Email and the Internet have revolutionised the workplace and are now integral parts of the typical worker’s daily routine. However, with the explosion of technology there has come a raft of new employee-related problems. These range from time wasted by employees surfing the internet during work hours; misuse of company property by circulating inappropriate emails; harm to the brand as staff post on social networking sites.
Reports estimate that the cost to businesses of IT misuse is in the billions, from the cost in lost productivity to fines from the Information Commissioner for breach of Data Protection through theft of sensitive personal data or carelessness in failing to encrypt or losing data.
There is a great deal that businesses can do internally to meet these challenges. We set out our top tips for beating Internet misuse by employees.
1. Implement an IT policy
The first step is to implement a comprehensive IT inappropriate use policy. This should cover email and internet usage, for example, whether staff can send personal emails from work, the use of social networking sites during work hours and setting out what is inappropriate content of emails and websites.
The policy should be concise, easy to understand and consistent with other policies.
2. Train employees
Training employees is key to successfully implementing a policy and protecting the business. Many employees are (surprisingly) unaware that forwarding on a “harmless” joke via email can have serious legal repercussions for both themselves and the company.
Training employees will raise awareness of the policy and in the use of IT; for example, all employees should know and understand why it is important to keep access to the system secure and what they can do, such as choosing suitable passwords.
Automate security procedures as much as possible. It’s better to have an automatic password change requirement rather than relying on users to remember. Automatic password resets can also help increase security by preventing users from giving their passwords to third parties.
Consider monitoring employee’s emails and Internet usage for compliance with the policy. Periodic monitoring can help reduce fraud and inappropriate usage. However, be aware that employee’s must be aware of what monitoring will take place. This can be done by setting out the monitoring practices in the IT. For privacy reasons, it is preferable if monitoring is automated so far as possible by the use of security technology, as that is less intrusive.
5. Limit access to sensitive information
Be aware of who has access to sensitive information such as personal data. Is this access necessary for their role? A disgruntled employee revealing sensitive information on a website can cause huge reputational and commercial damage. It is important to consider taking legal advice as to how to collect evidence, how to protect third parties such as your customers or suppliers and whether there is a duty to report the leak to the Information Commissioner.
Whenever personal data leaves the company, whether in physical form such as on a lap-top or memory-stick or over email, it should be adequately secure. In most cases this will mean encryption or password protection.
Breaches of the Data Protection Act can lead to fines up to £500,000. One of the main considerations of the Information Commissioner when considering bringing a fine is how secure the information was. ACS:Law has been in the news recently, as it was the victim of a cyber-attack, which lead to the personal details of thousands of internet users alleged to have illegally downloaded material, including pornography, to be leaked online. The Information Commission is questioning how secure the information was and how it was so easily accessed.
7. Lead by Example
IT codes of conduct should apply to everyone equally. Managers and directors should lead by example and not misuse the IT system. In February 2001, a female computer consultant in the UK succeeded in bringing a claim for sexual discrimination and unfair dismissal against her boss and employer, who were IT consultants. She relied heavily on evidence that her boss had regularly forwarded her and others pornographic photos using the company email network.
A policy will not be effective unless employees see that it has teeth. Ensure that breaches of the IT policy lead to disciplinary action. Disciplinary action should be appropriate and proportionate. Ensure that the disciplinary steps outlined in the policy are in keeping with the policy in the employment handbook.
Cybercrime is a fast-growing problem, from pranksters spreading harmful viruses through to professional criminals stealing data for profit. The company must ensure that the system is protected by using appropriate anti-virus software, controlling downloads and setting appropriate levels of security for members of staff, depending upon how much sensitive company information they handle.
Once a policy is established it is critical to conduct periodic audits (e.g. annually) to ensure that the policy accurately reflects the current business practice and procedures. The company should review its policy to ensure it is following its own procedures, address problems and ensure that employees have proper notice of monitoring.
Although the set-up of these procedures may seem onerous, the protection they provide and money they can save certainly make them worthwhile.
For more information or for advice on drafting and implementing an IT policy for your business please contact the Ebiz team.