Web use and misuse
Where do you draw the line? Is it okay to send the occasional personal email at work? What about a little internet shopping? But what about spending time on social networking sites, playing online games, downloading pirated movies and music, reading and sending inappropriate emails, gambling online or downloading porn? The internet has created new opportunities for mischief and new challenges for managers.
Worldwide worries
Three out of four employers have had to deal with employees who waste time online, according to a recent survey by Employment Review magazine. Companies reported problems with employees misusing email and blogs, and with damaging comments about the company posted online. A large proportion of corporate web traffic is for non-work purposes: gambling, music downloads, porn and people checking their personal webmail accounts. More than two-thirds of online porn traffic occurs during office hours.
Web misuse can have serious implications for your business:
- Reduced productivity - If employees spend their time on a social networking site such as Facebook, they're not spending it doing their job. Even unwanted popup adverts, which are very common online, can distract and annoy users
- Security problems - Malware hides on websites and can install itself as users browse infected pages. MessageLabs Intelligence reports that the number of new, malicious websites blocked each day by MessageLabs nearly doubled (91 percent) in just one month, with 3,968 new sites intercepted daily
- Legal risks - When users download inappropriate or offensive material to their computers, they can contribute to a hostile environment for their colleagues. This can create legal liabilities for managers. Employees who feel harassed by this kind of material can resign and claim constructive dismissal. Damages awards in discrimination claims are potentially unlimited and several high-profile cases have hinged on sexist emails and public displays of pornography
- Wasted bandwidth - Internet connections cost money. If half your bandwidth is taken up with non-work traffic, you're paying twice as much as you need to, or your business-critical communications are running at half their proper speed
- Unlicensed software - When users download and install software from the internet, they create a legal risk. Software piracy is illegal. If an organisation uses illegal copies of software, it may face a civil suit and company directors risk criminal penalties including unlimited fines and up to ten years in prison
- Reputation risk - Social networking can create opportunities for employees to leak confidential information or spread damaging rumours online. Bad behaviour by a single employee can reflect on the reputation of the whole organisation
Blocking non-business internet access
In the face of all these problems, most managers' first reaction is to block all employee access to the internet. According to an Employment Review survey, all respondents tried to ban access to porn sites. Other categories received different treatment: gambling sites were banned by 88 percent, game sites by 76 percent, social networking sites by 59 percent and online shopping sites by only 51 percent.
It makes sense to block certain sites outright. Porn sites are an obvious example, but most companies may also consider gambling and game sites utterly unrelated to work and potentially time-wasting, and so block them too. However, you might want to allow employees to access social networking sites if it means that they can organise their social life without spending hours on the phone. You might also allow people to shop online if it saves them time and lets them achieve a better work-life balance.
Companies may also need to calibrate their policies to younger employees' expectations. For example, Computing reports that half of today's students would reject a university that banned instant messaging. Would they also reject an employer who banned social networking? Indeed, many companies are making good use of sites such as Facebook for recruitment, PR and marketing. What works in some companies does not work for others. It's a question of judgment.
Monitoring employee behaviour online
Monitoring inappropriate use may seem to be the lesser of two evils compared with blocking access to large parts of the internet, but in most cases blocking and monitoring go hand in hand. Having blocked the worst websites, you may wish to trust your employees' judgement and rely on monitoring for enforcement.
Some people find the concept of monitoring uncomfortable - for good reason. The internet may be the home of free speech whether you agree with it all or not, but it is also a source of inspiration and creativity. One person's waste of time may be another person's breakthrough.
Monitoring employee behaviour must be lawful and fair. The law is very specific about what you can and can't do. It is possible to track how people use the internet - the sites they visit and how long they spend there - but it may not be legal. In addition, you may not feel comfortable with the Big Brother aspect. Certainly, employees have a reasonable expectation of privacy in the workplace, especially for their personal communications. To put it another way, how would you like your boss to read your personal emails and web history?
The Data Protection Act 1998 covers monitoring at work, and the code of practice "Monitoring at work: an employer's guide", published by the Information Commissioner's Office, sets out a number of guidelines:
- Monitoring should be proportional to the legitimate needs of the company
- Employers should carry out an impact assessment
- Employees are told they are being monitored
- Information discovered through monitoring is only used for the purpose for which the monitoring was carried out
- The information discovered is kept secure
- Employers are extra careful when monitoring personal communications
The Regulation of Investigatory Powers Act 2000 further restricts your ability to monitor employee communications over company networks unless you have their prior consent. There are limited circumstances, such as the detection of crime or the prevention of unauthorised use, where monitoring without consent is allowed. However, covert monitoring is very rarely justified.
The risks of internet misuse justify monitoring, but that doesn't mean that you should just go ahead and do it without careful planning. You'll need legal advice and proper procedures as well as the right technology to actually do the monitoring.
Policy matters
Any decision needs to be backed up by a clear acceptable use policy for the internet. ACAS, the Information Commissioner's Office and Business Link, among others, have helpful guides to the issues involved. MessageLabs' own white paper, The Legal Risks of Uncontrolled Web Use and Email Content, is a good place to start. Again, legal advice is important.
Each company has its own ethos. Some managers may take a more laissez-faire approach while others want to lock everything down. Some people need full access to the web and companies may wish to give some departments or individuals more latitude than others. A good example is the marketing department of a lingerie firm who need to see their competitors' websites despite images that might be unacceptable in other companies, or even other departments in the same firm.
In the end, it comes down to a choice. Where do you draw the line? How do you balance individual privacy with the overall good of the business? What is the correct balance between monitoring and blocking? There is no right answer. It varies from company to company. But there is, perhaps, a right way to go about it.
MessageLabs Web Security and Compliance
Because the MessageLabs hosted service operates in a network of data centres, there is no hardware for customers to buy, no hefty up-front capital costs, no ongoing upgrades or maintenance and no software licences; just a predictable per-user fee.
From a customer portal, IT Managers can set up policies - blocking sites individually or by category. They can also set different policies for different types of user. The same ClientNet portal gives IT Managers detailed reports on internet use in their company. In addition to policy management, Skeptic technology gives MessageLabs services a unique - and powerful - way to protect its clients against web-borne malware. When your employees ask for a web page, the request goes through our system first so we can scan the page for malware and check it against your company policies.
The MessageLabs Hosted Web Security service gives companies the ability to monitor and enforce their internet use policies; whether they are very restrictive or very liberal, whether they favour monitoring or blocking. It unifies site monitoring and filtering with anti-virus and anti-spyware protection. As the world wide web becomes more and more important as a business tool, companies need the best possible tools to help protect their computer systems, their reputation and their employees. MessageLabs delivers one of those tools.
For more information or to sign up for a free trial please visit www.messagelabs.co.uk/products.