Nearly all organizations now rely upon information technology to do business. Most office-based employees have access to a computer, and many have a laptop or PC that is intended for business use but is also used for their own personal purposes. Both email and the Internet provide employees with essential tools that enable them to do their jobs. However, technology is also open to abuse.
For many years employers have issued guidelines to their staff relating to the acceptable use of telephones at work. Most companies usually adopt a pragmatic approach and permit reasonable personal use of their telephones, excluding, for example, lengthy or international calls. Others have been more draconian and issued a clear edict that no personal use is permitted whatsoever. With the increased importance and use of email and Web at the workplace, these guidelines are frequently extended to include all areas of information technology, eventually becoming what is commonly called an acceptable use policy (AUP).
AUPs have become far more important than simply ensuring a user isn’t spending their whole working day surfing the Web, exchanging jokes and pictures or chatting with their friends or family. The reliance upon IT and the nature of the data that passes through it is often fundamental to the successful and smooth running of a business or organization. Any compromise or failure of the system has the potential to be catastrophic and can result in anything ranging from the merely irritating or mildly embarrassing to criminal prosecution and a prison sentence for corporate officers.
An effective AUP, especially when used as the basis for an IT security training program for all members of staff, can help ensure productivity while increasing security. As such, a good AUP can be viewed by employers and employees as a positive (rather than restrictive) measure, by providing a guideline that enables the use of technology for everyone without the risks.
The content of an AUP will undoubtedly vary between organizations. Regardless of content, however, M86 Security contends that to be really successful an acceptable use policy must meet the following criteria.
Many organizations have some sort of AUP written into the terms and conditions of their employment contracts or an associated document. Unfortunately, these tend to be static, non-specific and almost invisible to the end-users, with fewer than half (45 percent) of organizations updating or changing their AUP over the last twelve months.
The Internet has changed dramatically over the last five years and will continue to do so. To be effective, an organization must be willing to review its AUP in order to adapt and address emerging threats, new regulations and changes in use of email and the Internet. A good example of this is YouTube.
For several years, YouTube was considered to be a waste of time as far as businesses were concerned. They didn’t want employees to watch funny clips or music videos all day long. Increasingly, however, many organizations have started to see the benefits of sites like YouTube. Some now use these sites for training purposes as well as for sales and marketing, making the site available to their staff while amending their AUPs to ensure its use is not abused.
Any AUP must be flexible enough to meet the requirements of the organization for which it is written. A ‘one-size-fits-all’ approach is rarely sufficient and will either be too restrictive for employees to do their work or too open to abuse. Different departments may well have very different notions of which sites are deemed suitable. Two examples from the public sector are local authorities and hospitals. Most local authorities have social services departments that often need access to harrowing, upsetting and potentially offensive material and images. Employees working in this area will therefore need to be exempt from some areas of the AUP. Likewise, many hospitals have members of staff who live on-site. While an acceptable use policy might restrict them from visiting certain websites during working hours, it is unlikely that the hospital or trust will want to enforce these rules during an employee’s time off.
To be successful, an AUP must be enforceable. This usually requires the installation of security software or hardware that is able to monitor, block and report on any unacceptable use of an organization’s IT infrastructure. In a survey conducted by M86 Security, a quarter (25 percent) of respondents said that their Internet and email acceptable use policy was not actively enforced and over a third (38 percent) stated that they relied upon managerial vigilance alone to enforce the AUP.
The policy should also be enforced in a fair manner, encouraging users to admit mistakes rather than try to cover up something that may have wider implications. Likewise, senior members of staff should not be exempt from the policy. Additionally, the ability to generate detailed reports based upon individual or group activity over a prolonged period of time is vital to enforcing a policy properly.
Employees should be reminded of the AUP and some of the implications of breaking it. Policy breaches, accidental or otherwise, should result in a notification (via email or Web page) to the user telling them what they did, why it was wrong and reminding them that they are being monitored. With increased Web usage in the workplace, it is also a good idea to have a regular reminder displayed in the browser, where the user has to acknowledge acceptance of the corporate AUP on a daily, weekly or monthly basis before continuing. Training and educating staff about IT security will also help with visibility and ensure that users understand that the AUP exists as much to protect them from phishing attacks, obscenity and abuse, and to protect the organization’s infrastructure, as it does to control what they do during working hours.
An AUP is not the responsibility of the IT department alone and the IT team should not be expected to police email and Web usage. Although IT is usually responsible for installing and managing security technology, as well as running reports on users or groups of users as required, the overall responsibility should lie with the entire management team and HR to ensure all departmental requirements are met. Additionally, IT security and any associated policy should be supported at a senior executive level. Board level support will ensure that the AUP is taken seriously and that the threats posed by email and Internet usage are understood properly. Without senior support, an AUP runs the risk of becoming a set of toothless guidelines.