the technicians what had been going on.(The Sun)
“NET PORN ALERT AT WORK”
… sacking of three Downing Street workers for downloading hardcore images…(The Observer) Every employee using Internet resources should have a clear understanding of the legal issues involved. These include:
Sexual harassment as a result of bringing objectionable or sexually explicit material into the workplace. If an employee downloads objectionable materials - pornography, for example - and another employee sees it, your company could be liable. Even worse, if a user downloads materials that are illegal, your company might face criminal charges.
Copyright infringement can happen unintentionally. An employee downloads and uses a software program, a photograph or a proprietary document in all innocence, thinking that, because it's available on the Web, it's "free". It's not!
Misrepresentation can also occur unintentionally, particularly through the use of e-mail. Employees should know, and should make it clear to the people with whom they communicate, that opinions expressed via e-mail and other electronic media are their own, not the company's.
IT managers could face prosecution if their corporate networks are used to carry illegal material from the Internet. “The law on online information is the same as offline” [said Philip Virgo from the Institute for the Management of Information Systems]. “Therefore, IT managers, as well as local general managers with service providers, face jail if
their networks are used to put illegal material over the Net. The Internet’s operation is subject to national law that can be very strict.” Virgo said it was important for IT managers to take reasonable precautions, so in the event of a problem they could say they had tried to prevent misuse of their systems.
(Computer Weekly)
ILLEGAL NET TRAFFIC PUTS USERS IN THE DOCK
Misuse of the Internet -
The Issues
Business impact
In the 2000 Information Security Industry Survey sponsored by ICSNet and Global Integrity, 63% of respondents experienced examples of their employees using the company computing resources for illegal or illicit communications or activities, including porn surfing and e-mail harassment.
Although 41% of respondents experiencing misuse of company computing resources did not think that the business suffered any knock-on impact, a substantial percentage did relate the behaviour to damage to the business, as shown in the chart below. (Some respondents identified multiple types of consequences.) It should be noted that this survey does not include the important, but hard to measure, effect on productivity and staff motivation.
Solutions
Businesses should be alert to some of the pitfalls amid all the business potential of the Internet. The good news is that most, if not all of these pitfalls can be avoided by developing and implementing an effective company Acceptable Use Policy, and through the use of proven access control technology.
Controlling access to the Internet is no different to managing other resources like the phone, fax and mobile phone: it is a management issue. There are four stages to ensuring that Internet access is business access:
1.
Building an Acceptable Use Policy (AUP)
2.
Informing and educating the users
3.
Installing appropriate technology to filter and monitor usage
4.
Maintaining the policy
IMPACT OF ILLICIT EMPLOYEE ACTIVITY
18% Lost business to competitors 12% Temporary loss of website 08% Corruption of information 05% Disclosure of information 05% Temporary loss of Internet access 03% Theft of information or service 01% Public harassment or bad PR 48% Other
Misuse of the Internet -
The Issues
The goals of an AUP are:
To clarify the company's policy regarding use of the Internet
To shield the organisation against potential liability
To avoid security threats by promoting awareness and good practice
To encourage effective and positive use of the resources
The following are some things to consider when building an AUP: 1. Make it a team effort
Setting corporate limits on Internet use can be an emotionally charged subject, linked as it is to issues of personal privacy and individual responsibility. For that reason, it's prudent to avoid any hint of "top-down" policy making.
Rather, it will be better if both the articulation of the business needs for an AUP, and the policy itself, are developed by representatives from every part of the business: senior management, information technology, business unit managers, human resources, legal and interested user groups. Keep in mind that Internet access need not be "all or nothing". You can restrict certain services, type of access, time of day, length of connection, etc. exactly as you can for internal network connections. It helps to think of Internet access as a privilege, rather than an inalienable right (although some users are sure to argue otherwise). Encouragement and leadership are more likely to succeed than a policy based on prohibition, but sometimes both are needed in unison.
2. Make it clear
The policy should start by specifying the general principles governing Internet use by employees, both in the course of their business and in other activities. This should be followed by clear conditions of use for individual services. Finally, employees need to understand what the consequences are for non-compliance.
Employees also need to know whether the organisation routinely monitors Internet or e-mail usage and what the consequences are for a breach of the code of conduct. A clear statement of policy is a strong defence against prosecution. You may also wish to seek legal advice to clarify what levels of monitoring are acceptable and legal in the workplace. Some information regarding the legal issues is provided later on in this guide.
