1 GFI White Paper The importance of an Acceptable Use Policy In an ideal world, employees would use the computers and Internet access provided their employer solely for business use. It is however, sadly, not an ideal world. Throughout the work day, companies, schools, libraries and other organizations are exposed by their users to the misuse of the system. The dilemma faced by every company is what to do about it and how to start. In this white paper we examine both the extent of the problem of misuse, and the role the creation and dissemination of an Acceptable Use Policy (AUP) can offer in helping an enterprise avoid unwanted consequences and enabling it to deal with transgressions in a fair and systematic way that will survive legal challenges without reducing employee morale and productivity.
2 Contents The extent of misuse 3 Solutions 3 Acceptable Use Policy 3 What should be in an Acceptable Use Policy? 4 Ideally an AUP should do the following 4 Summary 5 About GFI 5 2
3 The extent of misuse According to a survey by International Data Corp (IDC), 30 to 40% of Internet access is spent on non-work related browsing, and 60% of all online purchases are made during working hours. The data IDC uncovered includes: 70% of all web traffic to Internet pornography sites occurs during the work hours of 9am-5pm. 58% of industrial espionage is perpetrated by current or former employees.»» 80% of computer crime is committed by insiders. They manage to steal $100 million by some estimates; $1 billion by others. 48% of large companies blame their worst security breaches on employees. 64% of employees say they use the Internet for personal interest during working hours. 70% of all Internet porn traffic occurs during the nine-to-five work day. 37% of workers say they surf the web constantly at work. 90% of employees feel the Internet can be addictive, and 41 percent admit to personal surfing at work for more than three hours per week. 25% of corporate Internet traffic is considered to be unrelated to work % of lost productivity is accounted for by cyber-slacking. 32.6% of workers surf the net with no specific objective; men are twice as likely as women. 27% of Fortune 500 organizations have defended themselves against claims of sexual harassment stemming from inappropriate . 90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the previous 12 months, 80% acknowledged financial losses due to computer breaches, 44% were willing and/or able to quantify their losses, at more than $455 million. Solutions One solution to the problem, beyond simply disabling the connections or depending on sometimes unreliable URL blockers, is to use Internet monitoring systems (see GFI whitepaper: Internet monitoring ). According to IDC, 77.7% of major US companies keep tabs on employees by checking their , Internet, phone calls, computer files, or by videotaping them at work. 63% of companies monitor workers Internet connections and 47% store and review employee . Acceptable Use Policy While monitoring has been an effective tool in identifying abusers and cyber-slackers, Human Resources experts, as well as the courts agree that it needs to be accompanied by evidence of a duty of care intended to reduce unacceptable employee activity. A key aspect of this is what is commonly referred to as an Acceptable Use Policy. Nearly every enterprise has a specified set of rules, usually spelled out in an employee handbook, that an employee has to acknowledge by signature that he or she has read and understood. Some of these policies, such as that against racial or religious discrimination and mandatory archiving are required by law or regulation. Others may reflect common business ethics or a particular company s culture such as prohibitions against drinking, unexcused absences, sexual harassment and the like. Policies also include a set of sanctions that can be used against persons who violate the company s policies. They also provide a legally defensible basis for disciplinary action, up to and including termination. 3
4 One key advantage to policies like this is that while, traditionally, employers have been held responsible and liable for their actions in the workplace, the presence of policies prohibiting such actions has served as a liability shield that can completely or partially protect that company from lawsuits arising actions from employees acting in contravention of the policies. To safeguard its electronic communications, every company, large or small, should have an Acceptable Use Policy in place that governs Internet, and computer use in the business. In essence, an Acceptable Use Policy serves as guidance for staff and volunteers on the behavior and use of technology that is approved by the organization. The policy should also detail the consequences that company personnel can expect to face for the abuse of this technology. What should be in an Acceptable Use Policy? As discussed earlier, monitoring voice mail, and Internet use is generally legal, provided the employer has created and effectively communicated an Acceptable Use Policy. While the exact wording of the AUP will vary from company to company, there are some general guidelines on how an organization communicates such policies to its workers. The key goal of an AUP is to eliminate any employee expectations that these means of communication or use of computers, and the Internet at work are confidential. The policy must be non-discriminatory and it should prohibit all forms of non-business related communications. To this end, the policy informs employees that the employer may access, search and monitor voice mail, or company files of any employee that are created, stored or deleted from company computer