The improper use of computer equipment by staff can represent a serious threat to any business, causing potentially costly losses in terms of productivity, reputation and copyright. Examples of employee computer misuse might include the viewing of pornography, intellectual property theft or the distribution of offensive emails.
Cyber skiving, the act of using a computer terminal for personal use during working hours is a particular problem, with one survey by Thomas Cook revealing that UK staff waste an average of 2.5 hours per day, equivalent to 75 days per year, conducting personal business such as checking emails or using instant messaging services. In addition, if an employee distributes negative or defaming material via their company network, in some cases it could be the company that is answerable in court for any loss or damages caused. For these reasons, it is important to introduce an auditing system to ensure that employee computer use is regularly monitored and controlled.
If your company is considering introducing such a system, the following steps should be taken. First, an Acceptable Use Policy (AUP) should be drafted and distributed to all personnel to ensure that they are fully aware of what activities constitute computer misuse. This policy should also prohibit employees from deleting email or internet history logs, so that detailed auditing can take place if necessary.
Second, if you intend to monitor email correspondence or internet usage, it is wise to make employees aware of this as employers are only permitted to monitor staff covertly in cases where unauthorised or illegal use of computers is already suspected. In addition, making your auditing policy public should also act as a deterrent against employees becoming involved in unauthorised behaviour.
While employers are quite within their legal rights to monitor business related emails, monitoring the contents of personal emails is considered a breach of an employee’s right to privacy. As such, it is wise to avoid generally monitoring content, and instead introduce a system where basic email details such as recipients, number of attachments and volume are monitored, and only investigate content where wrongdoing it suspected. Specialist software can be used to automate this basic monitoring process, which means that a manager would only need to become involved if the system flagged unusual behaviour.
Similarly, there is software available which can monitor which websites a staff member is accessing and raise a flag if an inappropriate site is visited, or if an employee is spending an exceptionally long period of time on a small number of sites. In this way, companies can choose to investigate the employee’s internet history only if they feel there is reason for suspicion.
If a serious case of computer misuse is suspected, however, it is wise to call in the assistance of a computer forensic analyst, rather than tackle the investigation alone as even turning a computer on can change the data stored within it. A computer forensics expert can ensure that the investigation does not involve contamination of the evidence which could lead to it being rendered inadmissible in a court of law or employment tribunal.
To summarise, as businesses become more reliant on computers, the risks posed by computer misuse also grow, so it is vital that an effective auditing policy is put in place to ensure that any cases of illegal or unauthorised actions are quickly identified.