The vast majority of workplaces today use the internet to one extent or another. According to Eurostat, 91% of EU enterprises with 10 or more employees have a fixed-line broadband connection. While organisations benefit from increased digitisation of the workplace through cost savings, increased productivity and a more mobile workforce, internet use also opens them up to more cyber security risks. As previously mentioned, attackers using malware will try all they can to gain access to sensitive information.
The starting point for mitigating such risks is to have a well-thought-through Internet Acceptable Use Policy.
What is an Internet Acceptable Use Policy?
An Internet Acceptable Use Policy tells you how you may use the company’s Internet facilities; it outlines your personal responsibilities and states what you must and must not do. The objectives of an Acceptable Use Policy are to direct all users of the internet facility by:
- Providing guidance on expected working practice
- Highlighting issues affecting use
- Describing the standards that users must maintain
- Stating the actions that may be taken to monitor the effectiveness of this policy
- Warning users about the consequences of inappropriate use of the internet service
Often the policy will state that the Internet facility is made available for the business purposes of the organisation where a certain amount of personal use is permitted in accordance with the statements contained within the policy.
Helps Mitigate Against:
- Loss of reputation due to inappropriate use of internet facilities by staff
- Non-compliance with legal or regulatory requirements, which could result in significant fines for the company
- Malicious electronic attacks that use the Internet as a route into the network
Business Use of Internet
While performing tasks at work, your Internet account should be used in accordance with your company’s acceptable use policy. Internet access is provided and owned by your company, and all access is recorded, logged and examined for the purposes of:
- Monitoring total usage to ensure business operations are not impacted by a lack of capacity
- Monitoring and recording all access for reports that are produced for line managers, auditors and internal security staff
Except where it is strictly and necessarily required for your work, for example IT audit activity or another investigation, you must not use your Internet account to:
- Knowingly create, download, upload, display or access sites that contain pornography or other “unsuitable” material that might be deemed illegal, obscene or offensive.
- Subscribe to, enter or use peer-to-peer networks, encrypted or not, or install software that allows sharing of music, video or image files.
- Subscribe to, enter or use real-time chat facilities on non-work platforms.
- Run a private business.
- Download any software that does not comply with your organisation’s Software Policy.
What is an Email Policy?
An email policy tells you how you may use your work email address, including what information you can and cannot send. It applies to all users of the facility whatever the means or location of access, for example, via mobile devices or outside of the office.
As an example of best practice, all emails sent from an organisation’s address usually remain its property and are considered part of the corporate record. In this case, any information emailed from a company account is treated as official communication. Your organisation would thus have the legal right to monitor and audit the use of email by authorised users as part of assessing compliance with this policy. The extent of this auditing depends on the legislation for the sector or region you work in.
Rules of sending and receiving emails
Particular care must be taken when addressing emails that include classified information, as it could be accidentally transmitted to unauthorised recipients. The auto-completion feature of some email platforms, which suggests a recipient based on the characters typed so far, poses a significant risk to a company’s information security, since a single mis-keyed name can send a message to the wrong person.
Users should avoid sending unnecessary messages to distribution lists, particularly those with wide circulation such as the “global list” of all employees. Where required, emails should be sent via the organisation’s communications department, and not to a direct mailing list. Official organisation email addresses and facilities should never be used to send material that infringes on the copyright or intellectual property rights of another person or organisation.
If you receive unsolicited junk email or spam, it is advised that you simply delete the messages without opening them. You should never reply to the email, as this confirms your address is live and will prompt the sender to send even more. Also be aware that attackers have used the ‘unsubscribe’ link in spam emails as a lure to deliver malware onto your organisation’s network.
Ways to avoid letting your email address become the entry point for a cyber attack
Don’t reveal personal or financial information in an email, and do not respond to emails asking for this information. This includes clicking on links in the email.
Before sending sensitive information over the Internet, check the security of the website. Pay particular attention to the URL.
If you are unsure whether an email request is legitimate, try to verify it by contacting the organisation directly. Use the contact details provided on an account statement, rather than those provided in the email.
You must never open any attachments you believe may contain a virus, and if you have been sent one, report it to your company’s IT department. Most organisations ban their employees from downloading data or programs from unknown sources.
In many organisations, email usage within the organisation’s system is monitored and recorded in order to plan and manage resource capacity effectively, assess compliance with policies and procedures, ensure that standards are maintained, prevent and detect crime, and investigate unauthorised use. For example, most companies will have a data loss prevention (DLP) programme operating on their email system. This software automatically blocks the sending of emails containing potentially sensitive information and flags them for inspection by IT services.
Cybercriminals have become tech-savvy in their attempts to lure people into clicking on a link or opening an attachment. For example, a message can appear to come from a colleague and contain information that may be of interest, such as salaries and bonus levels or unannounced changes to the company. These messages often urge you to act quickly with fake warnings about your account, such as ‘Your account has been compromised’.
If unsure about the legitimacy of an email: contact the sender directly through a channel you already trust; hover over the reply address or hyperlink in the message to see the actual email address or web page it points to; contact the company using the details provided on an account statement; and search for the company online.
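The hover check described above can also be automated for a mail gateway or a user-awareness tool. The following is an added example, not code from the original article: it parses a constructed sample message (the HTML, domains and paths are made up) and reports every link whose visible text names one host while its href points to another, using only the Python standard library.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not taken from the article: the first link shows
# an intranet address but actually points elsewhere; the second is consistent.
SAMPLE_HTML = """
<p>Your account has been compromised. Review the new bonus levels at
<a href="http://login-portal.example.net/verify">https://intranet.example.com/bonus</a>
before the end of the day.</p>
<p>Policy archive: <a href="https://intranet.example.com/policies">intranet.example.com/policies</a></p>
"""
# Visible anchor text that looks like a URL or bare domain, e.g. "intranet.example.com/x".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.I)

class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) for every <a> element in the message.
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Lower-cased hostname; bare "host/path" text is accepted as well.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def find_link_mismatches(html):
    # (visible text, href) pairs where the host shown to the user differs from the real target.
    parser = _AnchorCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.anchors
            if URL_LIKE.match(text) and _host(text) != _host(href)]
```

Links whose visible text is not itself a URL (for example "click here") are skipped, because there is no displayed host to compare; a full filter would still inspect the href against an allow-list.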