Everyone does it, so it can’t be wrong, can it?

Who hasn’t used the corporate network and company PC to surf non-work related websites, or to send web-based e-mail with riotous attachments to friends and family? This stuff is hard to resist, and many employees probably think that the IT department needs to lighten up.     

But, alas, the fun isn’t always clean, and the seemingly harmless "goofing off" can have serious consequences that can lead to disciplinary action, including the firing of employees who breach company policy.    

The problem is that Internet misuse eats bandwidth and consumes data storage space that could be used to actually run the business. And it’s not always true that under-stimulated employees merely surf cute and harmless websites to escape their blighted Dilbert existence, rather than actually burning the place down — clearly an even less desirable outcome.   

For instance, if male workers routinely access porn sites, they may expose a corporation to liability and charges of harassment from female workers who don’t appreciate the racy humour. In the U.K., an audit of workplace PCs by security firm PixAlert discovered that more than a quarter (25.8%) of the 10,000 PCs scanned contained pornography or other inappropriate images.

On an equally depressing note, the 2006 Department of Trade and Industry's (DTI) Information Security Breaches Survey found that employee misuse of Internet resources was the second largest cause of reported security incidents, after viruses, for large U.K. companies.

The reason is that employees playing computer games, or gambling online, can inadvertently download malware — malicious computer code — that cuts a hole right through the firewall. And downloading unauthorized applications at work, such as plug-ins, to enhance your personal surfing experiences can lead to a mile of trouble as hackers increasingly probe web-based applications for vulnerabilities.   

But simply having a policy outlawing such behaviour isn’t a magic recipe for success.

The DTI survey also found that 63% of all U.K. companies surveyed, and 89% of large firms, had an IT-acceptable usage policy, but employees still ran riot, although it noted that far more U.K. companies have an IT-acceptable use policy than an information security policy, bad news in itself, as the link between the two clearly hasn’t been made, or communicated to employees.

So what should you be doing to keep employees in line, without starting a mutiny?

The legality of workplace monitoring tools is not clear-cut. Generally speaking, especially in the private sector in Canada, employers can use technology to ensure that at least someone is actually working at least most of the time, and for compliance with a variety of workplace related laws.

But an employer must have a “reasonable” and legitimate purpose for collecting the information, and an acceptable use policy that clearly sets out, in plain English, what is permissible and what is not, and the ramifications of non-compliance. Employees must sign off on the policy, and less is invariably more; the Canadian data privacy commissioners tend to take a dim view of employers "over-reaching." They especially dislike "continuous" workplace surveillance, or employee monitoring that is unrelated to a legitimate business purpose.

But some employers are fighting back. The University of B.C. has appealed an order by the B.C. Privacy Commissioners’ office that rebuked them for using monitoring software to track the workplace habits of an employee who spent up to four hours a day surfing non-work-related websites, including sites for job seekers.

He was fired by UBC for wasting company time and general tardiness. The basis of the appeal is that the order prevents UBC from investigating employee misconduct; UBC also claims that warning employees before firing them — as suggested by the privacy commissioner, is impractical.

The decision may provide some much needed clarity on where employers need to draw the line.