Create an email and internet use policy


Email and internet technologies have undoubtedly brought a whole host of opportunities and efficiencies to businesses. But they have also introduced a range of problems and cybercrime threats that you will need to manage.

The 2019 UK Threat Report from Carbon Black revealed that 84% of UK firms had suffered a data breach during the previous 12 months and 90% of those surveyed believe that cyber attacks have grown more sophisticated.

It's important that your business has an email and internet usage policy that clearly describes what constitutes acceptable use of your IT systems. Implementing IT usage policies can help you minimise some of the risks. For example:

  • Malware infections. For instance, Google's Safe Browsing service uncovers thousands of unsafe sites every day. Your policy should detail what kinds of sites your staff should avoid.
  • Misuse of staff time. Browsing personal websites like Facebook can hit an employee's performance. They could be wasting hundreds of hours each year, so your policy needs to set out what's acceptable.
  • Misuse of company resources. Are your staff storing music files on your server, or crippling your internet connection by downloading movies? Your policy should clearly describe what isn't allowed.
  • Liability. Inappropriate or illegal content on your network - especially pornography, racist or sexist material - can create a hostile work environment and could ultimately result in a lawsuit. It's good for your policy to explain the issues at hand, so employees understand why following it is important.

Writing your email and internet use policy may not be an easy task. You need to balance the needs of your network and any legal requirements with the recognition that the internet is a part of your employees' everyday life.

For instance, if you wouldn't stop them making a quick personal phone call on work time, should you stop them sending the odd personal email?

The aims of your internet policy

Decide the goals of your email and internet use policy before you start writing it. Your company aims may fall into one of these two groups, or be somewhere in between:

  • Big family: you want to treat your staff like a family. This means you take a liberal approach with your policy and only aim to keep malware and inappropriate content off your network. You'll probably ban sites which are inappropriate or a common source of malware, but otherwise give your employees a lot of flexibility.
  • Big brother: you want to exercise maximum control. This approach involves banning your staff from all but approved websites, and usually involves severe restrictions on what employees can access. With the internet deeply ingrained in our day-to-day lives, it's harder to take this approach.

In practice, most companies are somewhere in between these extremes. It's a sliding scale - the further you move towards 'big brother', the more types of website you may block:

[Image: Policy Scale]

Many companies implement more than one policy, to cover different times of day (working hours and lunchtime) or different categories of employee.

Writing your internet and email policy

Use clear, non-technical language when you write your email and internet use policy. People who are not technically minded may have a different perspective on what constitutes misuse of your computer systems.

Similarly, they might be unaware of how their activities can cause problems - so put each rule into context.

Keep your policy as short as you can, to increase the chance of it being read and understood. And base it on simple principles that can be understood by technical and non-technical staff alike. As a minimum, include the following:

  • Personal internet use should be kept to a minimum. Some personal use may be acceptable, but it shouldn't affect the employee's ability to do their job.
  • Accessing pornographic, violent, abusive or hate sites should be banned.
  • Using the network to harass or bully other people should be a disciplinary issue.
  • Sending or posting confidential material, trade secrets or proprietary information online should be prohibited.
  • Sites deemed to be a security risk or which place excessive demands on the company's IT systems (like video streaming websites) should be avoided.
  • Staff should not put the company at risk of litigation for copyright infringement by downloading music, videos or software illegally.

You can base your company's policy on this list or use our free, sample IT policy templates and adapt them to your specific circumstances.

Remember that things change quickly online. Constantly adapting your policy to take new websites or technology into account would be impossible, so focus on articulating a set of guiding principles.

Finally, be sure to seek professional advice if you're unsure of what to include in your internet and email policy. Getting it right will help your employees and guard your company – so it's something that's worth spending a little money on.

Written with expert input from Craig Sharp of Abussi Ltd.
