The internet is essential for doing business. However, it can also be a great way for employees to waste time, cause security issues or give you legal headaches.
A well thought-out internet policy can help you enjoy the benefits of the internet while reducing the pitfalls. It ensures employees use the internet effectively, states what is and is not allowed, and sets up procedures to minimise risks.
This briefing outlines:
- The main elements to include in your internet policy.
- How to implement and enforce this policy.
1 Access rules
1.1 Depending on the nature of your business, you may provide internet access to some or all of your employees.
- In an office environment, it is likely all staff members will need internet access to do their jobs.
- In other situations - such as in a factory - only certain staff members will need internet access.
1.2 Although most of your employees will find using the internet straightforward, you may need to provide training in some areas. For instance:
- How to use specialist software or cloud computing services.
- What your internet policy says and why it matters.
- Spotting and avoiding security risks.
- Efficient use of the internet.
1.3 Make sure employees follow your access procedures.
- Protect your business by using a firewall and security software.
- Consider restricting the ability of employees to change settings.
- Set rules about whether staff may connect their own devices to the company network.
2 Using the internet
2.1 Encourage the use of appropriate online services.
- Allow employees to access websites for business purposes.
- Provide staff with company email addresses for business communications.
- Online tools and apps can help your staff with everything from collaborating to staying focused. Create a list of recommended services.
2.2 Control misuse of the internet. You may decide to:
- Limit personal use (see 3.1).
- Restrict the websites employees can visit (see 3.2).
- Control downloads (see 4).
- Restrict access to sensitive company data.
- Create guidelines covering the use of social networks like Facebook (see 6).
2.3 Ensure employees are aware that they will be held accountable for their use of internet and email systems.
3 Web browsing
3.1 Make it clear that the web should be mainly used for business purposes.
- Some companies ban personal use altogether.
- Some companies allow limited personal use, as long as it does not affect employees’ work.
As the internet has become part of our daily lives, many companies recognise it’s hard to define where business use ends and personal use begins. For example, if your employees sometimes catch up on work over the weekend, it may seem unreasonable to ban them from occasionally using the internet for personal reasons while at work.
However, security and legal issues apply to all internet use.
3.2 Consider restricting the sites that employees can visit.
- Social networking sites are a common time-waster. Some companies ban their use altogether.
- Some websites can be offensive and legally problematic (for example, pornographic or racist sites).
- Bandwidth-hungry sites, such as file-sharing services, can slow internet access for everyone else.
3.3 Ensure employees are aware of the main risks of the web.
- Phishing websites are fake sites set up to capture sensitive data, like credit card details.
- Cyber-criminals set up ‘honeypot’ websites to steal data or distribute malware, typically promising free software or another attractive offer to lure people in.
Downloading files from the internet involves risks which your policy should aim to minimise.
4.1 Downloaded files may contain viruses, spyware or other malware.
- Install virus-checking software and update it regularly.
- Use security software to block or disable potentially harmful applications.
4.2 Ban employees from downloading inappropriate files, and from installing software.
- All software should be installed by an authorised employee.
- Make sure employees understand the dangers of downloading from unknown sources. For instance, websites offering normally-expensive software for free are likely to be dodgy.
4.3 Make sure employees understand copyright and other intellectual property issues.
- Any information published on the internet will normally be protected by copyright.
- The use of software downloaded from the internet is covered by copyright laws.
- Remind employees that unauthorised copying is a criminal offence.
- Republishing images or content on social media services (like Twitter or Facebook) can also breach copyright law.
It’s a good idea for your internet policy to cover cloud computing services, because use of these services has grown rapidly.
Data protection can be an issue with cloud computing.
- Cloud services often require you to upload or transfer company data over the internet.
- Make sure employees are aware of the risks of transferring sensitive information.
Employees should only use cloud services approved by the company.
- If your business has decided to take advantage of cloud computing, make sure relevant employees have access to the cloud services you use.
