Canadian Security Magazine

Enforcing Internet use

Neil Sutton   

News Data Security

{mosimage} It’s understood that employees are going to fritter away company time on the Internet. You do it. The people who report to you do it. Your boss probably does it too.

But eventually companies have to draw a line in the sand. Reading news
and e-mail is probably OK; downloading large music files probably
isn’t. Making these distinctions is pretty easy, but making them stick

Creating an acceptable use policy (AUP) is an exercise in diplomacy,
says Roy Wiseman, IT director for Peel Region, Ont. It’s not enough to
lay down the law and expect everyone to blindly obey, he says. “Quite
frankly, I think if your policies are too restrictive then you lose a
certain of credibility.”

The idea is to create a document that’s going to protect the organization but not patronize the users.

“Our approach tends to be to block things that are fairly obviously
inappropriate,” says Wiseman. An example would be gambling sites —
something that’s clearly going to eat up a lot of time and contribute
nothing towards job goals.


But “there are lots of other sites that are not primarily work-related
that we wouldn’t chose to block. We do allow what we would call
”˜occasional personal use’ of the Internet during work hours.”

The AUP document for Peel Region employees was created by a committee.
HR, IT, legal, audit and records management departments all have a say
in how the document is shaped. They meet once a month to update the
AUP; it’s a living, breathing document, says Wiseman, because it
reflects a medium that is constantly changing.

“I remember 10 years ago, there were discussions as to whether all
employees should be able to have access to the Internet. Those
discussions seem a little silly today,” he says. He describes today’s
AUP as “fairly lenient.”

There is the occasional grumbling from employees who feel it’s too
restrictive, but most people feel it’s fair. Only in the most extreme
cases would it be used to for disciplinary action: porn-surfing, for
example, is a legitimate grounds for dismissal.

A group of users with less say in the matter is high school students.
They are probably more savvy Internet users than the average Canadian
surfer, and more capable of doing harm to a network, whether it’s
deliberate or not.

They’re potentially “the enemy within,” says Don Reece, IT director for
Pembina Trails School Division in Winnipeg. “We give them the time, the
tools, the training and let them loose inside our network. We have the
unfortunate challenge of having to protect ourselves from the Internet
and ourselves from our users.”

It’s not like schools are cultivating hackers and criminals, but there
are factors at work in high schools that may not apply quite so broadly
in the outside world. Cyber-bullying, for example, can make a child’s
life miserable, and is just one of the “don’ts” spelled out in the
school division’s AUP.

“It took almost a year to look at other school divisions to develop a
policy,” says Reece. The school division doesn’t allow web-based
e-mail. Facebook is also blocked.

By contrast, access to Facebook and other social networking sites is
still allowed at Peel Region. The lines between social networking for
leisure and work purposes are blurring, explains Wiseman, and there may
be a legitimate reason for users to view such sites at work. Until
there’s a compelling reason to block them, they’ll remain available to
Peel workers.

Pembina is much more restrictive than Peel, but with good reason, says
Reece. Once a student has signed an AUP (if they’re under 18, it’s
signed by a parent), the document gives the school board some leverage.
If a student is discovered to be using the Internet for mischief or
worse, “the AUP becomes the foundation of the whole argument. We say,
”˜The reason we feel comfortable to talk to you about this is because
you signed the AUP.’”

It’s not mindless authoritarianism, says Reece, but a way of making sure minimum standards are met.

“The culture of schools is rules-based; probably more rules-based than,
I would say, the culture of business (which) is more

“It’s the culture, the spirit not hurting other people, not damaging equipment, not being a cyber-vandal,” he says.

Local police are occasionally brought into Pembina schools to reinforce
this culture — to teach students and teachers alike about safe Internet
use, and how to recognize cyber-bulling, online predators and ID theft.

“The goal of school is to help people generalize. We’re going to teach
you a strategy to help you learn how to problem-solve,” he says.

Positive reinforcement works in schools, but is also very applicable in
the business world, according to Telus’s chief security officer, Gene

For three years, the telco has provided a mandatory e-learning course
for its 30,000-plus employees. Everyone from entry-level employees to
high-level executives must take the online course, which takes 20-30

The president and CEO had to personally authorize the test and take it
himself. It was deemed a worthwhile use of employee time, and has paid
dividends, says McLean. It covers not only Internet use, but physical
security best practices as well.

“We get good feedback, and we roll the course out the following year
again,” says McLean. “That is one way to make employees aware of good
security procedures and make sure they get a chance to think about it.”

McLean is convinced employees aren’t looking to waste company time or
resources. They “have the best intentions and want to work hard” but
“sometimes they could get off focus, which is why you need a good set
of policies and procedures.”

The temptations are strong, according to Andrew Berkuta, senior
security evangelist at Santa Clara, Calif.-based McAfee Inc. Employees
have the means to surf the Internet and snoop around data files that
may be floating around an organization unprotected. “There is that
propensity to look at a directory you weren’t supposed to. People are
curious by nature.”

Berkuta says he’s a “big proponent of education,” but unlike Telus, not
all companies can afford to shell out for training. A solid APU is a
way to establish boundaries and enforce corporate policy. It boils down
to one thing, says Berkuta: “It’s CYA: cover your assets.”

Print this page


Stories continue below


Leave a Reply

Your email address will not be published. Required fields are marked *