Stamp out personal use of company Internet access, or... the policy everyone loves to ignore

Offer your clients guidance in defining and implementing a "no personal business" policy for corporate PCs.

 The one thing that seems to never change, yet continues to surprise me, is the wishy-washy management attitude toward using company PCs for personal business. Shockingly, some companies still give almost unchecked Internet access to their PCs in light of a few simple facts:

  • It only takes one visit to one Web site to pull down an entire system. It sounds extreme, but it does happen.
  • With today's technology, you can practice safe Interneting. It isn't hard or even terribly expensive, but it does require consistent management.
  • With today's technology, you can easily find and eradicate (... and don't let the door hit you in the ...) employees who think the rules don't apply to them.

Your main concern is maintaining a healthy computer system, but this problem affects more than IT. According to Douglas Schweitzer, in an article for SAP News, the "International Data Corp. estimated that 30% to 40% of employee Internet use isn't work related. And according to Nielsen/NetRatings, 92% of online stock trading occurs from the workplace during work hours and 46% of online holiday shopping takes place at work."

Perhaps more disturbing is the use of business PCs to visit pornography sites. According to SexTracker, 70% of traffic to pornographic Web sites occurs between 9:00 A.M. and 5:00 P.M. Not only are employees putting the system that you maintain at risk, they're using employee time to conduct personal and often unsavory business!

As a competent consultant, you must help your clients create a policy that states and enforces the following mandate: No one can use company PCs for personal use -- no one, nothing, not even a quick look at the online news every morning -- nothing! Is that too strict? Possibly, and in the end, you must let your client have a little rein on this one, but in return, the client must help you protect their system with an established policy and no-nonsense repercussions for employees who refuse to adhere to that policy. Your job is to help your client define, adopt, and enforce this policy.

Step 1: Define the policy

Creating an Internet-use policy is a collaborative effort. As always, you advise, but your client decides. There are three possibilities: No access, limited access, and complete access. Help your client determine the monetary commitment and repercussions of each level. This is a good time to analyze the costs of an open-Internet policy. After all, if nothing bad or terribly expensive has (yet) happened, it might be difficult to convince your client that a more aggressive and expensive approach is necessary.

Step 2: Adopt the policy companywide

Inform everyone of the new policy and then supply them with a copy and be accessible for questions. Then, purchase and install the tools to enforce the policy because you know some folks are going to ignore it. Block access to all but authorized sites and install tracking software. In addition, if you haven't done so already, block unauthorized downloads. If that all sounds a bit too much like Big Brother, you might be in the wrong business -- seriously. (I'd like to see a discussion on the policies and tools you use to inhibit and track Internet access and downloads.)

Step 3: Enforce the policy

Enforcing the policy is really out of your hands. You advised your client in step 1, but it's up to your client to act. However, you might help distinguish between an intentional breach and an accident (and that does happen -- I can't even describe what I managed to pull up the other day while searching for a specific author during a work-related task). Accidents aren't the only thing you'll have to consider -- knowledgeable employees can participate in subterfuge.

Let me share a personal experience in this area. A certain Fortune 500 client has a sophisticated surveillance room where employees keep an eye on critical areas of the building. During an internal audit, pornography files were found on one of the local systems in the surveillance room. There was some discussion of firing everyone in surveillance -- three shifts' worth of employees! I opposed that decision because the local drives in the surveillance room were part of a larger network. This meant that any employee with the right knowledge could've downloaded those files from another location in the building. Proper tracking software wasn't in place so there was no definitive way to know who initiated the download. In the end, they put a letter in each guard's personnel file, which I also officially opposed. There was no evidence that a guard downloaded those files. Without evidence, it was nothing more than a lesson to their internal IT management that they weren't getting the job done.

Be prepared to acquire a curmudgeon reputation among your client's employees once you take a stand on the issue, but being popular isn't your goal. In my opinion, the best policy is a closed one -- business PCs are for business use, period.

About

Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.

25 comments
johntheadams

Companies, through their draconian rules against personal Internet use, are wreaking havoc upon e-commerce businesses, and like outsourcing, this policy has a ripple-effect upon the economy as a whole. Capitalism, you see, is not a rational system, and the players in charge aren't rational people.

Wild Card

I like to block non work related sites when I see them getting too much traffic in Websense. No one complains, because they know they shouldn't be there in the first place. Then they all just move to the next site. It's a wonderful game of cat and mouse. The mouse runs this way and I put out my paw. The mouse runs the other way and I put out my other paw.

hard working

I had two viruses on my computer that were contracted accidentally, and my IT manager blocked me from entering an educational site. The site that I received the virus from is still accessible. I log on usually on my lunch hour; not on my company's time. I wanted to know if this sort of "big brother" technique is legal. Any suggestions would be helpful.

kjcscw

Have you encountered a workplace where personal use PCs, smartphones, etc. can be brought in by employees and connected over a public, unsecured network?

reisen55

My wife's school district has gone the draconian route of denying even outside emails into the system. I have always felt there is a good meeting place: tight security, user education and recognition of human nature. Good security: WebSense to screen out porn and such sites from the accidental discovery. Any user who goes to porn regularly should be disciplined instantly and second offense = termination, or do you want a sexual harassment lawsuit? User Education: Conduct informal coffee-klatsch classes with your people, let them know how dangerous sites work and teach them proactive steps. There are only a few to know and use but they are vital. Such as taskmgr and terminating iexplore.exe before it does damage. Human nature: we are not mindless robots and cannot work 8 to 10 hours a day and not have a lunch break. I encourage a few things for such times, such as the wonderful www.1164.com. Visit this one, and you'll find a great web page on BeWitched and all those Hollywood backlots we know so well.

Tony Hopkinson

coming in or going out, either one would be easier, and at least success or failure is easily determined. At work if I go to TR, am I using it to chat with my peers or find something out? If I go to MSN is it for work or for a pet project? Far too many make up policies about what you can do, far too few about what you shouldn't. The further up the hierarchy you go, the less likely any policy will be enforced. Educate your people. Respect your people as fellow professionals. You'll get better results than donning your jackboots and kicking the ass of some poor underpaid and seriously bored pleb as an example. If someone is dumb enough to download porn at work, don't sack them for violating internet use policy, sack them for being too stupid to pour water out of a boot.

RFink

No personal use on company's computers, no business use on my personal computers.

mrwebguy

I too have run into many clients who have issues with enforcement and in turn issues with discipline. I have written upwards of 25 different computer use policies and seen them handled very well and very poorly. You bring up a good point in showing accidental use versus intentional. A prime example is someone researching foot powders for a medical study and then stumbles upon a site about foot fetishes. Your log shows 1 hit to the site for 30 seconds before the next page is loaded that's back on topic. This is obviously an accident. Now, compare that to a person who comes in 20-30 early in the morning and you see 15 minutes of surfing "How to work on my motorcycle" or ebaying for parts for their car. This would be a deliberate misuse of company property and should result in some level of disciplinary action. One of the goals of someone in IT is really to educate co-workers of potential hazards when navigating the web, particularly on networked systems. The IT infrastructure guys know that it's in their job to block as much harmful material as they can but as we all know, there are so many variants that catching everything is impossible. Great story.
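
The distinction drawn in the comment above (one 30-second hit before returning to work pages, versus 15 minutes of continuous off-topic browsing) can be checked mechanically against proxy logs. The following is an added example, not part of the original article or comment; the log format, the pre-assigned `work`/`offtopic` categories, the user and host names, and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical users/hosts): time, user, category, host
SAMPLE_LOG = """\
2024-03-04T10:02:00 alice work pubmed.example
2024-03-04T10:05:10 alice offtopic fetish.example
2024-03-04T10:05:40 alice work pubmed.example
2024-03-04T08:30:00 bob offtopic moto-repair.example
2024-03-04T08:34:00 bob offtopic auction.example
2024-03-04T08:41:00 bob offtopic auction.example
2024-03-04T08:45:00 bob work intranet.example
"""

ACCIDENT_MAX_S = 60    # assumed threshold: a single hit, left within a minute
SUSTAINED_MIN_S = 600  # assumed threshold: ten minutes or more off-topic

def parse(log):
    per_user = defaultdict(list)
    for line in log.splitlines():
        ts, user, category, _host = line.split()
        per_user[user].append((datetime.fromisoformat(ts), category))
    return {u: sorted(ev) for u, ev in per_user.items()}

def episodes(events):
    # Yield (hits, dwell_seconds) per run of consecutive off-topic requests.
    # Dwell = first off-topic hit to next work request (or last hit if run is open).
    run = []
    for ts, category in events:
        if category == "offtopic":
            run.append(ts)
        elif run:
            yield len(run), (ts - run[0]).total_seconds()
            run = []
    if run:
        yield len(run), (run[-1] - run[0]).total_seconds()

def classify(log):
    result = {}
    for user, events in parse(log).items():
        for hits, dwell in episodes(events):
            if hits == 1 and dwell <= ACCIDENT_MAX_S:
                label = "likely accidental"
            elif dwell >= SUSTAINED_MIN_S:
                label = "sustained"
            else:
                label = "needs review"
            result.setdefault(user, []).append((hits, dwell, label))
    return result
```

The labels are triage hints for whoever reviews the log; as the surveillance-room story in the article shows, a log entry tied to a machine or account does not by itself establish who initiated the request.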

CharlieSpencer

It's the company's computer and internet connection. They can enable or disable as much or as little as they wish. It's not 'big brother'; it's their equipment. Suggestions? Learn the difference between censorship and private property.

NotSoChiGuy

Only way to be safe from corporate 'Big Brother'! Attention Woody Harrelson. Paging Woody Harrelson. We have a zombie on the loose! :)

MPITIL

Back while working for a gov't health agency, we had problems with the draconian measures. We couldn't get to some breastfeeding sites that we needed to link to ours or medical sites that showed people exercising (the outfits were too skimpy and triggered something). They finally had to let up a little and trust the staff a bit more.

santeewelding

You have such a charming way of cutting to it. I'm looking, but I'm not finding any way to contradict you.

Sterling chip Camden

A lot of online activity is in a gray area between work-related and non, especially now with blogs and forums that can easily go off-topic. Tell your people you expect them not to abuse their Internet privileges, and then consider how well they comply in the same way you review all their other contributions and use of time.

minstrelmike

I work for the Federal government. They block access to YouTube. Two years ago, I thought that was a good thing--it only has time-wasting videos on it. Nowadays, I get flashed with WebSense when clicking on articles in ComputerWorld and InformationWeek. They post vids of Ballmer's talk or demonstrations of handhelds in action on YouTube now and not only can I not watch them, I get in trouble just for clicking on links (and I'm a computer professional). People who wish to waste time can do so with or without a computer.

JustinF

If someone does a little internet shopping, checks their email or TV guide, bus times, a couple of bank transactions or whatever over the course of a day so what? If they spend a significant amount of time on personal use or if they are looking at inappropriate material then there is a cause for alarm. The work/life balance is a grey area these days so some personal usage of email/internet & phone should be allowed.

ssharkins

I think you're right -- it is impossible to catch everything. All we can do is put the right tools in place, use them diligently, and be prepared to deal with problems as they arise. You know, that kind of caps IT in general. :)

ssharkins

I agree -- some people need flexibility to do their jobs. You'll have to allow for that. I couldn't work without the Internet. On the other hand, employees who don't need the Internet to do their job shouldn't even have access via a work computer, but that's impractical at best.

Tony Hopkinson

from a works PC, not with so many arseholes asking how they can get keyloggers on their employees' PCs so they can see what they are doing. Access my hotmail on occasion certainly, bear in mind, you have no right to privacy doing so if it's on company kit.

NotSoChiGuy

...lest I incur the wrath of the Websense Gods! ;) Thanks!

ssharkins

If unauthorized use wasn't a problem, would we be having this discussion? I agree that a lot of problems can be solved with education and the right tools. But, in the end, the business has to protect itself -- bottom line is, if employees screw up, the business suffers. It's a special deal really. It's one of the few areas that overlap between the business and personal worlds.

Da Saint

The same folks who don't trust you to use the internet correctly are the same folks who don't trust their employees to telecommute.

Tony Hopkinson

There is doing your job and there's not doing your job. It's nice and clear to me. The so called gray bit is attempting to validate that through a selection of urls. The imprecision in such stupidity is the real problem. I got blocked from one site because the person with a potentially useful code, also had his bio on there and some family stuff including some pictures of them as a teen. I can't download Vista widgets on MS's site, because some of them are blocked as well.... Direct and incontrovertible proof of either stupidity or a complete lack of trust.

JamesRL

I know personally all the people in the country who can access my PC, so I don't have a worry about keyloggers. Our PCs get scanned everyday, and the moment a rogue program is detected, people are quickly notified. And my company doesn't provide me a credit card for travel, and I pay my hotel bills and other travel expenses (other than airfare) and get reimbursed. So I do use my bank. I know that if my bank is using SSL the monitoring services can't see what I am sending, though they know where I am going. James