Guidelines needed for internet usage

23 Mar 2005

If Irish firms had been putting off the thorny issue of defining what is appropriate internet usage within their organisations, the sudden departure of Bank of Ireland chief executive Mike Soden last year firmly put the topic on the agenda. Soden resigned after it was revealed he had been looking at sites of an adult nature during company time — not illegal behaviour but conduct that was very embarrassing for the bank.

Inappropriate use of the web and email is not just an issue for large corporations. If staff members are spending large periods of time using the internet for personal use, productivity takes a nosedive. Worse still if that time is spent perusing illegal or inappropriate content, then the company could face a lawsuit. Tony Donohoe, head of research and information at IBEC, believes the legal threat that employers should be most concerned about is the possibility of a harassment charge.

“Under the legal concept of vicarious liability, employers can be seen to be responsible for the actions of their employees,” explains Donohoe. “Under employment equality legislation harassment covers the circulation of written words, pictures or other materials that a person considers offensive.”

As a result an employer could easily face a harassment charge if he or she does not take steps to discourage employees downloading and circulating inappropriate material such as pornography. According to Donohoe, other areas of the law where employers could be exposed include defamation, copyright infringement and privacy rights.

While email and web use are clearly of most concern they are not the only things firms need to consider. “The problem is shifting — two or three years ago you just had to be concerned about staff accessing porn or other inappropriate websites,” says John Ryan, operations director with security specialist Entropy. “Now there are other areas to consider such as spyware on PCs and the whole area of phishing attacks, so the problem is broader.”

In order to ensure there is no misunderstanding over what is acceptable a company needs to put in place a written internet usage policy, which clearly states what is and isn’t allowed. Bodies such as IBEC and the Small Firms Association provide sample policies to their members but caution that each firm needs to come up with policies that reflect their own culture. For example, some organisations may be of the view that email and internet access should strictly only be used for work purposes. Others may feel that a small amount of personal internet usage, such as online banking or booking a holiday, is acceptable and even a perk of the job. Either way this needs to be clearly reflected in the policies, as does the times that certain activities are acceptable, (eg firms may decided before 9am or between 1-2pm staff can use the web for his or her own purpose) and what the consequences are for a breach of the policy.

Human resources (HR) consultant Fredericka Sheppard advises that policies need to be formulated on the basis of both HR and technology considerations. “At the outset you need to consider how you are going to formulate the policy, how you will roll it out to the organisation and what you will do if there is a breach of the policy,” she says.

In her experience most Irish organisations would have a policy but it may not be communicated properly or enforced. That view is backed up by research carried out by software company PixAlert, which provides software that can detect if pornography has been downloaded to a company network. It carried out research last year that found while more than 90pc of Irish businesses have an acceptable computer use policy in place, 25pc of them are out of date and 20pc have no technology in place to enforce them.

Clearly technology needs to be put in place to ensure compliance with the policy is being monitored and the necessary evidence is collected should disciplinary procedures need to be followed. Typically that involves the use of filtering products on the internet gateway, which block access to inappropriate sites based on a list of URLs or keywords found on the pages.

However, John Nolan, CEO of PixAlert, believes such solutions are not comprehensive enough. “Gateway filters can’t pick up secure traffic and there are proxy sites that will encrypt the traffic and let you ping from there to anywhere,” explains Nolan. “It’s pretty trivial to do it — you don’t have to be very technical to do it just well read.”

PixAlert’s software, which complements filtering, analyses pictures for flesh tones. Rather than being an invasion of staff privacy Nolan describes it as “exclusion monitoring”, ie an alert is only sent to an administrator if some form of pornography has been discovered.

Whatever technology is put in place, Sheppard says that the acceptable usage policy needs to state that monitoring takes place. “You need to be upfront with your employees — that’s the only way you will foster a culture of trust and openness,” she says.

By John Collins