Essential guide to creating an internet policy for your employees

Accessing the internet from a laptop and via a mobile device

Access to the internet is essential for doing business, but if it’s not controlled it can cause issues that could affect your business and expose you to online threats.

A clear and comprehensive internet policy ensures everyone can enjoy the benefits of the internet while reducing the risks. An internet policy sets expectations and establishes boundaries that maximize productivity while minimizing risks.

Internet access rules

Using the internet

Web browsing

Downloads

Online purchasing

Social networking

Implementing your policy

1. Internet access rules

Internet access should be provided to everyone who needs it to perform their job

  • Everyone in an office is likely to need internet access to do their jobs.
  • In other situations - such as in a factory - only certain staff members will need internet access.

You may need to provide training in some areas to help people use the internet appropriately at work

Staff may need training and support to use the internet safely, including:

  • how to use specialist internet software or cloud computing services;
  • what your internet policy says and why it matters;
  • spotting and avoiding security risks;
  • efficient use of the internet.

Make sure employees follow your internet access procedures

  • Protect your business by using a firewall and anti-virus software.
  • Consider restricting the ability of employees to change settings.
  • Decide whether staff can devices to the company network and provide guidance.

2. Using the internet

Encourage staff to only access the websites and online platforms they need to perform their roles

  • Allow employees to access the websites they need for business purposes.
  • Provide staff with company email addresses for business communications.
  • Online tools and apps can help your staff with everything from collaborating to staying focused. Create a list of acceptable online platforms and software.

Control misuse of the internet

You may decide to:

  • limit personal use or restrict the websites employees can visit when web browsing;
  • limit and control downloads;
  • restrict access to sensitive company data;
  • create guidelines covering use of social networks such as Facebook.

Make employees aware that they will be held accountable for their internet use and that it will be regularly reviewed

3. Web browsing

All stuff must know that the internet should primarily be used for business purposes

  • Some companies ban personal use altogether, although this can be hard to enforce.
  • Some companies allow limited personal use as long as it doesn't affect employees' work.
  • Many companies recognise that it is hard to define where business use ends and personal use begins.
  • If employees sometimes catch up on work over the weekend, it may seem unreasonable to ban them from occasionally using the internet for personal reasons while at work.
  • Security and legal restrictions apply to all internet use.

Consider restricting the sites that employees can visit

  • Social networking sites such as Facebook, Twitter and Instagram are unlikely to be essential to work. Some companies ban them altogether.
  • Some websites are unacceptable at all times, including gambling sites, file-sharing sites, pornography, and those sharing offensive material.
  • Bandwidth-hungry sites can slow internet access for everyone else. Consider limiting when staff use resource-hungry sites such as file-sharing sites.

Ensure employees are aware of the main online risks

  • Phishing websites are fake sites set up to capture sensitive data, like credit card details.
  • Cyber-criminals set up websites to steal data or distribute malware, typically promising free software or another attractive offer to lure people in.
  • It can be difficult to tell the difference between genuine and fake websites, so ensure all staff remain vigilant.
  • Provide clear guidance to all staff on reporting suspicious activity, encouraging them to tell someone in authority if they have clicked a suspicious link or accessed a potentially dangerous website.

Cloud computing

Your internet policy must cover cloud computing services.

Data protection, including where data is stored, is an important consideration in cloud computing

  • Cloud services involve uploading and transferring company data over the internet.
  • Your connection needs to be secure and protected.
  • Make sure employees are aware of the risks of transferring sensitive information.

Employees should only use cloud services approved by the company

  • Limit employees' access only to the cloud services they need to perform their roles.
  • Do not allow employees to sign up for cloud services independently.
  • Explain the importance of protecting files and never sharing them or uploading them to personal cloud storage platforms.

4. Downloads

Downloading files from the internet is risky and should be restricted as far as possible. Provide staff with clear guidance on how to spot threats and stay safe online

Online files may contain viruses, spyware or other malware

  • Install virus-checking software and update it regularly.
  • Use security software to block or disable potentially harmful applications.
  • Help employees spot potentially dangerous attachments and encourage them to ask for advice from an IT professional before opening suspicious atttachments.

