In today’s business world, computers are as ubiquitous as the pencil and paper of yesteryear. Most any type of business cannot function today without the use of computers in one fashion or another. It seems a paradox, then, that at no other time in history has the commodity of time been stolen and wasted by employees as much as today. These computers that were supposed to speed up our tasks and make us so much more efficient are being used as tools with which to waste more time than we could have ever been able to without them.

Imagine finding out that an employee has been wasting as much as 1-2 hours per day using the computer to surf the Internet or chat online with friends. As a supervisor, you let them know that his or her services are no longer required for obvious reasons. Mere days later, you are served with a Statement of Claim for wrongful dismissal. The claim? Nobody ever told this employee that they couldn’t perform such activities. This has been used successfully in the past. This sadly is the unfortunate byproduct of a legal system in a severely litigious society.

In order to respond to this type of travesty, we meet the challenge with a Corporate Acceptable Use Policy (AUP). Every company or entity with more than 1 employee (the owner) should have a strong AUP in place, and yet easily less than 40% of businesses have them. Most small businesses would say they aren’t big enough to need one, but our example above shows that even 1 or 2 staff members could cause problems such as this. Even worse, the smaller your company, the larger the impact from a frivolous lawsuit.

There should be no question that an AUP is a necessary and integral part of any business’s computing environment. Out of the less than 40% of companies that actually have an AUP, only about 10% are properly deployed. Experience, usually bad, teaches users what works and what doesn’t, and we have found in our investigations, that an improperly worded or deployed AUP is every bit as bad as no AUP at all.

A myriad of issues need to be addressed in any AUP, and we have tried to address the most important ones here. Obviously no two companies are alike, and any AUP will need to be adjusted accordingly.

The single most important consideration for any computer network must be security. Security above all else will dictate the freedom of access that any user will have over their computer. Most small businesses have nothing to govern the access their users have. A user can make changes to the computer, transfer data at will, and use the Internet to go anywhere they want, with no restriction. On the other end of the spectrum, high security installations, such as various branches of government, and R&D for large scale companies have extremely tight restrictions on what employees can do, and even go so far as to fill USB ports with epoxy so they cannot be used.

An AUP is not just for employees either. It needs to have direction regarding contractors that may use your network, either by sitting at your computers, or by connecting their own devices. Don’t forget employees that use their own computers on the corporate network.

Security is a double edged sword that must be considered. At one end of the scale is convenience, and at the other end is security. The trick is to find the balance at which the two work for a company’s applications. As well, it would be unreasonable to apply the same settings and rules to all computers in the network. Obviously the CEO, as well as a development department may need far greater access than a receptionist.

Deployment Considerations
Having an AUP is not enough. We have seen cases where a wrongful dismissal case was successfully won because the employee stated that although they had signed an AUP upon being hired 2 years prior, they couldn’t possibly remember what it said. You cannot have an employee sign a piece of paper upon hiring and expect them to remember its contents forever. You must have the AUP deployed in such a way as to ensure the employees always have access to it.