by Scott Lewis
Technology, computer networks, tablets, laptops and software: we all need them to run our businesses. If done right, technology can be competitive weaponry that ensures your business remains a leader in the industry and competitive for the future. But is all this technology putting our organizations at risk? Do we really know what our employees are doing, and where do you draw the line in the sand and say that something is not acceptable on our system?
This is always a huge topic of discussion when I perform technology auditing. Companies are trying to give employees a broad sense of freedom when it comes to mixing personal with business. Employers are also recognizing that employees spend more time at work than they do at home, so they are really putting forth an effort to be more family friendly and not to be the computer police. However, this friendliness can unintentionally put your organization at risk, because sooner or later someone is going to make a mistake, someone is going to go to the wrong website and something bad is going to happen. Then the discussion is going to be about why we didn’t, or couldn’t, better protect ourselves.
As employees continue to mix business with personal, there is bound to be a certain level of misuse, and this will create liability issues for the company. The types of exposures can vary widely, along with the liability. According to an American Management Association survey, 28% of employers who fired employees due to misuse of email did so for the following reasons: violation of the company policy 64%; inappropriate or offensive language 62%; excessive personal use 26%; breach of confidentiality 22%; other 12%. When it comes to Internet usage, 30% of employers who have terminated employees for misuse have done so for the following reasons: viewing, downloading or uploading inappropriate or offensive material 84%; violation of company policy 48%; excessive personal use 34%; other 9%.
According to the American Management Association, only 43% of companies monitor email. Of those, 73% use tools that automatically monitor email and 40% designate a person who manually reviews email. Growing concern about how email correspondence is being used in litigation is increasing the need for companies to have high visibility into how they manage and monitor email and Internet traffic. The courts now accept that email and other electronically stored data are valid business records and, in some cases, contractually binding. It is estimated that 24% of companies have had email and electronic records subpoenaed by the courts, and almost 15% have been involved in court cases that were caused by employee email.
There are a number of steps companies should be taking to protect themselves. Many companies resist these because they want to remain employee friendly and they don’t want to limit their employees. Then, there is the trust factor. However, anyone who has ever been involved in a human resources situation knows that trust can only go so far.
1) Be very clear with your employees on what your company policy is regarding email and Internet usage. Make sure that you draw clear lines between business use and personal use, and make sure that you write it down.
2) Have security awareness training and explain the reason for the policy and the monitoring of email. This will help validate the policy and show your employees that you are not simply trying to keep them off the Internet.
3) Make sure that you explain that the company is reserving the right to monitor and review all emails and Internet traffic, and that employees should have no expectation of privacy.
4) Make sure that your policy covers and forbids the use of email and the Internet for harassment, threatening behavior, obscene or offensive behavior, pictures or language, or other illegal behavior.
5) Although not legally required in private companies, you should consider having long-term email storage and retention policies and implementing the technology that would allow for long-term email storage.
6) Ensure that you explain, train, and write down your policy around how you deal with confidential information.
7) Implement web filters, email filters and content filters to automatically manage and enforce your policy.
8) One of the most important steps is to make sure that your employees sign the policy. This is the teeth behind the words, but make sure that they understand it and are not just signing it.
In today’s world, where we can hide behind our computer screens, it is important that companies have the means and the policies to protect themselves with regard to electronic communications. There are precedents in the courts where electronic communications have cost companies millions of dollars in litigation fees and fines, simply because there were no policies, no processes and no monitoring of how employees were using the company’s technology. In most cases your normal business insurance does not protect you in electronic communication cases, so along with having written and agreed-upon policies and procedures, you need to review your insurance coverage and make sure that you have a cyber-insurance policy.
Scott Lewis is the President and CEO of Winning Technologies Group of Companies. The Winning Technologies Group of companies is an international technology management company. Scott has more than 30 years of experience in the technology industry, is a nationally recognized speaker on technology subjects such as Collocation, Security, CIO level Management, Data and Voice Communications and Best Practices related to the management of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.
Submitted 8 years 152 days ago