The importance of an Acceptable Use Policy

The importance of an Acceptable Use Policy

Misuse of the Internet, email and computers in the workplace represents a serious and growing challenge to every Australian business, regardless of size. In addition to potential illegal activity, disclosure of company secrets and introduction of malware, misuse of these systems has a real dollar cost in terms of lost productivity.

To date, the most successful means of combating this has been through monitoring, by a variety of means such as the use of the web monitoring tools on WatchGuard firewalls.

According to a survey by International Data Corp (IDC), 30 to 40% of Internet access is spent on non-work related browsing, and 60% of all online purchases are made during working hours. The data IDC uncovered includes:

  • 70% of all web traffic to Internet pornography sites occurs during the work hours of 9am-5pm.
  • 58% of industrial espionage is perpetrated by current or former employees.
  • 80% of computer crime is committed by "insiders". They manage to steal $100 million by some estimates;
  • $1 billion by others.
  • 48% of large companies blame their worst security breaches on employees.
  • 64% of employees say they use the Internet for personal interest during working hours.
  • 37% of workers say they surf the web constantly at work.
  • 25% of corporate Internet traffic is considered to be "unrelated to work"
  • 30-40% of lost productivity is accounted for by cyber-slacking.
  • 32.6% of workers surf the net with no specific objective; men are twice as likely as women.

The first step towards reducing the misuse of your internet connection by employee’s is to clearly outline what unacceptable activities are.

This comes in the form of an Acceptable Use Policy (AUP).  An AUP serves as guidance for staff and volunteers on the behavior and use of technology that is approved by the organization. The policy should also detail the consequences that company personnel can expect to face for the abuse of this technology.

One of the most important parts of an Acceptable Use Policy is that employers gain prior consent from employees, this means informing employees that they have no right to an expectation of privacy with respect to their use of business computers, email systems and Internet connections.   The best way to do this is to ensure that the policy is distributed to all staff and requiring them signing and acknowledging their understanding of it.

In addition to providing employees throughout the organization with clear definition of the organization's expectations, a properly executed AUP can in some cases serve as a liability shield for the business in the event of misbehavior by an employee.

What should be in an Acceptable Use Policy?

The key goal of an AUP is to eliminate any employee expectations that these means of communication or use of computers, email and the Internet at work are confidential. The policy must be non-discriminatory and it should prohibit all forms of non-business related communications. The policy informs employees that the employer may access, search and monitor voice mail, email or company files of any employee that are created, stored or deleted from company computer systems. The policy must be uniformly enforced through employee education, ongoing monitoring and appropriate discipline. Obtaining prior consent will generally protect employers from liability.

 Ideally an AUP should do the following:

  • Define what systems are covered by the policy, e.g., voice mail, email, Internet, and computer systems and files.
  • Specify that an employer's computer systems are for business purposes only, and all files and messages
  • are company property.
  • If the company chooses to allow some personal use, the policy should caveat this by forbidding personal use that interferes with an employee's work or that of others (e.g., prohibiting non-work related websites
  • such as chat rooms, games, travel, shopping, stock trading, hate/discrimination, pornography, etc.).
  • Specifically ban transmitting or downloading of material that is discriminatory, defamatory, harassing, insulting, offensive, pornographic or obscene.
  • Prohibit copying and sending any confidential or proprietary information, or software that is protected by copyright and other laws protecting intellectual property.
  • Prohibit unauthorised access by employees of other employees' electronic communications.
  • Warn employees that any misuse will be subject to discipline, up to and including termination.
  • Advise and emphasise employees that they have no right to expect that their communications or use of employer's computer information systems is either confidential or private.

In addition to the above, new Australian Privacy laws involving Notifiable Data Breaches come into effect on 22 February 2018. Part of these new laws mean that business must undertake reasonable steps to protect the information held by them from misuse, interference and loss, as well as unauthorised access, modification or disclosure.   Making an Acceptable Use Policy even more important.

If your business does not currently have an Acceptable Use Policy, or your current policy is inadequate then get in touch with FortiTech today, we have developed a standardised Acceptable Use Policy for use in Australian businesses.