systems. The policy must be uniformly enforced through employee education, ongoing monitoring and appropriate discipline. Obtaining prior consent will generally protect employers from liability. Ideally an AUP should do the following:»» Define what systems are covered by the policy, e.g., voice mail, , Internet, and computer systems and files. Specify that an employer s computer systems are for business purposes only, and all files and messages are company property. If the company chooses to allow some personal use, the policy should caveat this by forbidding personal use that interferes with an employee s work or that of others (e.g., prohibiting non-work related websites such as chat rooms, games, travel, shopping, stock trading, hate/discrimination, pornography, etc.). Specifically ban transmitting or downloading of material that is discriminatory, defamatory, harassing, insulting, offensive, pornographic or obscene. Prohibit copying and sending any confidential or proprietary information, or software that is protected by copyright and other laws protecting intellectual property. Prohibit unauthorized access by employees of other employees electronic communications. Warn employees that any misuse will be subject to discipline, up to and including termination. Advise and emphasize employees that they have no right to expect that their communications or use of employer s computer information systems is either confidential or private. After the AUP is drafted, organizations should require the employees to sign the AUP. Some companies have also taken the further step of installing an on-screen warning about their electronic communications policy that appears every time employees log onto their computers. 4
5 Summary Misuse of the Internet, and computers in the workplace represents a serious and growing challenge to every organization, regardless of size. In addition to potential illegal activity, disclosure of company secrets and introduction of malware, misuse of these systems has a real dollar cost in terms of lost productivity. To date, the most successful means of combating this has been through monitoring, by a variety of means. The first step in any organization s defensive measures against abuse is a prior consent statement, commonly referred to as an Acceptable Use Policy that specifies that employees have no right to an expectation of privacy with respect to their use of business computers, systems and Internet connections. The AUP also details unacceptable activities, specifies sanctions, advises of the potential for monitoring and places responsibility for inappropriate behavior on the employee who transgresses those rules. The AUP should be widely disseminated and employees required signing and acknowledging their understanding of it. In addition to providing employees throughout the organization with clear definition of the organization s expectations, a properly executed AUP can serve as a liability shield for the organization in the event of misbehavior by an employee, as well as a legally sanctioned basis for disciplinary actions, including termination. About GFI GFI Software provides web and mail security, archiving, backup and fax, networking and security software and hosted IT solutions for small to medium-sized enterprises (SMEs) via an extensive global partner community. GFI products are available either as on-premise solutions, in the cloud or as a hybrid of both delivery models. With award-winning technology, a competitive pricing strategy, and a strong focus on the unique requirements of SMEs, GFI satisfies the IT needs of organizations on a global scale. The company has offices in the United States (North Carolina, California and Florida), UK (London and Dundee), Austria, Australia, Malta, Hong Kong, Philippines and Romania, which together support hundreds of thousands of installations worldwide. GFI is a channel-focused company with thousands of partners throughout the world and is also a Microsoft Gold Certified Partner. More information about GFI can be found at 5
6 USA, CANADA AND CENTRAL AND SOUTH AMERICA Weston Parkway, Suite 104, Cary, NC 27513, USA Telephone: +1 (888) Fax: +1 (919) UK AND REPUBLIC OF IRELAND Magna House, London Road, Staines, Middlesex, TW18 4BP, UK Telephone: +44 (0) Fax: +44 (0) EUROPE, MIDDLE EAST AND AFRICA GFI House, San Andrea Street, San Gwann, SGN 1612, Malta Telephone: Fax: AUSTRALIA AND NEW ZEALAND 83 King William Road, Unley 5061, South Australia Telephone: Fax: Disclaimer GFI Software. All rights reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided as is with no warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. GFI Software is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, GFI makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, outof-date information, or errors. GFI makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as practical.
GFI White Paper Social networking at work: Thanks, but no thanks? Millions of people around the world with access to the Internet are members of one or more social networks. They have a permanent online
GFI White Paper How to keep spam off your network What features to look for in anti-spam technology A buyer s guide to anti-spam software, this white paper highlights the key features to look for in anti-spam
GFI White Paper The business implications of not having a backup strategy: where businesses get it wrong A business that fails to maintain a copy of its data is asking for trouble. It is extremely easy
GFI White Paper Why organizations need to archive email The underlying reasons why corporate email archiving is important Over the past few years, email has become an integral part of the business workflow.
