Someone to watch over me

29 Apr 2004

If you thought all there was to security was keeping your antivirus software up to date and possibly even having a firewall, think again. Increasingly, implementing a security policy is becoming an important part of business.

Take this sample case: if you caught a top employee in your company downloading pornography and you sanctioned or even sacked him or her, that could be deemed unfair dismissal. Although common sense dictates that staff really shouldn’t be spending their work time surfing for smut, consider this: if you didn’t have a clearly stated policy saying that they are not allowed to do so, then legally, you haven’t got a leg to stand on. If the employee chooses to fight his or her punishment or expulsion by legal means, the court could find in his or her favour.

That’s according to security and legal experts who maintain that ownership of the network does not confer senior management with the right to monitor employees’ internet and email usage without their knowledge. Staff must also be made aware what they may and may not do when online.

To remove any ambiguity, a clearly written policy should be circulated to employees informing them that, for instance, they can use the internet only for company business. A good usage policy should set out what is and is not permitted, and should detail the consequences of any breach, says Paul Lambert, IT lawyer with Merrion Legal. “You have to drill down in a lot of detail what the justifications for the policy are, such as stopping cookies or viruses from getting through,” he recommends. “That would encourage acceptance of the policy among the workforce.”

The constantly changing nature of the internet means that policy documents shouldn’t be set in stone, Lambert adds. “A lot of organisations, from small to large, fall down by not reviewing the policy as much as they should.” Last year’s policy may have strict guidelines about correct email usage, but if half the staff have begun to use instant messaging in the meantime, where do you stand?

Acceptable use policies are not yet widely adopted but this will have to change, according to Vigitrust managing director Mathieu Gorge. “Email best practice is something most companies don’t do,” he observes. “A lot of employers are not aware of how they can monitor and who they can monitor. The rules should be applied to all employees equally. Any secret monitoring must be documented. If you don’t document it and you arrive in court, you don’t have a case.”

Gorge adds that all the security software in the world can only be used to apply a policy, but it will not, of itself, take care of a company’s security issues. “The Mailsweeper content filter for example is a technical solution that will support a strategy, but if your policy is not legal, then your technical solution is no good,” he points out. For the same reason, security providers should not simply sell a box and tell the customer that their problems are over. “The question is, can your solution cover your legal needs and not just block viruses and spam?” asks Gorge. “The technical solution does what it’s supposed to do, but if the policy is not in the context of business requirements then the technical solution won’t actually protect the company.”

A couple of significant obstacles stand in the way of simply implementing usage policies, however. Earlier this year, Dublin City Council came in for criticism from unions following news that it had issued a tender for a monitoring system that would track employee web, email and telephone use.

Even assuming the proposal gets the support of staff, strict new data protection legislation is making it more difficult for businesses to collect and keep data on their employees’ communication habits, Lambert warns. “Traditionally, many organisations would have a communications usage policy that would set out the procedures and all employees would sign it. That was deemed historically to be sufficient and legal but that interpretation of the law has been called into question.”

All of which has made this area considerably more difficult to advise on, says Lambert. A good start, however, is to have a single, designated co-ordinator for these issues within a company – effectively a data protection officer. This person should keep up to date with the latest developments in the sector, liaise with other organisations and work with his own company’s human resources and IT departments to see how and where the firm may be exposed to the new rules. “It’s becoming less of a case that someone can jump in and jump out to address data protection issues. More and more I think it needs to be a full-time role,” Lambert concludes.

By Gordon Smith