"The separation of creation and
implementation of the policy is a
recipe for disaster."
(Gartner Group, Strategic Analysis Report)
HEADLINE
Building an Acceptable Use
Policy (AUP)
3. How much personal use of the Internet is acceptable?
Your policy should be quite explicit about the level of personal surfing that is acceptable. Some organisations, especially those whose business places a premium on creativity, might even encourage employees to roam cyberspace as part of their jobs. Some may choose to limit Internet activity to strictly work-related sites and activities. Others may look for the "happy medium".
4. What about out of hours activity?
Depending on the type and cost of your physical connection, you may decide to allow, and even encourage, appropriate personal use of Internet resources during non-work hours. And you may or may not choose to place restrictions on the content, types of sites visited and specific activities.
But remember, even during off-hours, the sites your employees visit reflect directly on your company's image. (And any well-equipped Webmaster can determine with a reasonably high degree of accuracy where traffic is coming from.) Nor does off-hours usage lessen the company's legal responsibility regarding sexual harassment, misrepresentation and other issues.
5. Some things are better not shared
Now that it's possible to send an e-mail to hundreds of people at the touch of an enter key, you'll want to remind employees at all levels about the importance of protecting valuable company information. Business plans, marketing strategies, sales results, economic projections - any and all of these can be sent literally anywhere with a keystroke. Obviously, some things simply shouldn't be shared. And without encryption, employees have to realise that nothing on the public network is private.
HOW DO COMPANIES LIMIT PERSONAL INTERNET USE?
36% All non-work use prohibited 28% Limited use after business hours 17% Unrestricted personal use any time 13% Limited personal use any time 04% No policy
02% Unresticted use after work hours
Building an Acceptable Use
Policy (AUP)
6. Covering your assets
In general, employers can be held liable for employee actions – because e-mail is a ‘written record’ - it exists as evidence, even after it is believed to have been deleted! Every employee using Internet resources should have a clear understanding of the legal issues involved. These include sexual/racial harassment, libel, copyright infringement, breach of confidence, negligent misstatement, publication of obscene material, data protection, negligent virus transmission, inadvertent formation of contracts, and The Computer Misuse Act or similar legislation.
In all of these cases the key is to have a clear and effective policy that is communicated to all staff. You can never guarantee to prevent exposure to legal charges, but the onus is on the employer to demonstrate reasonable care in preventing such incidences.
7. Make security part of everybody's job description
Even the most secure firewall can be compromised by an employee's accidental disclosure of a password, or - to a determined hacker - even an IP address. The sad truth is that far more security problems are caused by carelessness and inattention than by malicious hacking. Also keep in mind that even the best-intentioned employee can inadvertently bring a network down with a virus retrieved from "off the Net". If you plan to use any type of virus scanning software - and you should - your users should know that their e-mail and outside connections will be scanned as a normal part of network security. On the same subject, it's especially important to hammer home to all users that directly connecting a modem to an outside line is a breach of security far more serious than leaving all the doors unlocked at night.
8. Taking responsibility
Be sure to clearly spell out who is covered by this AUP, whether it is some or all of your employees. If you intend the policy to cover all employees, say so.
Whether the people responsible for enforcing your AUP are in Human Resources or in MIS, be sure that a responsible group or person is appointed and is fully aware of this responsibility. Extend your policy beyond initial guidelines. Develop a process for handling offences within your organisation; for example, what to do in the case of a 1st offence, 2nd offence, 3rd offence, etc. Clearly outline the consequences of non-conformance with your official AUP. It goes without saying that full management support - all the way to the top of the organisation - is essential to implementing a successful AUP. Do whatever it takes to educate senior management on the finer points of your policy. Make sure they set a good example and that you advertise Senior Management’s endorsement of the policy.
27% of Fortune 500 companies have battled harassment claims stemming from employee misuse of email and Internet systems.
HEADLINE
Building an Acceptable Use
Policy (AUP)
9. Enforce it
The AUP should become part of your organisation's overall policy manual. As with other company policies, you'll want to make sure it's readily available, widely disseminated and clearly understood by all. In fact, many organisations require that employees sign the AUP document as a condition of receiving Internet access privileges.
10. Public policy vs. technical details
As well as working on the principles of the
policy, it is important to work out the technical details in line with your current network security for groups and users. Building a policy is like setting up a customs house: you decide what information types you want to allow into the company network and who can access those different types. Think about the file types you are going to allow through, the maximum size of files as well as where they are allowed to come from. Draw up a table to make this clear and apply your rules and exceptions to the users and groups on your network. This will need to be worked out in conjunction with managers and user representatives. It is not necessary to publish all of the details as long as you have the cooperation and agreement from all departments and you agree to review your policy regularly so that it falls in line with changing user requirements.
