The modern workplace is often a casual one, as more companies explore the possibility of flexible working hours, informal dress codes, and the use of both social media and personal devices during working hours. However, what ramifications could a casual workplace have for cyber security if things become too lax? We spoke with Aisling Byrne, Associate at Cleaver Fulton Rankin, about cybercrime and what companies can do to protect themselves while allowing their employees the freedom that encourages a healthy working environment.

Are there any commonplace activities people might engage in that are, in fact, against cybercrime legislation? If so, what kind of penalties do these activities have?

The most damaging examples of cybercrime for employers that we have come across involve scam emails. Employees are conned into transferring money to an account that is not legitimate, often resulting in major financial loss for employers when the money cannot be traced or recovered. Very often the employee is innocent or simply careless and may not be in breach of cybercrime legislation per se.

In the unfortunate event of a scam as outlined above, in most cases an investigation will be initiated, and in some it may result in disciplinary action being taken against an employee. An employer must ensure, however, that employees have received training in relation to identifying scam emails. Employers must also ensure that cybercrime is covered in policies and procedures and that any disciplinary action taken is reasonable and consistent.

The most serious consequences for employees involved in cybercrime would arise under the Computer Misuse Act 1980, as amended, which creates the following criminal offences:

  • Unauthorised access to computer material – liable on summary conviction to six months’ imprisonment, a fine, or both
  • Unauthorised access to computer materials with intent to commit or facilitate commission of further offences – liable on summary conviction to six months’ imprisonment, a fine, or both
  • Unauthorised acts with intent to impair, or with recklessness as to impairing, the operation of a computer – liable on conviction to six months’ imprisonment, a fine, or both
  • Impairing a computer such as to cause serious damage – tried on indictment and punishable by life imprisonment if the damage is in respect to life, loss of life or national security, or to 14 years for damage to the economy.

How should companies approach constructing a social media policy that allows their employees to post online without risking the company’s information?

Social media activity is a minefield for employers. Every business should have a social media policy in place which sets out what activity is permitted and what is prohibited. For example, a policy should state explicitly that employees are not permitted to disclose information that is confidential to the employer.

Some employers will go so far as to insist that employees are not permitted to disclose the identity of their employer in any social media activity while others view it as an essential marketing tool. It very much depends on the type of workplace and attitude of the employer. It is also vital that employers are crystal clear that inappropriate social media activity outside the workplace using personal devices may also result in disciplinary action where it causes damage to the employer.

How can companies minimise the security risks posed by outside devices and employee activities?

Many employers will have an IT policy in place which outlaws the use of personal electronic devices in the workplace. It is also advisable that employers prohibit the transfer of any work-related information to personal devices and that no non-work related emails or internet usage are permitted using an employer’s devices. Taking such steps will assist in reducing an employer’s exposure to viruses, spam email, and cybercrime.

What are companies entitled to do in terms of monitoring their employees’ activities?

Employers can monitor employee communications provided that certain requirements are met. Employers should first and foremost consider their obligations under the Data Protection Act 1998 (DPA) and, in particular, bear in mind the principles of the Information Commissioner’s Employment Practices Code (EPC). The EPC provides that covert monitoring can rarely be justified and would only be permissible in situations where criminal activity is suspected. Under the DPA, data must be processed fairly and lawfully and so employees should be advised if monitoring is being carried out and, if so, for what purpose.

It is advisable that employers should introduce electronic communications/IT and social media policies, if they have not done so already, which clearly set out the circumstances in which monitoring will take place.

What are the possible ramifications for companies that cross the line when monitoring their employees’ activities? What legal rights do employees have?

Employers could be in breach of the DPA and an employee could make a complaint to the Information Commissioner. Employers could also find it difficult to discipline and, in extreme circumstances, terminate an employee’s employment where monitoring has been covert and the employee’s understanding was that they had a reasonable expectation of privacy in relation to their use of the employer’s electronic communication systems.
