Your Approach to Acceptable Use Policies May Be Unacceptable
After surveying 500 IT administrators at businesses of your size across the country, we have concluded that acceptable use policies (AUPs) in the workplace are not up to date, if they exist at all. Larger, more established companies consider AUPs and other tools defining best practices for computer usage to be essential policy tools. But it's not much of a surprise to find them lacking when you consider the level of IT support available in your company and companies like it.
For that matter, some of you may not even know what an AUP is. AUPs are written documents that set out a specific set of rules and regulations concerning the use of e-mail, the Internet, instant messaging, and company computers in general. The first part is to create the AUP, and the second is to enforce its rules through technology solutions.
All businesses of any size should have issued such policy directives to all employees. And most company guidelines will require users to agree to follow the AUPs in order to be provided with access to a network or to the Internet. Obviously it takes some dedicated resources to put these together and keep them updated, and that's often what companies of your size don't have.
Our research in the small-business community reveals that either AUPs don't get written at all, or if they do get written, they don't get updated on a regular basis. Updating is essential if the document is going to do its job, which is to protect both the organization and the employees from problems.
Legal problems can arise from a failure to comply with legal requirements or with the ethical norms of a company's community, and downloading viruses or other dangerous programs can harm your network and your business. In short, a company without an updated and enforced AUP is leaving itself vulnerable to security and compliance risks.
We live in a litigious society today. For example, companies are legally accountable for fraud perpetrated by employees using the company's Internet connection. And HR and IT professionals are all too familiar with the woeful tales of organizations being sued for sexual harassment, all because an employee's questionable surfing habits made other employees feel uncomfortable in the workplace. Inappropriate use of e-mail and IM can yield the same problem.
Every day, Internet-based threats seek to exploit networks and expose businesses like yours to the risks of security breaches, legal liability, lost productivity and the erosion of network resources. The survey found that four key IT threat areas were missing from written AUPs and from monitoring and enforcement technologies:
- Spyware
Spyware is generally brought into an enterprise and onto users' desktops through careless downloading and inappropriate Web surfing. This can cause considerable problems for desktops and network performance alike. Yet 70 percent of organizations responded that they have not addressed this risk factor in their AUPs. Making matters worse, 68 percent have no perimeter solution to prevent the problems associated with spyware. AUP rules need to educate employees clearly about this potential threat.
- Inappropriate Web Surfing
Many companies today accept that people need to carry out personal chores, such as paying bills online, while at work. But strict rules are needed to prevent employees from abusing the presence of a broadband Internet connection at their desktops by visiting pornographic or other offensive sites. In addition to the productivity loss of the Web-surfing employee, any legal action caused by excessive or inappropriate Web surfing at work has the potential to cost companies dearly. And yet 64 percent of the surveyed companies have not addressed this in their AUPs, and 80 percent have no perimeter solution.
- Instant Messaging (IM)
Instant messaging is a very useful business communications tool that some think is in many ways better than e-mail. However, much use of IM on company networks is neither managed nor sanctioned, which presents a whole host of potential problems in both security and compliance. IM worms and viruses abound these days, and inappropriate instant messages can have the same bad legal results as inappropriate e-mail messages. But 72 percent of the surveyed companies have not addressed this in their AUPs, and 79 percent have no perimeter solution that prevents it.
- Peer-to-Peer File Sharing (P2P)
Many feel that there is no legitimate use for P2P file sharing applications within the workplace. Downloading music and movies drains valuable network bandwidth, and the music and movie industries take a very serious and dim view of those who pirate copyrighted material. But 72 percent of the surveyed companies have not addressed this in their AUPs, and 78 percent have no perimeter solution.
These highlighted results are not based on a random sampling, but rather on proactive feedback from the IT community.
The conclusion from this survey is simply that a very high percentage of businesses of your size are leaving themselves open to employee abuse of network privileges and ultimately to trouble. This is apparently because whatever AUPs are in place are either ambiguous or incomplete, or there are no IT solutions in place to make sure employees abide by policies and company rules.
IT administrators don't always have time to put together an AUP, because they are historically thin on resources. As a result, the idea of implementing a solution to enforce the AUP becomes unappealing, because it is perceived to increase the burden already placed on IT. However, they should rest assured that robust filtering solutions that are easy to install, manage, and maintain are not myths but realities in today's technology marketplace.
SMEs need to understand what's at risk and thereby better equip themselves to meet threats head-on. The first step is to develop a Security Policy and an Acceptable Use Policy that support their business goals, and are detailed enough to include all the issues companies might encounter.
The next step is to acquire the tools and technology that can enforce them, and the procedures to undertake when enforcement is required. It's not hard, and whatever the cost, it's less than the cost of a major lawsuit or the damage to your business that can result from a virus or Trojan that has been unleashed on your network.
John Jones is the chief executive officer of St. Bernard Software, which makes and sells security and compliance appliances and software.