The Internet is an essential tool for most businesses. However, allowing your employees unrestricted access to it poses a number of security and business risks.
It takes only one employee to mistakenly download and install software infected by a virus for your entire network to be affected by it. Additionally, it could be your business that is liable if an employee accidentally or deliberately accesses illegal content. Excessive personal use by employees (such as checking personal social media accounts) could reduce productivity.
More serious risks include:
obtaining and redistributing copyrighted material such as music or films
transmitting valuable or sensitive business information without encryption
distributing or relaying offensive or abusive material via email
generating junk email, or spam, via mass mailings
accessing or downloading pornography or other offensive material
libelling or defaming colleagues, or even external business contacts, via email
using the Internet to commit fraud or other illegal acts
Policies set expectations in advance about employee behaviour. They also provide a standard against which you can gain recourse - if you don't tell employees that they cannot download films at work, your options are limited if they do.
An Internet and communications policy written in plain language goes a long way when defending legal action. It can also help:
ensure that communications resources are managed efficiently and productively
protect the business from potentially damaging material being sent or received via the Internet or email
Internet usage policy
You should decide whether to allow your staff to access the Internet from work in their own time for personal use.
Many businesses allow access as a goodwill gesture to improve employee relations, and because completely restricting access is difficult.
However, if you do grant permission, you should think about an Internet acceptable use policy (IAUP). The IAUP should set out the terms and conditions for staff accessing the Internet from their workplace. It should contain:
a definition of personal use (anything not directly related to work)
guidance on how much access time is acceptable and when access is allowed
a warning to abide by any copyright and licensing restrictions on Internet-sourced material
instructions on what to do before downloading material
warnings on the danger of importing viruses through downloaded files and programs
what personal use is not permitted
any sanctions or disciplinary actions that may be taken if employees do not follow the policy guidelines
Unless you explicitly state what is not acceptable, you will risk an unfair dismissal claim if you dismiss staff who access unsuitable material. Further, remind staff that access to the Internet is a privilege and not a right.
You must tell staff that their access may be monitored if you intend to do so.
Email usage policy
Email should be treated as a professional method of correspondence, and not for personal use.
Provide your staff with guidance in the form of an email acceptable use policy (EAUP), which should outline:
what shouldn't be circulated on the company email system, including any offensive, indecent or obscene material, or anything likely to cause offence on grounds of sex, sexual orientation, race, disability, age, religion or belief
what can be construed as inappropriate, discriminatory or libellous content
rules for sending confidential business information via email - e.g. using encryption software to prevent unauthorised people accessing it
what you consider to be appropriate email etiquette, such as terms of address and sign-off, and the need to be formal and businesslike in all communications
how attachments should be handled
how much personal email use is acceptable
how the laws governing data protection, e-commerce and email marketing affect your business
guidance on saving, filing and photocopying emails for company records
Employees should also be informed that emails they send can be recovered even after deletion. You should also let them know what email monitoring may be carried out.
Developing personal Internet and email usage policies
You need to decide how much your staff will be allowed to use your network resources to access the Internet or use email. Totally forbidding personal Internet access and email can reduce goodwill, and damage your organisation as much as allowing staff to have a totally free rein. The ideal solution is a middle ground, where both the employee and the employer benefit.
The best way of developing your own Internet acceptable usage policy and email acceptable usage policy is to build a consensus based on sensible and reasonable compromises. Start by asking your staff and find out what they want. Discussing your IAUP and EAUP with your staff may encourage their co-operation, and minimise resentment of monitoring or usage restriction.
Dealing with Internet and email policy breaches
Humans have a tendency to bend rules and regulations. Deal with such matters promptly to maintain good employee relations. Consider what is inappropriate in the context of your policies. Is spending two minutes checking the weather on a Friday afternoon worthy of disciplinary action? Perhaps not, but if the employee spends half an hour checking the weather and the news outside of a break time, consider taking action.
Ensure your policy includes warnings informing employees that:
access to Internet and email facilities may be withdrawn at any time as a result of, or pending the outcome of, investigations into suspected misuse
any rules you have about conduct and behaviour apply equally when using Internet or email facilities
users might be personally liable to prosecution, and open to claims for damages, if their actions are found to be in breach of the law. If a user is accused of harassment, claiming they did not intend to harass or cause offence will not constitute an acceptable defence
employees using the business' IT systems to store or pass on pornography, or any other material that could cause offence or injury, will face serious disciplinary action and possible dismissal - whether or not they are prosecuted or convicted
Internet and email policies should state clearly what sort of penalties or sanctions any breaches of the rules will attract, so that employees fully understand the consequences of their actions.