- Do not allow employees to sign up for cloud services independently.
Make it easy for staff to suggest useful cloud computing services.
- Employees who are good with computers may identify cloud services they believe could help your business.
- Make sure you have a clear process for evaluating such services. If you do not, employees may sign up and start using them without your knowledge.
5 Online purchasing
5.1 Make all employees aware of the potential contractual liability arising from online ordering and purchasing.
- Employees should only enter into contracts on the company’s behalf if they have permission to do so.
5.2 Only allow online purchasing from approved suppliers.
- It is a good idea to maintain a list of approved suppliers from which your business purchases.
5.3 Allow online purchasing only by authorised employees.
- Control the company’s account details for approved online suppliers. For instance, have one company account from Amazon, and ensure only your purchasing manager can access it.
- Make sure your policy specifies how a staff member can request a purchase when an item is required.
5.4 Make sure payments are handled securely.
- Before entering any payment details, make sure the website’s address starts with https:// and that the padlock symbol is shown in your web browser.
6 Social networking
6.1 Take particular care with social networking sites and similar services.
Their informal nature may encourage employees to make defamatory comments for which you may be liable.
- If your business operates social networking accounts, make a particular employee (or group of employees) responsible for these.
- Employees should not use social networks to comment on your company or competitors or disclose any business information.
- Clearly define what you consider to be acceptable and unacceptable behaviour.
- Adopt a ‘don’t post it unless you’re sure’ policy. Social media backlashes can be created when a company account posts something controversial without thinking through the potential consequences.
6.2 You may want to ban employees from social networks altogether.
- This can be hard to enforce. Even if you block Facebook on company computers, your employees may still access it via their smart phones during working hours.
- It can make more sense to allow reasonable use. For instance, permit employees to access personal social networking accounts during breaks.
- Keep in mind that social networks can be very distracting for employees.
7 Your own website
Use your policy to help make sure your own website runs smoothly.
7.1 Nominate an individual to be responsible for your website.
- Set out how other employees and any contractors will be involved.
7.2 Put appropriate technical standards and controls in place. For example:
- Control how the site is updated.
- Only allow authorised employees to update the site.
7.3 Do not infringe other people’s intellectual property rights.
7.4 Make sure all employees understand their responsibility for the website.
8 Implementing your policy
8.1 Your employees are likely to use the internet frequently outside of work, so it’s more important than ever to consult them on what should be in your policy. Some may even be more familiar with the issues than you are.
8.2 Make the policy available to everyone.
- Make sure employees sign a copy to confirm they have read it.
- Refer to the policy in your employment contracts.
8.3 Consider implementing software to regulate internet use without obstructing legitimate access.
- Filtering software can prevent access to some inappropriate sites.
- However, no filtering software is 100% effective. It can inadvertently block useful sites too.
- You can use filtering software to block certain sites at specific times. For instance, you can prevent employees accessing Facebook during normal working hours.
Ask IT experts what automated solutions could work for you.
8.4 Consider using monitoring software to track how employees use the internet.
- Monitoring software produces a log of the sites each user visits, and any downloads made.
- However, monitoring software generally only provides evidence after problems have occurred.
There are legal restrictions on how you may monitor employees’ use of the internet (and email). If you wish to use monitoring software, you must tell employees you intend to do so in your internet policy and your employment contracts.
Also, keep in mind that many of your staff will be internet-savvy. If your use of filtering or monitoring software is heavy-handed, they may resent the implication that they are not able to manage their own internet use.
8.5 Enforce the policy.
- Make someone in your business responsible for enforcing the policy.
- Apply the policy consistently and fairly to everyone, including management staff and leadership teams.
- Clarify and justify any exceptions.
- Make sure you have an appropriate disciplinary procedure in place to deal with breaches of the policy.
Typically, your network administrator will be responsible for routine enforcement. However, a director should take overall responsibility.
The policy will only provide legal protection if it is properly implemented and enforced.