Ban employees from downloading inappropriate files and from installing software

  • All software should be installed by authorised employees.
  • Make sure employees understand the dangers of downloading from unknown sources, such as websites offering normally-expensive software for free.
  • Ensure your licenses cover professional use.

Make sure employees understand copyright and other intellectual property issues

  • Any information published on the internet will normally be protected by copyright.
  • The use of software downloaded from the internet is covered by copyright laws.
  • Remind employees that unauthorised copying and sharing of images, films, music and written content is a criminal offence.
  • Republishing images or content on social media services (like Twitter or Facebook) can also breach copyright law.

5. Online purchasing

Make all employees aware of the potential contractual liability from online ordering

  • Employees should only enter into contracts on the company's behalf if they have permission to do so.

Allow online purchasing only from approved suppliers

  • Maintain a list of approved suppliers that your employees can use to purchase goods and services.

Allow online purchasing only by authorised employees

  • Control the company's account details for approved online suppliers. For instance, have one company account from Amazon, and ensure only your purchasing manager can access it.
  • Make sure your policy specifies how a staff member can request a purchase when an item is required.

Make sure payments are handled securely

  • Before entering any payment details, make sure the website's address starts with https:// and that the padlock symbol is shown in your web browser (known as an SSL certificate).

6. Social networking

Ensure that staff are particularly careful when communicating on social networking sites

  • The informal nature of social media may encourage employees to make inappropriate defamatory comments which may affect your reputation and, in some cases, cause legal issues.
  • If your business operates social networking accounts, make a particular employee (or group of employees) responsible for these.
  • Employees should not use social networks to comment on your company or competitors or disclose any business information.
  • Clearly define what you consider to be acceptable and unacceptable behaviour.
  • Adopt a 'don't post it unless you're sure' policy. Social media backlashes can be created when a company account posts something controversial without thinking through the potential consequences.

You may want to ban employees from social networks altogether

  • This can be hard to enforce. Even if you block Facebook on company computers, your employees may still access it via their smartphones during working hours.
  • It can make more sense to allow reasonable use. For instance, permit employees to access personal social networking accounts during breaks.
  • Social networks can be very distracting for employees, so ask employees to use discretion and empower managers to enforce limits.

Consider creating a separate social media policy to help staff understand the issues involved in using networking sites

7. Implementing your policy

Consult employees on what should be in your policy

  • Your employees are likely to use the internet frequently outside of work. Some may even be more familiar with the issues than you and have experience you can use to inform your policy.

Make the policy available to everyone

  • Make sure employees sign a copy to confirm they have read it, asking for a signature to prove so.
  • Refer to the policy in your employment contracts.

Consider implementing software to regulate internet use

  • Filtering software can prevent access to some inappropriate sites. However, no filtering software is 100% effective. It can inadvertently block useful sites too.
  • You can use filtering software to block certain sites at specific times. For instance, you can prevent employees accessing Facebook during core working hours.

Consider using monitoring software to track how employees use the internet

  • Monitoring software produces a log of the sites each user visits, and any downloads made. However, monitoring software generally only provides evidence after problems have occurred.
  • There are legal restrictions on how you may monitor employees' use of the internet (and email). If you wish to use monitoring software, you must tell employees you intend to do so in your internet policy and your employment contracts.
  • Your staff will be internet-savvy. If your use of filtering or monitoring software is heavy-handed, they may resent the implication that they are not able to manage their own internet use.

Enforce the policy

  • Make someone in your business responsible for enforcing the policy. Typically, your network administrator will be responsible for routine enforcement. However, a director should take overall responsibility.
  • Apply the policy consistently and fairly to everyone, including management staff and leadership teams.
  • Clarify and justify any exceptions.
  • Make sure you have an appropriate disciplinary procedure in place to deal with breaches of the policy.
  • The policy will only provide legal protection if it is properly implemented and enforced.

Signpost

What does the * mean?

If a link has a * this means it is an affiliate link. To find out more, see our FAQs.