Many UK employees have either never heard of their company’s acceptable use policy (AUP) for computers or choose to ignore it, according to a survey by open source security vendor SmoothWall.
While 70% of the companies surveyed claimed AUPs were important for security, 40% of the 300 employees polled said they were unaware of its contents when asked.
The biggest AUP-breakers are employees using non-approved applications, with personal email access the main offence. Just over 60% of employees saw no problem in using webmail systems such as Gmail, Hotmail or Yahoo while at work, despite the risks of doing so. Instant messaging applications were found to be used regularly by 41% of employees.
On the same track, Skype is a growing theme, with more than 20% of employees surveyed firing up the VoIP application to make calls. Skype calls are encrypted, presenting an obvious regulatory risk in some companies, and the application itself is considered almost impossible to detect once it has set up a call connection. If such calls detect suitable bandwidth, a network can become riddled with bandwidth-consuming Skype super-nodes, used to relay calls from less well-provisioned clients.
More than third of employees admitting to browsing the internet for reasons not related to work. Most of this did not happen during lunch, and approximately 40% of respondents shopped from their desks during work time.
SmoothWall managing director George Lungley says the root of the problem is that companies don’t properly communicate AUPs beyond getting employees to sign up to them in their employment contract.
“They are not enforcing it [AUPs] or applying any sanctions as they would enforce health and safety policies,” he says. “This survey suggests it’s more than a hardcore minority.” Instead of handing the problem over to remote HR departments, AUPs are better communicated — and less likely to be ignored — if they are made the responsibility of line managers, he says. Anecdotally, more UK companies appear to be adopting new approaches to enforcing AUPs. Some organisations allow workers to use designated computers for web access during specified hours, while others remind people of the AUP every time they log on.