Acceptable Use Policies
In today’s business world, computers are as ubiquitous as the pencil and paper of yesteryear. Almost no type of business can function today without the use of computers in one fashion or another. It seems a paradox, then, that at no other time in history has the commodity of time been stolen and wasted by employees as much as today. These computers that were supposed to speed up our tasks and make us so much more efficient are being used as tools to waste more time than we ever could have without them.
Imagine finding out that an employee has been wasting as much as 1-2 hours per day using the computer to surf the Internet or chat online with friends. As a supervisor, you let them know that their services are no longer required, for obvious reasons. Mere days later, you are served with a Statement of Claim for wrongful dismissal. The claim? Nobody ever told this employee that they couldn’t perform such activities. This argument has been used successfully in the past. This, sadly, is the unfortunate byproduct of a legal system in a severely litigious society.
In order to respond to this type of travesty, we meet the challenge with a Corporate Acceptable Use Policy (AUP). Every company or entity with more than 1 employee (the owner) should have a strong AUP in place, and yet easily fewer than 40% of businesses have one. Most small businesses would say they aren’t big enough to need one, but the example above shows that even 1 or 2 staff members can cause problems such as this. Even worse, the smaller your company, the larger the impact of a frivolous lawsuit.
There should be no question that an AUP is a necessary and integral part of any business’s computing environment. Of the fewer than 40% of companies that actually have an AUP, only about 10% have it properly deployed. Experience, usually bad, teaches users what works and what doesn’t, and we have found in our investigations that an improperly worded or deployed AUP is every bit as bad as no AUP at all.
A myriad of issues need to be addressed in any AUP, and we have tried to address the most important ones here. Obviously no two companies are alike, and any AUP will need to be adjusted accordingly.
The single most important consideration for any computer network must be security. Security above all else will dictate the freedom of access that any user has over their computer. Most small businesses have nothing to govern the access their users have: a user can make changes to the computer, transfer data at will, and use the Internet to go anywhere they want, with no restriction. At the other end of the spectrum, high-security installations, such as various branches of government and R&D departments of large-scale companies, have extremely tight restrictions on what employees can do, and even go so far as to fill USB ports with epoxy so they cannot be used.
An AUP is not just for employees either. It needs to have direction regarding contractors that may use your network, either by sitting at your computers, or by connecting their own devices. Don’t forget employees that use their own computers on the corporate network.
Security is a double-edged sword that must be considered. At one end of the scale is convenience, and at the other end is security. The trick is to find the balance at which the two work for a company’s applications. It would also be unreasonable to apply the same settings and rules to all computers in the network. Obviously the CEO, as well as a development department, may need far greater access than a receptionist.
Having an AUP is not enough. We have seen cases where a wrongful dismissal case was successfully won because the employee stated that although they had signed an AUP upon being hired 2 years prior, they couldn’t possibly remember what it said. You cannot have an employee sign a piece of paper upon hiring and expect them to remember its contents forever. You must have the AUP deployed in such a way as to ensure the employees always have access to it.
The most efficient way to do this is to have what is called a “click-through” notice. In order for employees to log on to their computers, they must first click their acknowledgement of and agreement to the AUP. There should be a clickable link to the full AUP from this notice. This completely eliminates the “I didn’t know” argument.
How Much Internet Access and When
There is no question that employees would be perturbed if they were not allowed any access to the Internet. Having said that, if the employee has no need at all to use the Internet for their daily role, then why have it? It is possible in many different ways for an employee to send and receive e-mail with no Internet access.
Arguments that have been brought up in court in the past include how the AUP applies to coffee breaks, lunches, overtime, employees staying late on their own time, and so on. While an unpaid lunch hour may very well be the employee’s time, the computer and network used to access the Internet still belong to the company. If the employee inadvertently infects the network and causes a great deal of damage and downtime, the virus won’t care whether it happened on paid time or not. Purely from a security perspective, Internet activity needs to be strongly regulated no matter when the computer is in use.
Transferring of Data
Probably one of the most prevalent abuses seen in the corporate world is the theft of proprietary data. Very common also is the destruction of corporate data by a disgruntled employee. An AUP should outline what access, if any, an employee has to the data storage areas of the network, as well as what the rules are pertaining to removing it from the network. AUPs should address the deletion/destruction of files as well.
Any AUP needs to address the connection of external devices to the computer. Are employees allowed to use their USB thumb drives on any computer in the network? How about outside CDs or DVDs? A very common example of corporate espionage today involves loading a number of USB drives with malicious programming that will open a back door into the network. These USB drives are then dropped at random in places where employees will find them, such as the coffee shop in the building lobby or around the elevator on the company floor. This technique is more commonly known as “salting”. Human nature is such that the first thing we want to do is plug the drive into our computer to see what is on it. Once it is plugged in, it is too late, and the malicious programming automatically deploys. It is also possible to allow USB devices but set the computers up so that data transfer is one-way. In other words, users can move data FROM the device TO the computer, but not the other way.
Your AUP should give direction on what a user is allowed to change or modify on their computer. Most AUPs have a blanket policy that bars users from changing any settings. This is a good policy, but again this is one area in which a lot of damage can be done. By changing a setting, whether accidentally or intentionally, a user can cause thousands of dollars of damage to a network. Viruses can be injected into a system through something as innocent as changing a screensaver or the desktop wallpaper. A common monitoring program found on Windows networked computers can easily be shut off with a couple of mouse clicks.
Although an AUP should be an integral part of any network environment, it is not a panacea. It should be backed up with proper network administration. Almost every issue I have addressed in this article can be further enforced by proper permissions deployment across the computers in the network. A very brief list of settings that can be controlled includes:
- When the Internet can be accessed, if at all.
- What Websites can be accessed and which ones cannot.
- What settings a user can change on their computer.
- What programs can be accessed and when.
- What devices can be connected to the computer, if any.
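As an added example (not from the article or its author), the script below shows how two of the controls discussed map onto Windows settings: the logon click-through notice and the one-way USB data transfer, written as the registry values behind the corresponding Group Policy settings, plus an audit function that reports whether both are in place. The UNC path to the AUP is an assumed placeholder, and the Windows logon banner carries plain text only, so it states where the policy lives rather than linking to it.

```powershell
# Added example, not the article's own material. Run in an elevated PowerShell
# on a Windows workstation. On a domain-joined machine, set these through Group
# Policy instead; local registry edits are overwritten at the next policy refresh.

$PolicySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
# Device-class GUID for "Removable Disks" used by the Removable Storage Access policy
$RemovableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Set-LogonAupNotice {
    # Message the user must click through before the logon prompt appears
    # (policy: "Interactive logon: Message title / text for users attempting to log on").
    param(
        [string]$Caption = 'Acceptable Use Policy',
        [string]$Text    = 'Use of this system is governed by the Acceptable Use Policy ' +
                           'at \\fileserver\policies\AUP.pdf (assumed path). Clicking OK ' +
                           'acknowledges that you have read and agree to it.'
    )
    New-Item -Path $PolicySystem -Force | Out-Null
    Set-ItemProperty -Path $PolicySystem -Name 'legalnoticecaption' -Value $Caption -Type String
    Set-ItemProperty -Path $PolicySystem -Name 'legalnoticetext'    -Value $Text    -Type String
}

function Set-RemovableDiskReadOnly {
    # One-way transfer: files can be copied FROM a USB disk TO the computer,
    # but nothing can be written back to the device. Re-plug the device
    # (or reboot) after applying so the new access policy takes effect.
    New-Item -Path $RemovableDisks -Force | Out-Null
    Set-ItemProperty -Path $RemovableDisks -Name 'Deny_Write' -Value 1 -Type DWord
    Set-ItemProperty -Path $RemovableDisks -Name 'Deny_Read'  -Value 0 -Type DWord
}

function Test-AupControls {
    # Audit check for both controls; Compliant is $true only if both are present.
    $sys = Get-ItemProperty -Path $PolicySystem  -ErrorAction SilentlyContinue
    $usb = Get-ItemProperty -Path $RemovableDisks -ErrorAction SilentlyContinue
    $noticeOk = -not [string]::IsNullOrWhiteSpace($sys.legalnoticetext)
    $usbOk    = ($usb.Deny_Write -eq 1)
    [pscustomobject]@{
        LogonNotice     = $noticeOk
        UsbWriteBlocked = $usbOk
        Compliant       = ($noticeOk -and $usbOk)
    }
}

Set-LogonAupNotice
Set-RemovableDiskReadOnly
Test-AupControls | Format-List
```

Test-AupControls can be run on its own from a remote management session to confirm that the notice and the write block survived the last Group Policy refresh.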
Although some of the above may sound draconian, employers must first ask themselves what they have to lose if these controls are not in place. Without a properly advised and administered AUP, an employer might also find themselves on the wrong end of Federal Wiretap Laws. Acceptable Use Policies have not developed simply because somebody had extra time on their hands. Sadly, they have been born of necessity.
Note: The above information is the sole opinion of the author and NOT legal advice in any capacity. Seek legal advice from your attorney before acting upon any of the information contained in this article.
Kevin J. Ripa is the President of Computer Evidence Recovery, Inc, and has been involved in numerous complex cyber-forensics investigations. He can be contacted via his Website at www.computerpi.com.