GFI White Paper How to perform network-wide security event log monitoring Using GFI EventsManager for intrusion detection and essential auditing of security event logs This white paper explains the need
GFI White Paper Sending faxes in real time over an IP network How to benefit from Fax over Internet Protocol (FoIP) to send faxes This technical white paper gives an introduction to Fax over Internet Protocol
Internet Security Strategy for SMEs Small and medium-sized enterprises (SMEs) need a comprehensive Internet security strategy to be able to protect themselves from myriad web-based threats. Defining and
Bringing Your Acceptable Use Policy Up to 2013 Standards Bringing Your Acceptable Use Policy Up to 2013 Standards Organizations of all sizes rely on their employees to be good stewards of company time,
GFI Product Guide GFI MailArchiver Archive Assistant The information and content in this document is provided for informational purposes only and is provided "as is" with no warranty of any kind, either
Information Technology Policies and Procedures Wakulla County School District March 2014 Table of contents TABLE OF CONTENTS... 1 1.0 OVERVIEW... 2 2.0 PURPOSE... 2 3.0 SCOPE... 2 4.0 ACCEPTABLE USE POLICY...
December 2009 www.riotinto.com The way we work Our global code of business conduct 01_02 Rio Tinto Rio Tinto is a world leader in finding, mining and processing the Earth s mineral resources. The Group
Redland Christian Migrant Association (RCMA) Internet Security and Safety Policy I. Overview RCMA supports instruction through the use of educational and administrative computers. The responsible use of
E-rehab, LLC Terms and Conditions Recitals E-rehab is a duly licensed Limited Liability Company offering website services to licensed physical therapists and professional physical therapy corporations.
Internet & Cell Phone Usage Policy The Internet usage Policy applies to all Internet & Cell phone users (individuals working for the company, including permanent full-time and part-time employees, contract
Jefferson County School District Information Technology Policies and Procedures 575 S. Water Street Monticello, FL 32344 (850) 342-0100 www.jeffersonschooldistrict.org June 2014 Table of Contents 1.0 Overview...
HIPAA Security Risk Analysis Toolkit In January of 2013, the Department of Health and Human Services Office for Civil Rights (OCR) released a final rule implementing a wide range of HIPAA privacy and security
Terms of Service for Business Internet Service BUSINESS HIGH-SPEED INTERNET TERMS OF SERVICE LEGAL & REGULATORY FAIRPOINT COMMUNICATIONS THESE TERMS AND CONDITIONS CONTAIN IMPORTANT INFORMATION REGARDING
CODE OF CONDUCT Living Our Values Around The World Colgate s Code of Conduct sets forth our principles for working with each other, outside businesses, consumers, governments, local communities, and shareholders.
New York State Office of the State Comptroller Division of Local Government and School Accountability LOCAL GOVERNMENT MANAGEMENT GUIDE Information Technology Governance Thomas P. DiNapoli State Comptroller
13 Personal and Small Business Online Banking Agreement Table of Contents Table of Contents... 2 Online Banking... 3 Bill Payment... 10 Mobile Banking... 13 Mobile Remote Deposit Capture... 21 Page 2 Date
Can Company E-Mail Avoid Becoming Evidence Mail? Frank Cavaliere Lamar University College of Business;, Beaumont, Texas Phone: 409-880 8619 e-mail: Frank.Cavaliere@lamar.edu Purnendu Mandal Lamar University
Location: The Juilliard School Irene Diamond Building Main Office Room: 248 Phone: 212-799-5000 ext. 7121 Email: firstname.lastname@example.org Website: Information Technology Computer Labs There are two computer
INFORMATION TECHNOLOGY User Standards and Guidelines Manual May 2010 Division of Information Technology http://www.palmbeachschools.org/it/security.asp Table of Contents 1. Introduction... 4 2. Definitions...
KUHN COMMUNICATIONS, INC. ACCEPTABLE USE POLICY RESIDENTIAL SERVICE This Agreement is your contract for Kuhn Comm, Inc. Internet Service. Kuhn Communications, Inc. s (KCI) goal is to provide our customers