Angels or Devils?

by David Haskin


Take a close look at what employees are doing with office technology, and you’re bound to be disappointed. Several studies have found that the majority of bids on auction sites such as eBay occur during working hours. Similarly, most hits at pornography sites occur between 9 a.m. and 5 p.m. Survey the sites most frequently visited from your company’s PCs, and it may begin to seem that the staff full of slackers, or worse.


Every business faces the same dilemma when it decides to connect to the Internet. A company can’t afford to have employees using the Internet to bid on Tiffany lamps or peruse pornography when they should be working. But what about checking their e-mail, or paying their health care bills? Different companies may have different ideas about what constitutes acceptable use. And it’s easy to be a hard-nosed authoritarian in the abstract, but a different matter to send the firm’s best employees packing because they violated the rules.


Still, unchecked employee use can drag down productivity and potentially cause legal problems, both for companies and their employees. It also can cost a bundle. “One common problem is people downloading and listening to audio files, which chokes your bandwidth,” says Vijay Balakrishnan, senior vice president of Telemate. Net Software, an Atlanta company that develops software to monitor Internet usage. “I’ve worked with companies thinking of adding an extra T-1 line when they didn’t have to. When they looked into the matter and found that it was a lot of personal traffic, they were able to stop it and they saved $15,000 to $20,000 in costs.”


Many businesses, large and small, already have addressed this problem. According to a workplace survey released in February by Jackson Lewis, a national employment law firm in San Francisco, approximately two-thirds of all companies have a formal policy regulating voice mail, e-mail, and Internet access. If you don’t already, it’s time.


GOOD COP OR BAD COP
When creating a policy, first think about what types of personal use are permissible. According to research by International Data Corp. 30 to 40 percent of Web browsing in the workplace isn’t business related. “We’ve caught people selling cigars off their company’s networks,” says Tim Bedard, product manager for Burlington, Massachusetts-based Elron Software, which develops software tools to help prevent employee abuse of the Internet. Michelle Drolet, CEO of Conqest Inc., an Internet security consultancy in Holliston, Mass., says that one of her clients caught an employee selling airline tickets from work.


But just because there are some offenders out there doesn’t mean all personal use is frivolous. Michael Lotito, an employment law attorney for Jackson Lewis, urges companies not to be too hard-nosed. “Say you’re on your break or it’s on your lunch hour and you want to send an e-mail to your spouse that you’re going to pick up the milk,” he says. “It might be okay to use the machine for those purposes.”


The depth and breadth of the policy will depend on how much the company wants to get involved in the details of employees’ use, and how much it wants to trust them. “We’ve seen policies ranging from a page or two to large documents with lots of details,” Balakrishnan says. “In either case, the policies can’t be Draconian, saying we’re watching your every move.”


Balakrishnan’s own company has a purposefully vague policy that calls only for “reasonable” personal use of the Internet. “The question is how you interpret the word ‘reasonable,'” he says. “It depends on the corporate culture you want to foster.”


But many companies desire more detailed policies. “Our policy is eight or nine pages,” says George Brandt, business manager of KBHK-TV in San Francisco. “We get very specific. One section covers general computer use, another is about e-mail, and the third is about the Internet. The policy specifically deals with issues like distributing pornography, posting slanderous material, and so on.” Brandt says he wrote two sections of his station’s policy and borrowed liberally from a template of a software company that provides monitoring software.


POLICIES OR POLICING
Consult with a human resources attorney to make sure the proposed policy will protect you from lawsuits. More than half of all workers exchange potentially offensive messages via e-mail, according to a study by NFO Worldwide, the American Management Association, and Vault.com. “If somebody else is looking at a porn site on their desk and somebody walks up behind them and is offended, you’ve violated federal law,” notes Eric Schmidt, chief information officer for the Bricker and Eckler law firm in Columbus, Ohio. “One of the tests of the law regarding sexual harassment in the workplace is whether there is an uncomfortable work environment.”


Of course, harassment-related issues aren’t limited to e-mail or the Web, so first make sure your harassment policies cover those other venues, counsels Lotito. Then, if e-mail and the Web aren’t covered, add them to your overall harassment policy, as well as to your appropriate-use policy. While you’re at it, he says, make sure the policy prohibits the leaking of confidential intellectual property and trade secrets, which can be easily done via e-mail.


Also, review existing policies on the use of business assets for personal purposes. After all, “borrowing” office supplies and using the company telephone for personal calls have long been problems, so chances are you already have a personal use policy in place. Of course, if you don’t already have such a policy, this is a good opportunity to create a single, uniform document that covers personal use of all of business assets.


The hardest part is deciding how closely you want to monitor employees’ behavior. Because the PCs belong to the company, employers that keep track of where employees go and what they do are well within their rights. On the other hand, you don’t want to create a police state. Especially if there isn’t a formal company policy in place.


“You want to be a good place to work, so you don’t want to create a spy type of mentality,” Lotito says. “But you do want to be up front. You tell people we’re paying you to do work and that’s what we expect you to do.”


TEACHING OR PREACHING
But simply creating a policy isn’t enough. You have to educate your employees about it. Schmidt says that the reason there have been no complaints or abuses at his firm is because the policy is clearly explained to all employees. “We’ve had no complaints or problems,” he says. “I attribute it all back to education. Communicating the policy and expectations will save you a lot of headaches.”


