Not too long ago in the long history of commerce, businesses began to buy computers to make their employees more productive. The idea caught on. Fewer employees got more work done in less time.
However, those first computers were functionally limited. There was no internet access and no ability to use them for anything other than their intended purpose. There was no online shopping, no personal email, no Facebook, and no IM. In general, it was a pretty boring machine. There was no reason to turn it on when you weren’t working.
Today, in addition to being a productivity tool, a computer also has the potential to be a great time-waster. Employees can now use the same computer to shop, bank, communicate with their friends and play games, as well as for work. You hope that most employees will exercise appropriate discipline. However, to employees just joining the workforce and who grew up with technology, computer use so much a part of their lives that it’s as natural as breathing. Have you explicitly told your employees what the rules are for using your business computers? If you haven’t, don’t expect them to know.
Loss of productivity is not the only risk from personal use of business computers. Social networking sites are more prone to viruses and spyware that might infect computers on your network. This could affect the availability of your systems for other users, the loss of data, or even a security breach. Could one of your employees be involved in online activity that could be considered offensive or illegal? You probably want to be able to demonstrate that they do not have your permission to use your business computers for this activity.
The proper way to notify employees of your expectations is through publication of an Acceptable Use Policy (AUP). This document should spell out the employee’s basic responsibilities with regard to your computers and the rules for their use. You should require your employees to review and sign this document annually and keep the signed document in their personnel file. That way you have effectively established that you communicated the policy to each employee. That will come in handy if you ever need to discipline an employee for misuse of your computers. Their #1 defense would probably be that they did not know they were doing anything wrong. You can end that discussion! This document could also be invaluable if any third-party feels that they have been harmed by your employee’s actions.
So, what should be in your Acceptable Use Policy? The actual content is beyond the scope of this article, but I suggest that you “google” the term and you will find some AUP templates and samples that will give you a start. Typically, an AUP will have some basic principles stating that the computer is provided for business use and that you have the right to monitor its usage through any available tools to validate that it is being used for its intended purpose. The AUP would also spell out the employee’s responsibility to protect the IT assets under his control and the company’s systems and business data. This would include protection of passwords and the requirement to lock the computer when leaving it unattended.
Usage rules would cover any illegal activities including copyright infringement. Another good rule would be to prohibit the possession of confidential information from another company unless that company has specifically disclosed that information to you. Your employees will consider the policy pretty draconian is they are never allowed to use the computers for any personal activity. However, you should spell out the rules you think are appropriate for your situation. You may want to limit personal use to specific times of the day like breaks and lunchtime, and specific activities that are less risky. Some risky activities like P2P file sharing or possession of objectionable materials should never be allowed. Whatever personal use that you allow, you should make it clear that you are not responsible for the security of the transaction and the employee uses your computer at their own risk.
The final thing is to include a section that states that violation of these policies will be subject to disciplinary action up to, and including, termination. If subcontractors use your computers or systems, you may need to tweak the wording to include removal from the account or termination of the contract.
I recommend that you keep it as short and crisp as possible. It’s probably a good idea to run it by an attorney. A good AUP can save you from some pretty severe headaches and is well worth the time and effort.