Are your staff surfing safely?

Martino Corbelli, marketing manager at filtering software firm Surfcontrol, which produced the booklet, said it does not offer a cut-out-and-distribute set of rules, but does give practical guidance. ‘A lot of network managers have no experience of this kind of thing. Our booklet outlines the issues they need to think about,’ he said.

While the Home Office has promised to publish a code of practice covering RIP, its publication has been delayed. This has prompted some to suggest that the Government is as confused as the rest of us.

George Gardiner, senior partner at solicitors Buchanan Ingersol, said that conflict between different legislation has caused problems. ‘I think it’s entirely likely the delay is caused by difficulties in bringing together all the different legal strands. However, I would rather wait for a considered set of guidelines that work than accept a knee-jerk reaction.’

Setting security levels

In the interim, network managers have a responsibility to safeguard networks from viruses and to keep management informed about risks arising from staff using the internet. AUPs give staff a wider understanding of the company’s level of security, and why it is important.

Security consultants have for years been telling companies to do this. Security policies differ from security measures, such as firewalls, in that they take a holistic view of each organisation: different businesses use the internet for different reasons, so the same rule does not suit them all.

For example, an often-stated guide to clamping down on users who download pornographic images is to check net and FTP logs for evidence of large-scale downloads of image files.

While this is effective for organisations that deal largely with text-based documents, graphics-intensive businesses, such as printers, will learn less from such monitoring.
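The log check described above, and the caveat that follows it, can be made concrete. The following is an added example, not code from the article or from Surfcontrol's guide: it totals image-file downloads per user from a handful of constructed proxy-style log lines, then compares two ways of flagging heavy downloaders. A flat byte threshold flags the prepress staff whose job is to pull graphics all day; comparing each user against the median of their own department flags only the user whose image traffic is out of line with colleagues doing similar work. The log format, user names, department mapping and thresholds are all assumptions made for the illustration.

```python
"""Added example (not from the original article): flag users whose image
downloads are unusually large, from constructed proxy-style log lines.

The log format, user names and department mapping are made up for this
illustration. The department baseline exists because of the caveat in the
text: in a graphics-heavy team, heavy image traffic is normal, so a flat
threshold would flag the wrong people.
"""

import re
from collections import defaultdict
from statistics import median

# Common raster image extensions; an optional query string may follow.
IMAGE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|tiff?)(\?.*)?$", re.IGNORECASE)

# Constructed line format: "<timestamp> <user> <bytes> <method> <url>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<bytes>\d+) (?P<method>\S+) (?P<url>\S+)$"
)

# Constructed sample log. Nothing here is real traffic.
SAMPLE_LOG = """\
2000-10-03T09:01:12 alice 1048576 GET http://example.invalid/scan01.tif
2000-10-03T09:02:40 alice 2097152 GET http://example.invalid/scan02.tif
2000-10-03T09:03:05 bob 512000 GET http://example.invalid/proof.jpg
2000-10-03T09:04:19 bob 900000 GET http://example.invalid/proof2.jpg
2000-10-03T09:05:00 carol 4096 GET http://example.invalid/contract.txt
2000-10-03T09:06:31 dave 3000000 GET http://example.invalid/img001.jpg
2000-10-03T09:06:32 dave 3000000 GET http://example.invalid/img002.jpg
2000-10-03T09:06:33 dave 3000000 GET http://example.invalid/img003.jpg
2000-10-03T09:07:10 erin 2048 GET http://example.invalid/brief.doc
2000-10-03T09:08:00 carol 8192 GET http://example.invalid/logo.png
"""

# Constructed department mapping; prepress is the graphics-heavy team.
DEPARTMENT = {
    "alice": "prepress",
    "bob": "prepress",
    "carol": "legal",
    "dave": "legal",
    "erin": "legal",
}


def image_bytes_per_user(log_text):
    """Sum the bytes of image-file downloads per user.

    Lines that do not match the expected format are skipped rather than
    allowed to abort the run, since real logs always contain some noise.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        if IMAGE_EXT.search(m.group("url")):
            totals[m.group("user")] += int(m.group("bytes"))
    return dict(totals)


def flat_threshold(totals, threshold=1_000_000):
    """The naive check: everyone above a fixed byte count is flagged."""
    return sorted(user for user, total in totals.items() if total >= threshold)


def flag_outliers(totals, department, factor=4.0, min_bytes=1_000_000):
    """Flag a user whose image bytes exceed `factor` times the median of
    their own department, subject to an absolute floor so that a quiet
    department with a near-zero median does not flag trivial traffic."""
    by_dept = defaultdict(dict)
    for user, dept in department.items():
        by_dept[dept][user] = totals.get(user, 0)
    flagged = []
    for dept, users in by_dept.items():
        baseline = median(users.values())
        for user, total in users.items():
            if total >= min_bytes and total > factor * max(baseline, 1):
                flagged.append((user, dept, total))
    return sorted(flagged)


if __name__ == "__main__":
    totals = image_bytes_per_user(SAMPLE_LOG)
    print("flat threshold flags:", flat_threshold(totals))
    print("department-baselined flags:", flag_outliers(totals, DEPARTMENT))
```

On the constructed sample the flat threshold flags alice, bob and dave, whereas the baselined check flags only dave, whose image traffic dwarfs that of the rest of the legal team. The design point is the one the article makes: a monitoring rule has to be set relative to what is normal for the business, or the organisation being monitored, not lifted from a generic checklist.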

Richard Gray, partnership secretary at law firm Park Nelson, was one of the first to assess the guidelines. He said the guide had helped the firm frame Regulation of Investigatory Powers (RIP) Act rules in language that was easily understood by all staff.

‘It’s about giving practical advice. Not all our employees are lawyers,’ he said, adding that clarity was the key. ‘What you want is two sides of paper that says “This is what you can use the internet for, and this is what you can’t”.’

Park Nelson’s prior approach to net access erred on the side of caution, but Gray said the potential benefits to the practice and its staff made the risks worthwhile, provided they were tempered with an AUP. He canvassed opinions from staff and partners to avoid an atmosphere of distrust.

‘We already have very restricted access in this firm, and I want to extend that to people’s desktops,’ he explained. ‘I want to make net access more widely available in the firm, because it’s a valuable business tool in terms of research. So we asked who wanted to have access and what they wanted it for.

‘There’s a people management angle here too. We wanted to tell our staff what is expected of them. As a law firm, we are concerned about the loss of billable hours, so we need to make sure that people aren’t just surfing the net for fun. We also use monitoring software, so in our policy staff are told that we can check the sites they have visited. As long as people know that, they’ll abide by the rules.’

The situation is not so different from when telecoms managers were forced to monitor excessive personal usage of company phones, although the consequences of a breach of RIP regulations are far more serious. The balance between making staff feel trusted and protecting company interests is a fine one.

The web as a perk

‘Employees generally have undoubtedly come to look at net access as a perk,’ said Gray. ‘But with a usage policy, they’ll know to what extent. In our AUP we will say: “We are expecting staff to use the net for personal reasons and we don’t have a problem with that, providing it’s not in office hours and you’re not visiting inappropriate sites”. In principle, it’s similar to the way we expect staff to use our telephones.’

While an AUP will strengthen your defences against misuse, formal guidance on RIP is still required, and Gardiner called on the Home Office to delay publication of the code no longer than is strictly necessary.

But he added that while the code of practice will expand on the Act, it will not solve inherent problems in the legislation. These will be ironed out in the courts, as companies unwittingly breach the regulations through a lack of preparation. He said that inexperience in interpreting legal documents is more likely to be the culprit than negligence.

‘We have enough trouble reading the wretched legislation, so how anybody else can cope with it I don’t know. Given that these laws are meant to be for the people, that’s a problem,’ said Gardiner.

In the meantime, network managers will just have to get on with it. This is not simply a regulatory or technology issue; it has ramifications for every department, so implementation has to be inclusive.

There’s a risk of building resentment if the AUP is ‘sent down from on high’. People enjoy accessing the net, so it is important to explain clearly why any restrictions are being placed. Responsible employees will understand, according to the guide.

It’s also worth asking your company’s lawyers to run an eye over the draft document. If directors are not keen on spending money on solicitors’ fees, point out that, without the protection of an AUP, the organisation could be held legally liable for comments made by staff in emails, websites and online forums. The ghoulish and expensive spectre of lawsuits and criminal charges should put such fees in perspective.

AUP essentials

Set rules – Some types of usage are unacceptable. Set rules against visits to pornography sites and against making offensive contributions to message boards. Make it clear that the company is responsible for transmissions made over its net and that the internet is like any other resource.

Be relevant to your business – What specific risks do you run in letting users access the internet from your network? Assess the risks with directors, other department heads and staff.

Spread the word – An AUP is useless if people don’t know about it. If you face litigation over staff misuse, your case will be strengthened if you can prove that all employees were notified that they were subject to monitoring. Training is the key. This also helps prevent accidental virus intrusions.

Surfcontrol’s guide to writing an AUP can be downloaded free of charge in PDF format here
