More transparency and greater respect for employees would improve the way people view the world...
The internet is essential for doing business. However, it can also be a great way for employees to waste time, cause security issues, or give you legal headaches.
A well-thought-out internet policy helps you enjoy the benefits of the internet while reducing the pitfalls. It ensures employees use the internet effectively, states what is and is not allowed, and sets up procedures to minimise risks.
1. Access rules
You may provide internet access to some or all of your employees
- In an office environment, it is likely all staff members will need internet access to do their jobs.
- In other situations - such as in a factory - only certain staff members will need internet access.
You may need to provide training in some areas
- how to use specialist internet software or cloud computing services;
- what your internet policy says and why it matters;
- spotting and avoiding security risks;
- efficient use of the internet.
Make sure employees follow your access procedures
- Protect your business by using a firewall and security software.
- Consider restricting the ability of employees to change settings.
- Set rules about whether staff may connect their own devices to the company network.
2. Using the internet
Encourage the use of appropriate online services
- Allow employees to access websites for business purposes.
- Provide staff with company email addresses for business communications.
- Online tools and apps can help your staff with everything from collaborating to staying focused. Create a list of recommended services.
Control misuse of the internet
You may decide to:
- limit personal use or restrict the websites employees can visit when web browsing;
- control downloads;
- restrict access to sensitive company data;
- create guidelines covering use of social networks like Facebook.
Make employees aware that they will be held accountable for their internet use
3. Web browsing
Make it clear that the web should be mainly used for business purposes
- Some companies ban personal use altogether.
- Some companies allow limited personal use, as long as it does not affect employees' work.
- Many companies recognise that it is hard to define where business use ends and personal use begins.
- If employees sometimes catch up on work over the weekend, it may seem unreasonable to ban them from occasionally using the internet for personal reasons while at work.
- Security and legal issues apply to all internet use.
Consider restricting the sites that employees can visit
- Social networking sites are a common timewaster. Some companies ban them altogether.
- Some websites can be offensive and legally problematic (for example, pornographic or racist sites).
- Bandwidth-hungry sites can slow internet access for everyone else. For instance, file-sharing services.
Ensure employees are aware of the main risks of the web
- Phishing websites are fake sites set up to capture sensitive data, like credit card details.
- Cyber-criminals set up websites to steal data or distribute malware, typically promising free software or another attractive offer to lure people in.
It's a good idea for your internet policy to cover cloud computing services, because use of these services has grown rapidly.
Data protection can be an issue with cloud computing
- Cloud services often require you to upload or transfer company data over the internet.
- Make sure employees are aware of the risks of transferring sensitive information.
Employees should only use cloud services approved by the company
- If your business has decided to take advantage of cloud computing, make sure relevant employees have access to the cloud services you use.
- Do not allow employees to sign up for cloud services independently.
Make it easy for staff to suggest useful cloud computing services
- Employees who are good with computers may identify cloud services they believe could help your business.
- Make sure you have a clear process for evaluating such services. If you do not, employees may sign up and start using them without your knowledge.
Downloading files from the internet involves risks which your policy should aim to minimise.
Downloaded files may contain viruses, spyware or other malware
- Install virus-checking software and update it regularly.
- Use security software to block or disable potentially harmful applications.
Ban employees from downloading inappropriate files and from installing software
- All software should be installed by an authorised employee.
- Make sure employees understand the dangers of downloading from unknown sources, such as websites offering normally-expensive software for free.
Make sure employees understand copyright and other intellectual property issues
- Any information published on the internet will normally be protected by copyright.
- The use of software downloaded from the internet is covered by copyright laws.
- Remind employees that unauthorised copying is a criminal offence.
- Republishing images or content on social media services (like Twitter or Facebook) can also breach copyright law.
5. Online purchasing
Make all employees aware of the potential contractual liability from online ordering
- Employees should only enter into contracts on the company's behalf if they have permission to do so.
Allow online purchasing only from approved suppliers
- It is a good idea to maintain a list of approved suppliers from which your business purchases.
Allow online purchasing only by authorised employees
- Control the company's account details for approved online suppliers. For instance, have one company account from Amazon, and ensure only your purchasing manager can access it.
- Make sure your policy specifies how a staff member can request a purchase when an item is required.
Make sure payments are handled securely
- Before entering any payment details, make sure the website's address starts with https:// and that the padlock symbol is shown in your web browser.
6. Social networking
Take particular care with social networking sites and similar services
- Their informal nature may encourage employees to make defamatory comments for which you may be liable.
- If your business operates social networking accounts, make a particular employee (or group of employees) responsible for these.
- Employees should not use social networks to comment on your company or competitors or disclose any business information.
- Clearly define what you consider to be acceptable and unacceptable behaviour.
- Adopt a 'don't post it unless you're sure' policy. Social media backlashes can be created when a company account posts something controversial without thinking through the potential consequences.
You may want to ban employees from social networks altogether
- This can be hard to enforce. Even if you block Facebook on company computers, your employees may still access it via their smartphones during working hours.
- It can make more sense to allow reasonable use. For instance, permit employees to access personal social networking accounts during breaks.
- Keep in mind that social networks can be very distracting for employees.
Consider creating a separate social media policy to help staff understand the issues
7. Your own website
Use your policy to help make sure your own website runs smoothly.
Nominate an individual to be responsible for your website
- Set out how other employees and any contractors will be involved.
Put appropriate technical standards and controls in place
- control how the site is updated;
- only allow authorised employees to update the site.
Do not infringe other people's intellectual property rights
Make sure all employees understand their responsibility for the website
- Let employees know if they are responsible for keeping any material up to date.
- Make this a performance review issue.
- Encourage all staff to be aware what information is carried on the site and what services are offered.
8. Implementing your policy
Consult employees on what should be in your policy
- Your employees are likely to use the internet frequently outside of work. Some may even be more familiar with the issues than you are.
Make the policy available to everyone
- Make sure employees sign a copy to confirm they have read it.
- Refer to the policy in your employment contracts.
Consider implementing software to regulate internet use
- Filtering software can prevent access to some inappropriate sites. However, no filtering software is 100% effective. It can inadvertently block useful sites too.
- You can use filtering software to block certain sites at specific times. For instance, you can prevent employees accessing Facebook during normal working hours.
Consider using monitoring software to track how employees use the internet
- Monitoring software produces a log of the sites each user visits, and any downloads made. However, monitoring software generally only provides evidence after problems have occurred.
- There are legal restrictions on how you may monitor employees' use of the internet (and email). If you wish to use monitoring software, you must tell employees you intend to do so in your internet policy and your employment contracts.
- Keep in mind that many of your staff will be internet-savvy. If your use of filtering or monitoring software is heavy-handed, they may resent the implication that they are not able to manage their own internet use.
Enforce the policy
- Make someone in your business responsible for enforcing the policy. Typically, your network administrator will be responsible for routine enforcement. However, a director should take overall responsibility.
- Apply the policy consistently and fairly to everyone, including management staff and leadership teams.
- Clarify and justify any exceptions.
- Make sure you have an appropriate disciplinary procedure in place to deal with breaches of the policy.
- The policy will only provide legal protection if it is properly implemented and enforced.
- Read guidance on staff policies or download a sample acceptable usage policy from Get Safe Online.
- Read social media guidance from Acas.