11. Example e-mail disclaimer
In light of numerous recent litigations you should also consider a disclaimer to be attached at the end of e-mails. An example disclaimer could be:
Image files:bmp, dwg, dxf, fli, gif, pcx, psp, png, tif, etc.
Movie files:avi, mpg, qtm, rt, etc.
Compressed files:arj, cab, cmp, gzip, lzh, tar, rar, zip, etc.
Executable files:dll, exe, com, etc.
Document files:doc, etc.
WHAT SHOULD CROSS YOUR BORDER?
Building an Acceptable Use
This Acceptable Use Policy (AUP) applies to all company staff of this
company and to those others offered access to company resources.
General Principles
Use of the Internet by company employees is permitted and encouraged where such use is suitable for business purposes and supports the goals and objectives of the company and its business units. The Internet is to be used in a manner that is consistent with the company’s standards of business conduct and as part of the normal execution of an employee’s job responsibilities.
Corporate e-mail accounts, Internet IDs and web pages should not be used for anything other than corporate-sanctioned communications.
Use of Internet/intranet and e-mail may be subject to monitoring for security and/or network management reasons. Users may also be subject to limitations on their use of such resources.
The distribution of any information through the Internet, computer-based services, e-mail, and messaging systems is subject to the scrutiny of the company. The company reserves the right to determine the suitability of this information. The use of computing resources is subject to UK law and any illegal use will be dealt with appropriately.
Users shall not:
Internet
Visit Internet sites that contain obscene, hateful or other objectionable materials. Make or post indecent remarks, proposals, or materials on the Internet.
Solicit e-mails that are unrelated to business activities or for personal gain. Send or receive any material that is obscene or defamatory or which is intended to annoy, harass or intimidate another person.
Represent personal opinions as those of the company.
Confidentiality
Upload, download, or otherwise transmit commercial software or any copyrighted materials belonging to parties outside of the company, or the company itself.
Reveal or publicise confidential or proprietary information which includes, but is not limited to: financial information, new business and product ideas, marketing strategies and plans, databases and the information contained therein, customer lists, technical product information, computer software source codes, computer/network access codes, and business relationships.
Send confidential e-mails without suitable encryption.
Security
Download any software or electronic files without implementing virus protection measures that have been approved by the company.
Intentionally interfere with the normal operation of the network, including the propagation of computer viruses and sustained high volume network traffic that substantially hinders others in their use of the network.
Examine, change, or use another person's files, output, or user name for which they do not have explicit authorisation.
General
Perform any other inappropriate uses identified by the network administrator. Waste time on non-company business.
Protect your reputation and career
Follow your organisation’s Internet AUP, or risk disciplinary action and termination of employment. The company also retains the right to report any illegal violations to the appropriate authorities.
94% Agree 04% Disagree 02% Not Sure
Start as you mean to go on
Training should be considered a prerequisite for Internet access, not only in the mechanics of using e-mail and browsers, but in the ethical, legal and security aspects associated with participation in a global public network.
Bad habits die hard
Employees often come with bad Internet habits from college, previous employers or home Internet use. It is therefore vital that everyone understands how the company expects its employees to act over the Internet. This requires continuous training until the culture and expectations within the company change.
Regular updates
You may also want to consider regular company-wide e-mails to remind employees of particular aspects of the policy. Being aware of viruses and how to protect yourself is a key area, but don’t forsake other aspects of the policy that may seem less important but could nevertheless cost the company dearly if unheeded.
Inform
In a PC World Online survey, most respondents agree that their employer has the right to monitor how they use the Internet connection at work - provided they know if the boss is peering over their virtual shoulder. You get better response from users if you inform them of what you are doing.
Informing and Educating Users
MY EMPLOYER HAS THE RIGHT TO MONITOR...
66% Agree 27% Disagree 07% Not Sure
...BUT I SHOULD BE INFORMED FIRST.
Don't let technology dictate your AUP - develop policy first and then find
the right technology to meet your needs. Just about anything you need
to do to implement a workable AUP can be accomplished with existing
technology. In fact, you'll probably find that there are several ways to get
the job done.
