If your business has more people than just you, then you need an appropriate use policy document that covers your technology assets. This document sets out expectations and rules or guidelines for what is acceptable from your employees regarding technology use in the workplace. It should address both private and corporate assets, and it lays the groundwork that could save your company much grief, a tarnished corporate image and goodwill, lost time, lost revenue and expensive repairs.
A few years ago, a forensic IT investigation for a client involved analysis of a computer used by an employee suspected of issuing cheques payable to herself for commissions payable to other people in the company, then falsely booking them as having been paid to the corresponding individual. What was found was something that I was completely unprepared for. This person had an unknown alter ego wherein she was an S&M mistress who also sold a variety of intriguing items to her minions. Here is the problem: she was doing this and communicating with them using highly explicit sexual language through her corporate email address, during business hours, using company equipment, and without the knowledge or consent of management. The case was then referred to the police for further investigation and prosecution.
In another example, we were asked to put in place email filters that would systematically scan every outgoing email for certain profanity keywords. Any such emails would be blindly copied to one of the company principals for manual review. Some of the employees were reprimanded and the problem stopped. Another employee was subsequently terminated.
As we begin 2012, technology has proliferated, and continues to proliferate, throughout our business and personal lives. While some of the technology works to benefit the business bottom line, other technologies impede it. Not only the tools but also their use must be addressed. Some of these items will be company owned, and some not. Yes, both must be addressed. While it is difficult to cover all aspects and situations, here are some guidelines.
- Address the use of personal cell phones during business hours. Are personal calls allowed in your workplace? Should they be restricted to certain times of the day only (i.e., during breaks)? Do you want to restrict the number of phone calls, or the duration?
- The majority of cell phones now have built-in cameras. If your business is concerned with proprietary products, or methods, you may need to restrict these devices from even entering the workplace in order to control trade secrets.
- With regard to personal phones, do you permit your employees to text personal messages during work hours? Many of the newer smartphones now have apps for Facebook, Gmail, Hotmail, or internet browsers. Do you permit employees to check their personal email, or the latest update about their friend’s date from the night before, during work hours?
- Personal computers. Do you allow your employees to set up their personal computers or tablets in the office for personal use? Do you allow downloading of media or other potentially law-infringing material (e.g., music, movies, software) using corporate networks? Allowing such use could expose your company to liability.
- Do you allow employees to connect any external media (e.g., USB memory sticks, digital disks, floppy disks, portable disk drives) to computer assets? In many cases, people do connect such items and end up infecting company equipment with malware already stored on these media.
- Do you allow employees to use the corporate phones for making personal calls? If you do, should there be a specified limit noted?
- Do you have a policy on the use of long-distance or pay-per-call services? There have been documented instances of employees using corporate equipment to access pay-per-call sex chat lines, which are then billed back to the corporate account.
- Do you allow corporate email addresses to be used for any personal communication?
- Do you have specific standards of email communication in order to maintain your corporate image, covering matters such as the use of profanity, standardized email signatures, and the maximum time within which email messages must be answered?
- Do you allow access to personal email using company equipment or during business hours? Keep in mind that email is one of the greatest sources of malware.
- Do you have a policy to restrict access to certain types of websites using corporate equipment? For example, is access to pornographic websites allowable?
- Do you allow the use of instant messaging software (such as ICQ, Skype, MSN Messenger) for personal communication?
- Do you allow employees to open internet radio station windows that provide live streaming? In an environment that does not restrict this, users can choke all available internet bandwidth.
- Do you allow the installation of non-approved or unlicensed software on corporate equipment?
- Do you allow the storing of copyrighted materials or media on corporate equipment?
- If employees use certain tools for ongoing business purposes, such as LinkedIn, Facebook or Twitter, who owns those accounts and contact information?
- It is standard practice and generally upheld by the Courts that all media generated using company equipment is owned by the company, and as such employees have no right to expect privacy on any content. This should be spelled out within the Policy document.
- Do you have any restriction on the use of photocopy equipment for making personal photocopies? How about photocopying copyrighted material? Did you know that photocopying money notes can be a criminal offense?
Use the points above to draft a document suitable for your company, and get two copies printed. Once you have drafted your document, you may wish to have it checked by your legal counsel. One copy of the Policy document should go to each employee/agent, and another should be signed and dated by each recipient and filed. This way, both parties have a set of known ground rules. If the need arises down the road, revised copies can be re-endorsed.