Personnel policies for an electronic workforce

Employees can often waste time emailing colleagues and surfing the net. What’s more, they could be damaging your business with their careless words

You need to identify exactly what the purpose of email and Internet access is for employees. Email should be used to relay information between employees and customers or suppliers. Web access should be seen as a tool for getting information from the world at large. Although email can be used as a quick, easy and reliable method of communicating, it should be recognised that it is not suitable for all occasions.

Your policy should state what may or may not be sent by email. It is wise not to send confidential information (particularly matters pertaining to personnel) by email, not only because it may be misdirected, but also because messages can be saved (at least temporarily) and may be recovered and read by other staff.

It is necessary to point out, particularly to those new to email, that anything they write in an email can be read by their manager, their system administrator and, potentially, the courts. Therefore, they must not write anything that could be considered libelous or in contempt of your employers. However, it's worth noting that the government are currently considering changing the law in order to protect the rights of employees who wish to make personal phone calls and send private emails from their place of work.

You need to set out what steps will be taken against employees who contravene the rules, whether this is by withdrawal of email privileges, an official warning or action taken against them. You need to do this to affirm the seriousness of breaches because the potential for damage to your business is enormous.

A sample policy, which should be signed by each employee, should support the overall network security program, including what steps are required of each employee and support staff, and what to do in the event of problems. It should also clearly outline what is and what is not appropriate behaviour and what the penalties are for breaches thereof.

It is vital to set forth guidelines for email conduct, or netiquette as it is sometimes called. The problem is that because email can be instantaneous, people often see it as a soft or casual medium for communication. This can lead to sloppy grammar or spelling, which in turn can lead to your staff being viewed as unprofessional or downright rude by your customers or other staff because they don't know how to use email appropriately. A good rule of thumb is for your staff to always write in a style that would be deemed appropriate if they were writing to the MD. They wouldn't use emoticons, or slang, in an email to the MD, so why would they do so to your best customer?

Also, be aware of the confidentiality, or lack of it, with email. Though you may correctly address a mail, it may be misdirected or sit in the system administrator's in-box or be read by external companies. This is particularly important with email attachments. Since the Melissa virus, some companies have enlisted outside agencies to screen mail with attachments. While this shouldn't necessarily mean that the email is read by someone else, it does add another link into the chain of people handing over your documents. If you want to make a rule for confidentiality for email for your staff, you could suggest that if a document is of a nature which indicates that it would normally be sent by courier, then send it by courier rather than by email.

You could use encryption software which renders email unreadable without a decrypting key (this is sent, under separate cover, to the intended recipient). However, this method does require a certain amount of planning and forethought, as well as co-operation between the parties. It may also slow down email, robbing it of one of its major advantages over other means of communication.

If your employees have Internet access, controlled or otherwise, you will need to include a ruling on accessing online email. Because of the risk associated with infecting your systems with viruses, the downloading of email attachments from online email services should be prohibited. The rule also prevents employees from conducting trivial non-work related email conversations with their friends during work time.

It is a good idea to use your email policy to set out a group signature for your company. The IT Network, like most companies, has one that is modified according to the person's extension number and email address. This means that each email is signed off in a formalised style which encourages employees to think of an email as a document which must be taken seriously, both by the sender and the recipient.

Controlling content

You can also use products like Mailsweeper, part of the MIMEsweeper suite from Content Technologies, which provides protection from spam attacks, infection and data loss from email-borne viruses. Mailsweeper also minimises the likelihood of legal liabilities arising from offensive email by allowing administrators to scan emails for offensive words or phrases before the email is sent.

Mailsweeper is content policy based, which means it automatically enforces your email and web policies. Content Technologies estimate that 38 per cent of all documents travel by email. This is a massive risk when you consider the consequences of disclosure of such documents. Companies like Ericsson and the BBC have learned the hard way that any association with pornography, racism or sexism can have a devastating effect on a company's image.

The MIMEsweeper suite enables you to prevent downloads from particular websites or of certain file types (images etc). WEBsweeper, also part of this suite, protects your network from hostile attacks from Internet content, particularly Java- and ActiveX-borne viruses which can degrade productivity very quickly.

MIMEsweeper is only one of a myriad of products designed to protect your networks and control the content leaving and entering the company. Many are integrated with anti-virus software, designed to protect you from all areas of attack. One such product, ISS Security Suite, looks at the security measures you have in place, notes how effective they are and helps you create a more effective security programme.

Downloading files from the Internet, generally, doesn't tend to be work related. With the exception of instructional files on how to use software, news or technological developments, there are few things that can usefully be downloaded in the business context.

You may never be able to stop employees maliciously breaching email and anti-virus policies because there are so many ways this can happen and email is only one of them. You need to tackle the issue of unauthorised installation of software onto machines - a source of many software crashes as well as virus infections. But you need to find that line between laissez faire access and draconian rules that will stop people wanting to communicate.

However, it is important that employees are made aware of the responsibility that they have been given by being allowed email and Internet access. We often take it for granted. You get a PC and it has an Internet connection. It is on your desk and it is a tool, like a pen or a stapler. Yet, this is the one tool that can affect every other networked PC and destroy customer relations in seconds, through an employee's misplaced comments. Staff need to realise that every communication tool has the potential to make or break a customer relationship and it is down to them to access the Internet and use email in the right way.

Rachel Hodgkins
