The Publication for Professional
Security Management

Enforcing Internet use

Written by Neil Sutton, April 30, 2008

It’s understood that employees are going to fritter away company time on the Internet. You do it. The people who report to you do it. Your boss probably does it too.


But eventually companies have to draw a line in the sand. Reading news and e-mail is probably OK; downloading large music files probably isn’t. Making these distinctions is pretty easy, but making them stick isn’t.

Creating an acceptable use policy (AUP) is an exercise in diplomacy, says Roy Wiseman, IT director for Peel Region, Ont. It’s not enough to lay down the law and expect everyone to blindly obey, he says. “Quite frankly, I think if your policies are too restrictive then you lose a certain amount of credibility.”

The idea is to create a document that’s going to protect the organization but not patronize the users.

“Our approach tends to be to block things that are fairly obviously inappropriate,” says Wiseman. An example would be gambling sites — something that’s clearly going to eat up a lot of time and contribute nothing towards job goals.

But “there are lots of other sites that are not primarily work-related that we wouldn’t choose to block. We do allow what we would call ‘occasional personal use’ of the Internet during work hours.”

The AUP document for Peel Region employees was created by a committee. HR, IT, legal, audit and records management departments all have a say in how the document is shaped. They meet once a month to update the AUP; it’s a living, breathing document, says Wiseman, because it reflects a medium that is constantly changing.

“I remember 10 years ago, there were discussions as to whether all employees should be able to have access to the Internet. Those discussions seem a little silly today,” he says. He describes today’s AUP as “fairly lenient.”

There is the occasional grumbling from employees who feel it’s too restrictive, but most people feel it’s fair. Only in the most extreme cases would it be used for disciplinary action: porn-surfing, for example, is legitimate grounds for dismissal.

A group of users with less say in the matter is high school students. They are probably more savvy Internet users than the average Canadian surfer, and more capable of doing harm to a network, whether it’s deliberate or not.

They’re potentially “the enemy within,” says Don Reece, IT director for Pembina Trails School Division in Winnipeg. “We give them the time, the tools, the training and let them loose inside our network. We have the unfortunate challenge of having to protect ourselves from the Internet and ourselves from our users.”

It’s not like schools are cultivating hackers and criminals, but there are factors at work in high schools that may not apply quite so broadly in the outside world. Cyber-bullying, for example, can make a child’s life miserable, and is just one of the “don’ts” spelled out in the school division’s AUP.

“It took almost a year to look at other school divisions to develop a policy,” says Reece. The school division doesn’t allow web-based e-mail. Facebook is also blocked.

By contrast, access to Facebook and other social networking sites is still allowed at Peel Region. The lines between social networking for leisure and work purposes are blurring, explains Wiseman, and there may be a legitimate reason for users to view such sites at work. Until there’s a compelling reason to block them, they’ll remain available to Peel workers.

Pembina is much more restrictive than Peel, but with good reason, says Reece. Once a student has signed an AUP (if they’re under 18, it’s signed by a parent), the document gives the school board some leverage. If a student is discovered to be using the Internet for mischief or worse, “the AUP becomes the foundation of the whole argument. We say, ‘The reason we feel comfortable to talk to you about this is because you signed the AUP.’”

It’s not mindless authoritarianism, says Reece, but a way of making sure minimum standards are met.

“The culture of schools is rules-based; probably more rules-based than, I would say, the culture of business (which) is more responsibility-based.

“It’s the culture, the spirit of not hurting other people, not damaging equipment, not being a cyber-vandal,” he says.

Local police are occasionally brought into Pembina schools to reinforce this culture — to teach students and teachers alike about safe Internet use, and how to recognize cyber-bullying, online predators and ID theft.

“The goal of school is to help people generalize. We’re going to teach you a strategy to help you learn how to problem-solve,” he says.

Positive reinforcement works in schools, but is also very applicable in the business world, according to Telus’s chief security officer, Gene McLean.

For three years, the telco has provided a mandatory e-learning course for its 30,000-plus employees. Everyone from entry-level employees to high-level executives must take the online course, which takes 20-30 minutes.

The president and CEO had to personally authorize the test and take it himself. It was deemed a worthwhile use of employee time, and has paid dividends, says McLean. It covers not only Internet use, but physical security best practices as well.

“We get good feedback, and we roll the course out the following year again,” says McLean. “That is one way to make employees aware of good security procedures and make sure they get a chance to think about it.”

McLean is convinced employees aren’t looking to waste company time or resources. They “have the best intentions and want to work hard” but “sometimes they could get off focus, which is why you need a good set of policies and procedures.”

The temptations are strong, according to Andrew Berkuta, senior security evangelist at Santa Clara, Calif.-based McAfee Inc. Employees have the means to surf the Internet and snoop around data files that may be floating around an organization unprotected. “There is that propensity to look at a directory you weren’t supposed to. People are curious by nature.”

Berkuta says he’s a “big proponent of education,” but unlike Telus, not all companies can afford to shell out for training. A solid AUP is a way to establish boundaries and enforce corporate policy. It boils down to one thing, says Berkuta: “It’s CYA: cover your assets.”
Last modified on April 30, 2008