Acceptable use policies likely need a refresh if you have not updated them in the last couple of years.
Acceptable use policies are not new; many employers have them. However, policies may overlook some aspects of acceptable use of emails, the Internet, computer systems, and other information and technology (I&T) resources. More importantly, the threat landscape has changed, and many employers are addressing (or avoiding) employees’ use of tools like TikTok and artificial intelligence (AI), including ChatGPT. Old risks, like the omnipresent and sustained threats from phishing and other social engineering, have not abated.
As an example, while TikTok is a social media platform and employers may already have a social media policy, those policies may need to address TikTok’s specific privacy and security risks. Many businesses and government agencies in Canada or abroad have an outright ban on TikTok (and WeChat) on employer-owned devices, whereas they may not ban Facebook or other platforms.
Similarly, employers may already have a policy covering employees’ Internet use but may need a policy on using artificial intelligence websites, like ChatGPT, for work purposes. Employers in very small businesses may regard AI as a “big company problem”, but smaller entities are not immune from risks. Although these smaller employers may not be developing AI software or other products, their employees could be using ChatGPT or other third-party services that run on AI. What business data are these employees sharing with ChatGPT? Do they know how to safeguard privacy and data integrity when using AI? Do they understand the risks and ethical issues involved?
Likewise, employers in the health sector may have overlooked an Internet of Things (IoT) policy for critical connected devices. In reality, connected devices are inescapable in most homes or offices in one form or another. They run the gamut from smart insulin pumps in hospitals to smart TVs, smart doorbells, and printers—basically, any equipment that can communicate with the Internet. Password and network access policies may neglect procedures for these types of devices. For instance, a core internal control prohibits leaving manufacturer default passwords in place, since unchanged defaults are a well-known and easily exploited weakness.
Policies and procedures may need updating to address acceptable use of the following:
- I&T systems, as they relate to connected (IoT) devices and to remote and other work arrangements;
- Email, to avoid phishing and other social engineering;
- The Internet;
- ChatGPT and other AI, including ethical, intellectual property, and privacy considerations; and
- TikTok, WeChat, and other social media platforms.
Meeting your duty of care
Update acceptable use policies and procedures to keep pace with current threats. Review recent and upcoming updates to the Information and Technology database in PolicyPro, including Chapter 13 – User Responsibilities, which addresses relevant controls.
Policies and procedures are essential, but the work required to create and maintain them can seem daunting. The Finance and Accounting, Operations and Marketing, Not-for-Profit, and Information Technology databases in PolicyPro, co-marketed by First Reference and Chartered Professional Accountants Canada (CPA Canada), contain sample policies, procedures, checklists and other tools, plus authoritative commentary to save you time and effort in establishing and updating your internal controls and policies. Not a subscriber? Request free 30-day trials of the Finance and Accounting, Not-for-Profit, Operations and Marketing, and Information Technology databases in PolicyPro here.