
Top tips for creating and implementing an effective web usage policy

Through ignorance and casual surfing behaviour, your network users can too easily put themselves and your business at risk. Web usage education and competent technology are the solutions, but who has time to teach everyone how to use email and the Internet safely?

Your web usage policy document is the training manual that keeps your network, corporate data and company reputation safe, but only if it is followed. The tips below contain all the key points you need to know, but don't forget to download the full guide to creating an effective web usage policy.

Step 1 - Explain the risks and consequences of threats

Make sure your end users know about security risks and the possible consequences of a breach. Give them the tools and awareness to stay protected against the following types of threats:

Phishing: A constant threat that can fool even the most savvy Internet users. Its danger should not be understated, and social engineering is making it increasingly effective.

Viruses and malware: Anti-virus and anti-malware software has improved over the years, yet viruses still cause havoc, from wiping corporate information and stealing data, to shutting down critical systems. Do not be responsible for something like this.

Malicious websites: Alongside phishing, websites with illicit intentions distribute viruses, malware, and pose as fake versions of banking, social, corporate and other login-based websites. If your staff stop paying attention, they could give away coveted login details.

Trojans: You would not leave your business premises physically unlocked, so why allow cyber criminals to walk through the digital equivalent?

Legally risky websites: Copyright infringement, illegal gambling, pornography, hate sites. Individuals can face prosecution for illegal activity such as file sharing and piracy, as can your business.

Step 2 - Show what is being done to protect your staff and business

Give your staff an overview of what is being done to protect them and the company's interests, such as a simplified list of the technology platforms at the heart of your corporate network:

Network security: The range of technologies, strategies and best practice methods that keep staff protected from those looking to harm them digitally.

Firewall: Blocks access into the network from outside sources, except those that have been classed as trustworthy.

Anti-spam filtering: Stops viruses, malware, spam and other email threats from flooding inboxes while keeping email relevant, safe and productive.

Web content filter/logging: Blocks access to risky sites; alerts when access is attempted by accident and ensures staff are aware of what is allowed and what is not.

Monitoring bandwidth usage: Guarantees efficient use of company resources, detects problems and helps IT management plan for growth periods and new technological developments.

Step 3 - BYOD: What is monitored, logged and protected? What is not?

Are your staff using mobile devices through the company network or via non-company networks, such as a mobile phone data network?

Your policy should explain what is inside the control of the organisation and what is not. For example, some staff may not be aware that mobile phone network access and Wi-Fi access are two different things. They should understand that Wi-Fi is provided locally by the business, whereas mobile data networks are provided by the telecommunications supplier, so the company's protections do not cover them there and they remain exposed to legally risky content.

If staff are not made aware of the difference, they may inadvertently access websites at work that they feel comfortable accessing from home without realising they are using the corporate internet.

Step 4 - Make sure the policy is read

Write in plain language without jargon. Give staff an incentive to read your policy document and to start taking action. Start with some of the tips outlined in the Cialdini Principles of Persuasion.

Adding a multiple choice questionnaire to the final page with a desirable prize for the top scorer and penalties for failure will encourage staff to read the document. Simply sending the scores to line managers may even be enough to get compliance.

Regardless of method, ensure it is signed for the sake of legality.

Step 5 - Be flexible without compromising security

Web filtering software and cloud platforms let you relax access policies outside working hours and during lunch periods if desired. By now, staff should be aware of the risks and take evasive action when needed.

Ensure there is a clear explanation of when security is relaxed and when it will be in force again.

Step 6 - Improve policies based on your newly empowered employees

Try setting up an internal mailing list so staff can warn each other of new threats and suspicious links. Facilitate and provide helpful feedback and encouragement, and they might surprise you with their ability to detect scams and other malicious activity. It also makes your reporting process easier.

Again, downloading the full guide to implementing an effective web usage policy for a further explanation of these principles is highly recommended. In less than 20 minutes, you could have your new policy lodged firmly in your employees' minds and signed for full digital protection.

Geraldine Hunt is project manager at SpamTitan Technologies, a global provider of enterprise-level email and web security solutions.