Most employees nowadays use the internet at work for a variety of reasons. Whether it’s personal finance, shopping or simply entertainment during lunch hours, most people will spend a substantial amount of time online. However, there is a significant risk to the employer from these activities, particularly if people spend a lot of time posting or sharing information on forums and social media.
It is important that these risks are identified and can be mitigated by various methods, including creating an internet usage policy. This should also include other internet activities which may affect productivity and network safety. For example, the policy should cover other non-work-related activities such as using a company VPN to watch BBC from Ireland.
Legal liabilities from defamatory postings by employees

When a user registers with a site they typically have to indicate their acceptance of the site’s terms and conditions. These can be several pages long and contain difficult-to-read legal language. Such terms and conditions may give the site ‘ownership’ and ‘third party disclosure’ rights over content placed on the site, and could create possible liabilities for organisations that allow their employees to use them. For example, where a user is registering on a site from a PC within the organisation, it may be assumed that the user is acting on behalf of the organisation, and any libelous or derogatory comments may result in legal action. In addition, information being hosted by the website may be subject to other legal jurisdictions overseas and may be very difficult to correct or remove.
Reputational damage arising from ill-considered or unjustified comments left on sites may adversely affect public opinion toward an individual or organisation. This can lead to a change in social or business status with a danger of consequential impacts.
Malicious code targeting social networking users causing virus infections and consequential damage

Sites may encourage or require the download and installation of additional code in order to maximise the site’s functionality and potential values. Where sites have weak or ineffective security controls it may be possible for code to be changed to contain malicious content such as viruses and Trojans, or to trigger unintended actions such as phishing.

Systems overload from heavy use of sites with implications of degraded services and non-productive activities

Sites can pose threats to an organisation’s information infrastructure. Particularly as the use of rich media (such as video and audio) becomes the norm in such sites, the bandwidth consumption generated by these sites can be significant and they have the potential to be the biggest bandwidth consumers within an organisation.

Intimidation of employees from inappropriate use of sites leading to investigations

How might the organisation respond to these risks?
Whilst there are technical controls that could be applied, the main defence against threats associated with blogging and social networking is awareness related. Actions that may be considered by NHS organisations include:

– Deploying technical controls to block or control permitted website usage;
– Revising and updating organisational policies to include acceptable use of blogging and social networking sites.
Policies and standards should be clear about the acceptability of accessing sites during working hours and from the organisation’s internet-connected devices, e.g. PCs, mobile phones etc. The consequences of non-compliance with organisational policy should also be clear.