Internet misuse by staff affected a majority of large businesses in the last year, according to a government report, while even some small companies reported hundreds of email abuses per day.
The Department of Industry's 2006 Information Security Breaches Survey found that two-thirds of large enterprises reporting at least one misuse incident in the last year, with one in five of all companies were affected overall.
Of the worst incidents of misuse, 41 percent involved staff accessing inappropriate Web sites and a further 36 percent related to excessive Web surfing. The most serious of such incidents involved access to illegal material; for example, several companies reported incidents of staff accessing child pornography.
Businesses were warned their reputations could be damaged by staff Internet misuse.
"Companies without an acceptable-usage policy are in difficult territory in telling staff what is appropriate or inappropriate. If their staff send out or post inappropriate content, that can have a knock-on effect on a company's reputation," Chris Potter, co-author of the report and partner at PricewaterhouseCoopers, told ZDNet UK.
"It's very important that organisations define what is acceptable because different people can have different views on what actually is acceptable," said Potter. "A number of companies in the survey had staff sending out profane messages or confidential information to the wrong organisation. In one case a disgruntled employee took an entire copy of the customer database and emailed it to a competitor," he added.
Companies should have a clear acceptable-use policy, according to PwC, and should make sure they are scanning inbound and outbound mail. One in six companies currently scans outbound mail, the survey found.
"A lot of companies don't scan outbound email for inappropriate messages. People should implement software that monitors Internet usage and blocks access to inappropriate sites, as this can let people know quite gently that they are doing something wrong," said Potter.
"Over half of UK businesses don't have this technology, and they are probably missing staff misuse. Unfortunately, with this you only need one or two bad apples to spoil the whole barrel."
The survey was carried out on behalf of the DTI, and was sponsored by Microsoft, Symantec, Entrust, and Clearswift. Potter said that the research was carried out and analysed independently.
"The sponsors may have a vested interest, but we also had input from independent reviewers such as the National Hi-Tech Crime Unit and the University of London. It was absolutely critical that this set of results be accurate."
"Clearly with any set of results it is possible to put a spin on, but the underlying figures don't lie. We sought to involve leaders in information technology to make the results as useful as possible," said Potter.
A spokesman for the DTI told ZDNet UK "It's our survey, but we don't have control over third party endorsements. There's lots of stakeholders you would consult, and the big players need to be involved. The bottom line is that this is a DTI survey, and the DTI sponsored it."
The survey will be launched at Infosecurity Europe in April 2006, in London.