Flexible monitoring
Your filtering software should enable you to implement any AUP you choose. Don’t write your policy around constraints of limited tools and what they enable you to do. Select one with the flexibility to help you enforce ‘your’ policy - whatever it is.
You should be able to implement varying levels of filtering restrictions depending on the day of the week or the time of day: for example, it could be more stringent between 8am and 6pm, and more lenient after 6pm and on weekends. You’ll want to look for software that also lets you configure access by user and group; for example, you may want to give top management more access than others, or you may want to set up different levels of filtering for one department compared to another, due to specific job needs.
Complete reporting
Graphs and reports will enable you to know when and how many sites not conforming to your AUP are requested, whether you choose to block them or simply monitor those requests. And once you’ve identified possible problems, you want to be able to track those users more closely and work with them to enforce the policy. So find out how many reports are available, whether you can customise them, and how the reports are distributed, such as by automatic e-mail or an internal website.
Intelligent filtering
The software should include a clear statement of the criteria used to block sites so you can answer any questions that arise internally, and be able to explain what is and isn’t blocked and why. Put the software to the test to ensure that blocked sites are sites that should be blocked, while access is allowed to sites that should not be blocked. Too many filtering packages “throw out the baby with the bathwater”: it’s easier to over-block than to block carefully and accurately, and that may result in the inability to access useful sites. The filtering software should enhance employee productivity, not frustrate users trying to work.
Regular content updates
The Internet grows every hour. Some reports suggest that each day, 10,000 new Web pages come online. You should be able to update frequently - even daily if you choose - to ensure up-to-date protection against newly posted sites.
High scalability and strong performance
The software should be able to handle thousands of users, so you can run the monitoring easily from one location on your network. And it should be able to handle thousands of users without affecting network performance. Investigate supported network topologies, servers, and firewalls to make sure the software will be able to work with your network and handle the number of users.
Reliable support
An established vendor will be there to support you in the future as your company grows. Look for a technically strong, well-respected company with extensive knowledge of the Internet that gives it staying power.
Producing the policy and installing the software is not the end of the matter. Changes occur in staffing, business practice, Internet technology and management expectations, so your policy will need to keep up with these in order to be relevant. You should implement a regular review of the policy. Here are some things to consider in your reviews:
Are new staff being trained adequately, are they being given sufficient information and do they understand the policy?
Are you getting feedback from users and maintaining an open channel of communication? Is your policy or the restrictions preventing anyone from doing company business more efficiently? You will need to consult line managers to find out.
Analyse Web and e-mail activity for new trends that may indicate time spent on non-business activities by large numbers of users.
New e-mail jokes, viruses and new websites come out every month so make sure you are up-to-date restricting these.
Review your e-mail disclaimer. Is it up-to-date and sufficiently protecting the company and its employees?
Maintain your lists of users and groups and ensure they have appropriate security levels. Have any temporary staff left and have you revoked their privileges?
Ensure you are getting regular updates from your anti-virus and filtering software vendor. Check for file types or e-mail attachments that are causing bandwidth bottlenecks. Have there been any incidents that require a change of policy, monitoring or security? Review those areas of your business that require special attention to security. Do employees require different types of access to websites or external e-mails so that you need to change your policy or rules?
Online Resources
Return on Investment Calculator. How much is casual surfing costing your company?
www.surfcontrol.com/resources/roi_calculator.aspx
SurfControl – 5 case studies showing what other companies have done and the benefits obtained
www.surfcontrol.com/resources/business/case_studies/
Gartner - Internet Access Policy: Deterring Abuse (10 Apr 98) Resource ID: 297695 Gartner - Internet Appropriate Use Policy Guidelines (16 Nov 98) Resource ID: 298525
www.gartner.com
Guide to e-mail and Internet use in the workplace (March 99)
www.info-law.com/guide.html
Information Week Online - Web Surfers Beware: Someone's Watching (7 Feb 2000)
www.informationweek.com/bizint/biz772/72bzweb.htm
Nielsen//Netratings - At-work Internet users do double-time online as compared to at-home web surfers (22 Feb 2000)
www.nielsen-netratings.com/press_releases/pr_000222_work.htm
BusinessWeek Online – Workers, Surf at Your Own Risk (12 June 2000)
www.businessweek.com/2000/00_24/b3685257.htm
Internet Watch Foundation – established October 1996 by UK Internet Service Providers to combat criminal content on the Internet and to advise Internet users on how best to restrict access to harmful or offensive content on the Internet generally.
www.iwf.org.uk
Information Commission Website
www.dataprotection.gov.uk