Putting a Fair Internet Use Policy in Place

More than half of employees who have Internet access at work say they will shop for holiday gifts from the office, according to a November poll conducted for Shop.org, a division of the National Retail Federation.While online shopping may be more efficient than braving the crowds at lunch hour, employee shopping can compromise both security and productivity, says David Kelleher of GFI Software, which sells remote monitoring and management software primarily to small and medium firms.He spoke recently about this topic with Smart Answers columnist Karen E. Klein. Edited excerpts of their conversation follow. This time of year particularly, lots of employees are conducting personal business online at work. What are the issues raised by this for small business owners?
There are two issues that the employer has to be aware of. The first is security and the second is productivity. These days, everybody's on Facebook and LinkedIn, and they may have MySpace (NWS) accounts as well. So your employees come into work, turn on their computers, and spend the first 10 or 15 minutes looking at news sites, updating their profiles, and checking what their 200 or so friends have been doing the previous evening. Hard-working employees may be doing this on their lunch hours, but some of them are spending as much time as possible online, maybe looking at all the fantastic offers this holiday season. How much work time are employers losing?
If you have eight out of 50 employees spending an hour a day wasting time online and you factor in how much a work hour costs that business, and factor it in over a long period of time, the cost for the employer can be considerable. The other cost comes from providing bandwidth, which is quite expensive particularly for small and medium businesses. The last thing you want is your employee going on YouTube (GOOG) and watching videos, or downloading something from iTunes, slowing down your network. What security risks do employers face from employees' online activity?
There are real security problems and many, many threats, not only from e-mail but also from Web browsing. Your employee could be browsing online, come across a link, click on it, and download a little file. That's how some piece of malware finds it way onto their machine and from there it gets into all the machines on the network. Are small business owners aware of these risks?
Very few. According to a recent GFI survey of small and medium businesses, only 9% said they were concerned about internal threats and only 36% said they monitor employees' browsing activity. Aren't these online scams pretty easy to spot?
Unfortunately people fall for them all the time. Your employee is using the technology and you can't sit down next to them all the time and say, "Don't touch that!" It's impossible. For instance, recently some bad guys created a fake Web site for the new Twilight film, New Moon. When somebody does a search for that movie, various links come up, including one that promised to show the full movie for free online. When users clicked on that link, they were asked to download a viewer to see the video. It turned out that download was a Trojan—self-replicating malware. What can employers do?
Every organization should install basic anti-virus software, not only for their desktop computers but also programs that scan Web traffic. Your employee may be browsing a genuine Web site that has been hijacked and while there they could be downloading an unauthorized program without knowing it. If your Web traffic is being scanned, that unauthorized download would be detected. Second, all your computers should be automatically updated with the latest software patches and security updates. How important is employee education in this area?
Employee awareness is the weakest link. Most companies say, "Do not do this," but they don't explain why. So, the employees say, "I'm going to still do what I want to do." If you explain to employees that they may receive e-mail that looks like it's a genuine message from their bank, and explain what the repercussions of clicking on that link is, then they're far more likely to follow the policy. Some companies don't allow Internet access at work and others don't set a policy at all. Is it difficult to strike the proper balance?
Yes. If you're draconian and you shut off everything, you wind up with disgruntled employees who could get very angry and harm your organization. You want to be fair and allow people to use the Internet to check their e-mail or update their social networks before work or on their breaks. As long as you pay attention to what is going on and help your employees do their work better, that's the balance. What's the best way to inform employees about the policy?
Employers should develop an acceptable-use policy that the employee signs when they join the organization. Let them know in detail what they can do online, and what is a no-go. Inform them that the company has a policy to monitor all Internet activity for security purposes and to make sure that employee's actions don't cause harm to the employees or the organization. But employers should not let it drop after that. Continue to promote ongoing awareness in newsletters and periodic workshops, identifying the most recent security threats and how individuals are being targeted. Do that and your employees will be aware and educated on this subject. Your firm sells online monitoring software that tracks what employees do online. Is there a deterrent factor for employees, just knowing they're being monitored?
Not really. For instance, we have Internet monitoring but it's not something that I think of when I come in and check a Web site. Those doing their jobs and checking a couple of Web sites for five or 10 minutes every now and then are no problem. The people who have reason to fear are those who are wasting an hour or more on cybershopping or downloading games. The software issues usage reports that allow the company to identify slackers and limit their Internet access. What should be done along with limiting or restricting those employees' Internet access?
They have to be told off in a proper manner, so they understand that if they don't toe the line and follow company policy, steps can be taken against them. Using monitoring software is also very, very important in the event that the employee needs to be dismissed for illegal or inappropriate Internet browsing. If your company has told them they can't do this and you have a report showing they've violated the policy, your HR department has a very strong hand if it needs to take legal action or dismiss them.

To continue reading this article you must be a Bloomberg Professional Service Subscriber.