Internet security policies for businesses

Tuesday 3 January, 2012

By Duncan Heaney - duncan@consumerchoices.co.uk

We take a look at internet and email usage policies and explain why it’s crucial that employees follow your rules online.

The internet’s great isn’t it? It’s certainly revolutionised the business world - all that information, and all those communication tools, right at your fingertips allow even the smallest business to compete in a global marketplace.

Of course, all that information is at your employees’ fingertips too, and that can be a problem. With the internet comes all manner of security threats, from computer viruses, to the risk of sensitive information being leaked. And then there are the distractions - the likes of Facebook, YouTube and the endless adorable animal photos. With all the irreverent content out there, it’s amazing people do any work.

But what can you do? You can’t look over your employees’ shoulders all day while they work. Well, you could, but that would be more distracting than anything the web has to offer. Instead, you need to set rules around internet and email use, and make sure your employees understand them, and the consequences of not following them. You need to create and distribute official policies.

In this guide, we’ll take a look at internet and email usage policies, and some of the areas we think they should cover.

Defining your internet policy

All businesses, big or small, should develop an official internet policy to help employees understand online security issues and the kind of browsing behaviour that’s acceptable. These policies are often referred to as fair or acceptable use policies (AUPs), and there are a few things you should consider when deciding what to include:

Personal time - It’s a good idea to give your staff some time to use the net for their own individual reasons, such as checking personal email. It helps keep them motivated and, to be honest, most will use it for their own purposes regardless of what you write in your policy. As the employer, you can decide when it’s acceptable for people to use the internet as they want, but you should lay out clear guidelines to prevent ambiguities and rule bending. The lunch hour or before/after the working day are two obvious examples.

Appropriate material - There are some things online you probably don’t want employees looking at. Obviously, sites that contain obscene, hateful, pornographic or illegal content should be banned faster than an all-nude edition of the Weakest Link.

You’re within your rights to also block other sites if you feel they’re disruptive in some way too. Many small businesses block social media, for example. Facebook is the most-blocked site in the world - presumably companies would rather employees were working than chatting to their mates or tending to virtual crops - with video-sharing site YouTube a close second.

Software - It’s rarely a good idea to let employees download and install software willy-nilly. Programs downloaded from the web could contain viruses or be incompatible with the software you already use. If you want to let employees download things like Apple iTunes you can, but it’s best to make sure you - or the person on charge of the computers in your company - remain in control at all times.

Confidential information - Sensitive data should be treated with reverence, and kept completely secure. Employees need to know that sharing confidential information could result in them being disciplined - or even losing their job - before they can say “whoops, I shouldn’t have done that”.

Piracy - Your policy should make it clear that using the IT system to download or share copyrighted files - music tracks, for example - is not permitted. You should also make it clear that the consequences of illegal file sharing could be far more severe than a gentle slap on the wrist.

Monitoring - If you want to maintain tight control over your IT systems, you can monitor employees’ internet and email usage. If you do this, then your official policy should unambiguously state your cyber-stalking intentions, and also detail how you plan to go about it. The only time you’d be legally in a position to secretly monitor an employee’s email and internet use is when you suspect that they’re up to something criminal - not just violating company policy.

Defining your email policy

Email has become a primary communication channel between most businesses and their customers. The emails that you send will directly influence how people perceive your business, so it’s important to define how the tool should be used.

An email policy helps keep messages consistent and ensure employees are educated about the correct ways to use it. Here are some of the key areas your email policy should take into account:

Email style - It’s up to you what tone you want your emails to have. Some businesses like to maintain a tight, professional voice, while others find a more informal approach to be appropriate. Regardless of your choice, always remember that your emails reflect your company. As such, your email policy should lay out some best practice techniques to ensure all external messages are clearly written, respectful and free from spelling and grammatical errors.

Response times - There’s nothing more irritating than having your email ignored (well, maybe Jeremy Clarkson), so it’s helpful to define an acceptable timeframe in which emails should be answered - for example, within 24 hours of receipt. This is particularly important if you work in a service industry that demands high-quality customer service.

Inappropriate content - Your email policy should state outright that the email system is not to be used to either create or view discriminatory, obscene or other offensive types of content. Inappropriate material could also include discussion of competitors, employees, and other individuals. If an employee is offended by the contents of a colleague’s email, your policy should spell out a procedure for dealing with the matter - who that employee should talk to and what can be done.

Personal email - Some businesses allow employees to use a work email account for personal business, others do not. If you accept personal email use, it’s useful to remind employees not to open unrecognised attachments, or view offensive content on office computers.

Monitoring - As with your internet policy, any monitoring of employee activity must be disclosed. Employees should be aware that any email they write or receive could be viewed at any time by the people in charge.

Conclusion

Hopefully this guide’s given you some ideas as to what to cover when you’re putting together your internet and email use policies. If possible, it’s a good idea to work with an HR expert or employment lawyer, to ensure you get the wording and format exactly right. In addition, there is lots of useful information, including sample policies, on the government’s Business Link website.

It’s also important to remember that technology moves faster than a greased cheetah these days, so policies need to be reviewed at least annually to ensure they’re still fit for purpose.