Caught in the web

Workplace culture: Managing employee Internet use requires a standard acceptable use policy and sensible web access controls.

By the time the city of Edmonton released its first report on employee Internet use in February, three workers were history and two more were under investigation. Their offence? Accessing material such as porn, gambling, extreme violence and hate websites from their office computers. But the report revealed 164 city workers spent at least 17 hours per month visiting sites unrelated to their jobs. And all this mischief occurred despite an Internet use policy, and software meant to block objectionable content.

“Any time you tell people what they can’t do, they’re going to find a way to do it,” says Chris Higgins, a work/life expert and professor at the Ivey School of Business in London, Ont. A survey conducted by Harris Interactive Inc., a market research firm based in Rochester, N.Y., shows 61% of employees browse non-work websites for an average of three hours per week. Despite the abuse—and high-profile crackdowns, such as the government of Ontario’s surprise ban on networking site Facebook, in May—more than one-third of Canadian companies lack web access controls, according to a poll developed by Robert Half Technology, an IT staffing agency.

That oversight invites productivity losses, bandwidth problems, computer viruses and inappropriate material. The threat of litigation poses an even greater risk, says George Goodall, an analyst at London-based Info-Tech Research Group. “We talk a lot about managing users, but it’s as much a matter of managing the bread crumbs that users leave behind,” he says. E-mail and instant messaging trails can be traced to provide powerful evidence in court.

But don’t rip the cables out of the wall to protect your company. Effective IT management starts simply enough with a standard acceptable use policy, Goodall says. The policy should set out Internet access rules and needs employees to consent to having their online activities monitored and, if necessary, recorded for future review. Employees must be informed prior to monitoring to conform to federal privacy legislation. Companies can set up a blacklist to block undesirable sites, or a whitelist, which grants access only to pre-approved sites. Penalties can be set for those who circumvent the controls.

Ideally, upper management should let workers determine the best fix, but employees must get a reasonable amount of personal time. “Otherwise, employees are going to start taking vacation days and sick days and being late,” Goodall says.

In Edmonton, city auditor David Wiun, whose office compiled the February report, says web access remains open to news, sports and weather sites. But blocking software was enhanced, and users now see the IT policy when they log on. Reception has been positive. Higgins favours a simpler approach: set aside two hours in the morning and afternoon solely for work—no phone, e-mail or web. “The rest of the time, do what you want on other job-related tasks,” he says. Just remember to point out that online poker is still a nine-to-five no-no.