Fact: Viruses are running rampant and can now span operating systems. Analysts believe most viruses are brought in on disks from home.
Fact: Having your company’s name on your employee’s correspondence to the alt.home.bombmaking Internet newsgroup may not enhance your reputation in the community.
Opinion: Every company needs to put a plan and a policy in place to deal with the problems these facts can lead to: misuse, mismanagement, system failure and legal liability.
Internet use in business has grown almost as quickly as Orlando, Fla., has. The number of companies with their own domain name and presence on the Internet has tripled since January 1996. As companies come on board, they find it valuable to offer Internet access to their employees–a powerful tool, in the right hands. However, any tool, improperly used, can damage the user or his surroundings, with dire results. Training and guidance in a tool’s proper use is vital.
Benefits of an appropriate-use policy for your employees
One of the most obvious ways to offer guidance is through an official corporate Internet-use policy. A policy has at least three major purposes: promoting the efficient use of a business asset and powerful tool; protecting the firm from problems directly associated with the Internet; and protecting the firm from problems indirectly caused by the Internet. The following information does not constitute legal truth, but rather common sense: On business property, on business time, on business equipment and connections, the Internet is not a toy, but a tool, and its use, an extension of firm business.
To many, the Internet is fun. You can find out almost anything you want to know about anything. However, the goal of Internet use in most business environments should not be to explore the far reaches of the Net–but to maximize employee efficiency. That means that certain ground rules must be set to maximize the potential. Protecting your firm from the direct effects of the Internet requires diligence. The Internet is a teacher of two great and wonderful things: patience and disappointment. With that comes the potential for data loss or damage, loss of efficiency and viruses.
The unforeseen problems that must be dealt with are the possible repercussions from your employees being seen as acting on your behalf, and the potential legal liability that brings. A corporate Internet policy that is enforced and modeled proves that actions taken by those not following the clearly stated and well-promulgated policy were not made on behalf of the company.
Elements of an employee policy
What follows are some of the basic elements you should consider in developing your policy. While this list is incomplete, make sure to consider all of these elements.
–Consistent with agreements
Few organizations plug into the Internet without the services of an intermediary. Your organization’s agreement with that intermediary may include limitations and restrictions on your use. (A ban on conducting commercial business may be one of those limitations.) Your policy should contain provisions to make sure use is consistent with permitted use per your agreement with your access provider. Make sure that you know and publish the limits so your staff can abide by the appropriate limitations.
–Consistent with law and Internet culture
While it may seem ridiculous to have to formally state that your employees should not break the law, the Internet is a place of anarchy and freedom. Anything you may want is available there, including copyrighted and illegal materials. On the Internet, your employees are members of multiple societies, both legal and electronic, with laws and customs.
Your policy should guide your employees away from breaking the law; your firm should make some effort to keep your staff informed as to changing rules about copyright, freedom of speech and other evolving issues on the Internet. The global nature of the Internet makes more than just U.S. trade and copyright laws important; the customs, laws and rules of other nations can come into play.
In addition, the established culture of the Internet has produced its own set of rules, punishable by flaming and retribution. The current court rulings about America Online’s efforts to stop junk e-mail point out the struggles of clashing culture and commercialism. Your policy should discuss rules of Internet etiquette (netiquette), anonymity, illegal misrepresentation and flames.
–Consistent with the Golden Rule
We are members of humanity. On the Internet as in real life, be a good citizen and a good visitor. Leave things cleaner and better when you leave than when you arrived. The Golden Rule comes into play on the Internet: Treat others in the manner you would like to be treated.
Your policy should inform your employees that you expect that others’ privacy will be respected. Many of the resources are there by the good graces and efforts of volunteers; other people’s systems should be respected, and not violated.
In addition, all efforts should be made to avoid harassment, and harsh and thoughtless statements. For many reasons, there is not room for pornography in most business environments.
–Consistent with the firm’s priorities
It is the responsibility of the employee to remember that he or she is a member of an organization to which he or she should be loyal and which he or she represents to outsiders.
The firm is paying for the employees’ time; a policy should limit their Internet use to business during business hours. Firm secrets and dirty laundry should not be aired, ever. As agents and representatives of the firm, their actions should reflect well on the organization.
In addition, access is a corporate tool. Each person’s log-in and password should be used by that person only, and use (especially the transfer of large files) should be limited where necessary for more effective use of the system by the organization as a whole.
–Consistent with the weaknesses of the Internet
Policies should be in place to help protect the user and the organization from the active subset of users who will take advantage of the weaknesses of the Internet. Many gray areas should be discussed.
Who owns e-mail? Is it corporate communications, open to management review? Or is it private? There is no great answer; let your people know your stand.
When you send e-mail, is the information sensitive enough that you do not want anyone to have the option of reading or modifying it? Your policy should include corporate guidance in the use (or restrictions on the use) of encryption software, like PGP.
If passwords are disseminated, what is your policy for the type of passwords you want your people to use, as well as the frequency of change?
With the onslaught of viruses, what rules do you want in place? All disks should be virus-scanned before use? No disks from home are permitted at all?
As new software is loaded, especially communications software, policy should make sure that efforts are made to learn of the known security weaknesses of the software; efforts should be made to erase sample and default configuration files, which often are a method of entry into systems.
This list is incomplete. How can you find out more? There are many organizations that have posted their Internet policies on the Internet; many are schools and libraries, but some business organizations have posted as well.
A little reading on similar topics:
–“PC Week Intranet and Internet Firewall Strategies,” Edward Amoroso and Ronald Sharp, ZD Press (http:// www.mcp.com/zdpress/). Firewalls are used to protect networks from attack from the outside, and limit certain traffic from the inside out. The book has examples of Internet policy and a thorough discussion of the technology to protect and to serve. ZD uniformly presents books with excellent illustrations and consistent writing.
–“Internet Agents: Spiders, Wanderers, Brokers and Bots,” Fah-Chun Cheong, New Riders (http://www.mcp. com/newriders/); and “Bots and Other Internet Beasties,” Joseph Williams, sams.net (http://www.mcp.com/samsnet/books/bots.html). Both cover the automated tools of the Internet, used for both good and evil. Cheong covers some more technical issues well, while Williams delves into many more areas of great interest in much greater depth.
–If you have read this far and you say that you just want to find a book to tell you how to get on the World Wide Web and find your way around, try “The World Wide Web for Busy People,” Stephen Nelson, Osborne McGraw-Hill (http://www.osborne.com/). The “For Busy People” series has some of the most extensive color illustrations you will find, which really increases the appeal.
You cannot blame people for holding a hammer upside down or misreading the gauges on a piece of equipment if they have never been properly trained in its use. The Internet is no different than any other tool; rules can guide and protect.
(Eric Cohen, a CPA, owns Cohen Computer Consulting, which helps growing businesses cope with and benefit from information technology. His home page is located at http://www.servtech.com/re/ acct.html.)