This article looks at some practical suggestions for businesses facing problems arising from staff misuse of IT.
Private and business use of technology seems to be becoming increasingly blurred. Gone are the days when all employees are office-based and work from computers belonging to the business. Many businesses now allow or indeed encourage employees to work from home occasionally or as a matter of course. The use of private mobile devices at work is also on the increase. How can the employer remain in control of the employee’s activities?
Our technology group has seen an increase in enquiries from businesses seeking to deal with the new challenges arising from misuse of technology by their employees. Concerns may arise from the amount of time (read the business’ money) employees are wasting on Facebook, or Twitter, and also from the content of postings by employees and how that reflects on the business. Technology may also be misused by a disgruntled employee in a far more calculated way to harm the business – by deliberately berating the business in a public forum (perhaps anonymously) or by downloading a database onto a memory stick to set up in competition, for instance.
Whilst you cannot prevent all forms of harm, there is actually a lot that businesses can do to minimise the misuse of IT by the employees. These are just a few thoughts:
1. Do you know who is using business equipment and who is using personal equipment to carry out their duties?
2. Do you have an adequate monitoring policy in place which allows the business to monitor email communications ?
3. Do you have a social networking policy? Some businesses prefer for instance to only allow employees to access Facebook for an hour at lunchtime.
4. What is the business’ culture in relation to the use of private mobile devices at work? Good old-fashioned floor-walking by line managers with appropriate and clear penalties for misuse can go a long way towards encouraging appropriate behaviour at work.
5. Are misusers of IT disciplined – are the right messages being sent out?
6. Are employees subject to adequate and appropriate restrictive covenants in their contracts of employment?
7. Is access to confidential information appropriately restricted and password-protected?
Prevention is always better than the cure, but occasionally a crisis arises and has to be dealt with. For instance, a disgruntled employee blogs anonymously about the business, perhaps revealing confidential business information. This activity can cause real commercial and reputational damage. Steps can be taken to bring it to a halt, and to seek redress. Generally speaking, in a crisis situation where real harm has been done or is suspected businesses should:
1. Escalate the problem immediately to the highest level and confine discussion of the issue only to those who “need to know” – usually the senior management team.
2. Not attempt to secure electronic evidence without first taking advice in case it is inadvertently damaged, potentially rendering it useless for the purposes of any subsequent criminal or civil case.
3. Protect customer/supplier relations – if an employee has done something to damage the business and third parties could be affected, the business must invest at a high level immediately in restoring the confidence of those third parties.
4. Take legal advice immediately so that the situation can be assessed at an early stage and an appropriate legal and commercial strategy implemented.