Drolet provides a horrifying anecdote that illustrates what can happen when you don’t educate employees about an appropriate-use policy. “We had a client that had a policy but never did education about the policy,” she says. “They had somebody who was in Gamblers Anonymous, and he reverted and started wracking up thousands of dollars worth of bets on line during company time. He’s suing the company, saying he didn’t know what the policy was, and the company enabled him to keep his addiction going.”


She cited another company that fired people for sending and receiving personal e-mail. The fired employees claimed they were treated unjustly because they never knew about the policy. KBHK-TV’s Brandt has a solution for that problem. “We make every employee sign a receipt for the policy that says they understand it,” he says.


Even after you roll out the policy, you must keep reminding people its existence and its purpose. At Drolet’s company, when someone logs on to the network, a window appears with an abstract of the personal-use policy. They must click an on-screen button to get past it.


ENFORCEMENT OR IGNORANCE
Creating the policy and making sure your employees know about it works most of the time. However, at some point, you must enforce it. Enforcement has two parts: Putting systems in place to catch the problem, and dealing with offenders.


The first is easy. E-mail filtering software typically posts on-screen messages when it detects offensive material, including Web sites. It then asks the user if she or he wants to continue. This acts as a deterrent because it reminds users that they are being monitored.


The next step is more difficult. If you catch someone who has violated your policy, you must discipline him. That activity, of course, must dovetail with all your company’s disciplinary procedures. Whatever your company’s enforcement policy, you should be ready to use it.


“Our language is that violations can result in discipline up to and including termination, at the company’s discretion,” says Brandt. Without this, the policy just won’t stick. “We find people put policies in place, but don’t put enforcement behind it,” Bedard says. “How good is a policy if you don’t enforce it?”


Furthermore, a policy must be enforced fairly and equally for all employees. Bedard adds that inappropriate use of computers isn’t just a problem with rank-and-file workers. “A lot of upper and senior management are doing things that are inappropriate, which makes it difficult to enforce at the lower levels,” Drolet says. “In one company, we found out that the CFO was spending two to three hours a day at pornography sites.” Enforcement cannot be arbitrary, or the entire point of the policy is lost.


Companies that don’t institute appropriate-use policies run significant legal and financial risk. But just putting the policy in place doesn’t mean the job is done. Drolet says she had an employee who was searching for a job on the Web. The company had to decide whether to keep her, and in the end, helped her find another job.


No one says this task is going to be easy. “Many small companies are dealing with a life or death struggle to survive, and these types of issues are not always the highest priority,” Lotito says. Putting the rules and structure in place is a great starting point, but it’s not going to magically solve every problem. In fact, it may make you aware of many problems you never knew you had. “Everybody wants a pill,” Drolet says. “But managers have to manage.”


HOW TO PLAY BAD COP
There are two main types of software tools that can help enforce your policy, both of which run on servers on your network. One monitors how your employees use the Web ­ what sites they visit, how often they visit them, and the total amount of time they are spending on the Web. It can also block access to certain sites. The other type of monitoring software manages use of e-mail ­ it examines messages for objectionable content and can either refuse to send the message or report it to the appropriate managers.


Both types of software should be intelligent enough to analyze the context in which a word or phrase appears. For instance, the phrase “breast cancer” may be appropriate, but the word “breast” alone may not be. Many companies make products to help control how employees use company e-mail and Web access. Among them are:


* InterScan eManager
Trend Micro Inc. (www.antivirus.com/ products/isem/) enables you to create rules to block offensive messages, as well as spam.


* MAILsweeper
Content Technologies (www.contenttechnologies.com) is a family of products that monitors e-mail usage


* MIMEsweeper POLICYplus
Content Technologies (www.contenttechnologies.com) is a sophisticated template that helps you create policies to govern your employees’ use of the Internet and e-mail.


* SmartFilter
Secure Computing Corporation (www.securecomputing.com) is a network-based Web-filtering solution.


* Websense
Websense Inc. (www.websense.com) is a network-based Web-filtering product.


HOW TO PLAY GOOD COP
Not all companies believe they need a strong policy governing appropriate use of computers and Internet access.


“I have to steer my company out of harm’s way, but the more you treat people like adults, the more mature they will be,” says Mike Magnani, owner and CEO of nVision East, a Manhattan multimedia company. “A hard-line policy makes you a parent.”


Magnani says that’s a particularly appropriate analogy because much of his workforce is comprised of young, artistic people who grew up with the Internet. “If you want to work with young people in this low unemployment environment today, you have to cut them some slack.”


Magnani’s company does have procedures for handling harassment issues, but the written policies require only that employees exercise good judgment when using company equipment and Internet access. Anything more stringent would hurt his business, he claims, because employees work long hours and are hard to retain.
A relaxed policy about using the Internet isn’t the only way Magnani says he’s trying to create a comfortable atmosphere. To reduce stress, he has built a climbing wall for employees, and he brings in a masseuse, a yoga instructor, and a personal trainer twice a week.

Small Business Computing Staff
Small Business Computing Staff
Small Business Computing addresses the technology needs of small businesses, which are defined as businesses with fewer than 500 employees and/or less than $7 million in annual sales.
Previous article
Next article

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.