The use of computers in the workplace is almost essential in today’s business. They enable people to accomplish a great deal of work rapidly, communicate easily, and collaborate of projects seamlessly. Computers and the Internet provide immense resources for productivity, creativity, and knowledge. Unfortunately, technology also introduces significant risk to business.
IT resources can allow the exfiltration of valuable and sensitive information out of your organization. Careless employees with access to a computer can visit untrustworthy websites and download potentially dangerous software. Even email and company social media accounts can be used to harass people and make fraudulent claims or promises. Employees with unrestricted Internet access could gain access to child pornography, or even conduct illegal transactions for controlled substances using company computers.
These sorts of activities occur every day in workplaces around the world. In some cases, the employers might be held liable. It is generally held that employers are responsible for the actions of their employees in the course of their employment, even if they deviate slightly from their expected responsibilities and duties. Because of this, it is important for organizations to take actions to reduce risk and limit their liability for the unauthorized actions of their employees.
Acceptable use
An acceptable use policy is essentially a statement as to what constitutes authorized usage of IT resources. It should address what employees are and are not allowed to do on their computers, both locally and while using network resources such as file storage and the Internet. An acceptable use policy should attempt to address actions that are explicitly not authorized as well as the related ramifications for an employee who engages in those unauthorized actions.
This serves as an agreement between the organization and the employee. It is one where by using the company’s computer resources, the employee consents to the policy and agrees to abide by it. On the other hand, the company agrees to stand behind their employees who conduct themselves in accordance with this policy.
Limiting liability
By defining how employees are and are not authorized to use IT resources, companies can establish clear boundaries around what constitutes actions that fall within the scope their employees’ duties. In explicitly stating that certain actions are not authorized, an organization makes individuals personally liable for those actions and limits its own potential for liability.
Improved network security
Acceptable use policies also have the benefit of reducing the frequency of malware incidents. By establishing clear limitations on what types of websites employees are and are not allowed to visit, and by communicating the consequences of violating these limitations, organizations will likely find that fewer employees are visiting untrustworthy websites and therefore are introducing fewer malicious applications to their systems.
An acceptable use policy will likely only result in a minor reduction of incidents, when used alone. But if it is paired with a web proxy that has been configured to enforce the standards established in the acceptable use policy, violations can be reduced to only those users who are specifically intent on side-stepping policy and occasional accidents where the proxy failed to properly identify a malicious site.
Improved productivity
Many organizations will agree that by allowing their employees to use IT resources for personal purposes increases morale. But it is no secret that people in the workplace with access to a computer will find ways to use it that will make them wholly unproductive in their jobs. Activities such as online shopping, reading the news, and checking social media accounts can easily eat up several hours of an employee’s work day.
Acceptable use policies can be used to establish guidelines and limitations for how and when employees are allowed to utilize company IT resources for personal purposes. By limiting personal usage of the Internet and other IT resources to break times, the company can minimize distractions and help keep employees focused on their work.
Employee monitoring
The First and Fourth Amendments to the U.S. Constitution provide certain protections to private citizens for freedom of speech and against monitoring. In the workplace, employees of private companies do not generally maintain these rights. An employer can monitor just about anything their employees do while on the job, as long as the employer respects state and local laws on the matter. This includes Internet activities, social media, and email communications if the activities involve use of company IT resources. It is worth noting that organizations should avoid targeting individual employees, but rather stick to broadly monitoring network traffic.
Acceptable use policies are a mechanism that can be used by an organization to specify what monitoring activities the organization engages in and provide the employee the opportunity to consent to that monitoring. Companies can monitor the flow of information through their networks to detect malicious traffic and enforce adherence to policy. Automated tools are available to scan emails for explicitly restricted information being transmitted out of the organization, such as social security numbers and other personally identifiable information. Even firewall and proxy logs can identify activities that violate acceptable use policy guidelines such as visits to unauthorized websites and using unauthorized software.