Beware the cyberslackers

Your employees have never had so many potential distractions at their fingertips.

A decade ago, the biggest worry for an organization might have been an employee making one too many personal phone calls on the job. Nowadays, employees are filing their taxes at work, booking holiday reservations, planning weddings, playing online video games, buying Christmas presents, poking their friends on Facebook, trying to qualify for the World Series of Poker, setting up their own online business, twittering about what they had for lunch … well, you get the idea.

The problem is there’s no way to stop them from wasting time. You can try blocking as many Web sites as possible — and this is certainly something most enterprises do — but new online diversions will always pop up. Also, blocking Internet access for all your employees might not be feasible because different business units have different needs.

The best way to truly tackle the liability, security, network performance and productivity issues you face from online misuse is through an update of your corporate acceptable use policy. Here are some tips to consider when re-evaluating your current policy.

1. Keep them signing on the dotted line

Chances are your company’s acceptable use policy was written in a time before Facebook, YouTube and Twitter became household names. A use policy that covers broad areas of Internet use, telephony and voice mail acceptability is important, but when new factors or technology come into use, a company must act quickly to revise its policy.

But it’s not enough to simply revise the policy to include streaming video use restrictions, for example. You have to have your employees sign off on new additions as quickly as you can.

“Every year when performance evaluation time comes around, the employees should be required to re-read and sign all the policies you have in place,” Jennifer Perrier-Knox, senior research analyst specializing in IT human resources at London, Ont.’s Info-Tech Research Group Ltd. “Often times an employee will sign an acceptable use policy and then three or four years later, the policy changes.”

Organizations should develop a systematic strategy that gets the policy in front of their employees as often as possible, as well as conducting personal training sessions to explain the motivation behind the policy, she added.

Dan Palayew, a partner and head of the labour and employment group at Heenan Blaikie LLP’s Ottawa office, said that some software programs will actually remind employees of the acceptable use policy every time they log in or try and access the Internet.

2. Honesty is the best policy

Palayew agreed with Perrier-Knox, citing distribution as one of the most important aspects of a good policy. But distribution also entails communicating with your employees about their privacy rights while at work.

“I would go as far as informing your employees that they should expect to be monitored,” Palayew said. “Not to instill paranoia in everybody, but the problem is, if you don’t indicate that and build that step in, you will be opening yourself up to the argument of whether or not it was reasonable to conduct the monitoring.”

If you reserve the right to monitor under any circumstances, any technique you initiate will have consent from your employees, he added. Ainslie Benedict, a partner at Ottawa-based Nelligan O’Brien Payne LLP, said she advises her employee clients to assume that their employers are monitoring every electronic action they make.

“It’s best to conduct your life at work as though IT can see every single transmission you make,” she said. Full disclosure can never hurt, Perrier-Knox said, advising that some companies may choose to explain what monitoring techniques are in place and why they have been implemented.

3. Give a little, take a little

But all of this doesn’t mean you shouldn’t allow for some flexibility and draft reasonable use provisions into the policy.

“Make it really clear what’s acceptable. If somebody wants to watch 15 minutes of streaming video or radio over the lunch hour, write that into the policy,” Perrier Knox said. Restricting those activities during certain hours and limiting the amount of time employees are allowed to access those services can communicate to staff what is acceptable.

Palayew advised against being too specific, but stressed that companies must clearly communicate that good judgment and reasonable personal use is acceptable. “The problem with getting very specific is that the when you’re going to want to look at the policy for discipline purposes, it will be for a situation you didn’t anticipate restricting,” he said.

“The policy is not there for the casual users, it’s there for the abusers and those people will usually pop up on the radar screen fairly quickly,” he added.

4. Inconsistency leads to lawsuits

Along with the design, implementation and distribution of the policy, ensuring it is consistently enforced is critical, Palayew said. He added that companies that pick and choose how they enforce their policies will quickly face legal troubles.

“Even for an issue as serious as pornography, some companies have sought to discipline an employee and that same employee has turned around and said that their manager sent them the pictures,” he said. “As a company, you can’t just discipline the employee and not the manager.”

Of course, a policy that assumes everybody is sitting in their cubicles and on your corporate network — like in the perfect Dilbert world — is flawed, Palayew said. The reality today is that employees are all over the world with company laptops and Blackberries.

“If somebody has a laptop on a business trip in Calgary and they’re surfing porn in their hotel room at one in the morning, you need to have an IT policy that covers that as well,” he said.

Your employees must be aware that anytime they are using company property, even away from their company’s offices, the policy still applies to them, he added. This must also be taken into consideration when updating and enforcing your policy.

5. Co-operation makes it happen

When dealing with streaming audio and video sites and instant messaging applications, determining what constitutes acceptable use might be difficult. That’s why IT shouldn’t be dealing with this issue alone, which does occur in some companies, Perrier-Knox said.

“IT leaders need to develop these policies in conjunction with business unit managers, just to make sure that it’s reasonable and makes sense for the business as a whole,” she added.

One of the biggest mistakes for a company can occur when the IT department does not consult with other business units when deciding what technologies are acceptable. A classic case occurs whenever IT decides to institute an enterprise-wise block on a legitimate business applicable tool, such as IM.

“It may have a very legitimate reason for doing that because of the security issues, but there needs to be negotiations and discussions with the rest of the business,” she said. “Among IT staffers themselves, for example, IM is used quite heavily by members of project teams so they can do quick updates and exchange information at a rapid pace.”

“A heavy-handed action, such as an outright, company ban could impede productivity in a negative way,” Perrier-Knox added.

An alternative, she said, is to consider implementing an enterprise controlled IM or social networking solution to allow in-house collaboration without the outside risks.

Ultimately, Perrier-Knox said, there has to be a business case for everything your acceptable use policy aims to do. If you want to take the time, effort, and most importantly, money, to actually monitor every Web page you’re employees are visiting, you need to balance that decision with how it might affect your business.

“In some organizations where there (are) large legal or regulatory compliance needs to consider, you can make the case for that,” she said. “But if you don’t have to do it, don’t do it. It requires a lot of people-hours to track, monitor and police.”