IT Strategy and Planning

Training Users to Stop Killing Your Business IT

Print
Check out this page on Dell.com! Email
Rate
1 out of 5
2 out of 5
3 out of 5
4 out of 5
5 out of 5

By: Andy Patrizio (1/31/2011)

It's an age-old problem for employers: dealing with employees using company resources for personal activities. Up until a few years ago, the worst offenses might be using the phones to take or make personal calls, but in an era of the Internet, and with people bringing their own devices to work, the issue has become one of much greater concern. While firms fear insider damage and attacks, the truth is employees are far more likely to do something innocently and without malice. But that doesn't mitigate what could be a very damaging incident. Compounding the headache is the fact that more firms are letting their employees provide their own technology. So you have to control the use of a product that isn't even your own. At the very least, employees wasting time on Facebook or playing "Angry Birds" might choke your network or get nothing done. The much greater issue is one of security, especially from social networks. Never before have managers had to deal with potential emails coming into the office that could allow malicious software to infect the network and potentially steal trade secrets or intellectual property. At the same time, some of you may need to provide your employees with access to some of these services. If your company lives and dies by its good name, then you can't ignore negative comments on social networks. Who wants to tell the CEO that while your company was being trashed on Facebook for whatever reason, you were unable to respond because Facebook access had been cut off due to employee goldbricking? Plus, you don't want to be a Killjoy Tyrant who clamps down with an iron hand and refuses even a little leeway. It may be an employer's market these days, but being too intrusive into their daily activities will still kill employee morale and drive people away. At the same time it would be foolish to be weak. A careful balance must be found. "It's education versus personal autonomy. The historical antecedent in terms of cost, which was far less of a threat in terms of cost, is personal phone calls," says Geoff Woolacott, analyst with Technology Business Research. You need to set some level of expectation for employees, but Woolacott says trying to regulate Internet and personal usage is like throwing rocks in a stream: Water finds its way around it. Education is the answer, starting with setting expectations. Employees must know what is expected of them, and just sticking the rules in an employee policy handbook — that no one ever reads until after something happens — is inadequate. Secondly, the levels of expectation of fair and proper use must be set according to each department's requirements, notes Woolacott. Companies should establish benchmarks on usage but at the same time respect privacy until such time as users break through the thresholds. "Think of it as an IT dashboard," he says. "Based on this descriptor of employee function, we will allow X percentage of use by desktops in these areas. An engineer shouldn't be out there doing that stuff. Your marketing/communications staff should be out there [on social networks] X percent of the time. Your secretaries, we won't flag until they reach 10 percent of usage, let's say." It's also possible to configure the intranet firewall to provide proactive messaging from IT to users to avoid hitting questionable sites before they even get there. That way you catch people on the way out, rather than after they get to a potentially offending site. Finally, basic common-sense education needs to be conveyed. People need to know not to double click on any attachment sent by someone they don't know, or even from someone they do know but were not expecting. It seems like common sense, but that can be sorely lacking. Setting a flexible level of expectation can go a long way toward giving employees the tools they need to do their job, the privacy and some trust they deserve, and the chance to unwind for five minutes if need be. It's something to be done early and often, because the threat and usage landscape are constantly changing. For more information, see: Facing Up to Insider IT Security Risks Why More Companies Are Exploring ‘Bring Your Own Tech’ Policies Does Social Networking Really Pose an Enterprise Security Risk?

It's an age-old problem for employers: dealing with employees using company resources for personal activities. Up until a few years ago, the worst offenses might be using the phones to take or make personal calls, but in an era of the Internet, and with people bringing their own devices to work, the issue has become one of much greater concern.

While firms fear insider damage and attacks, the truth is employees are far more likely to do something innocently and without malice. But that doesn't mitigate what could be a very damaging incident. Compounding the headache is the fact that more firms are letting their employees provide their own technology. So you have to control the use of a product that isn't even your own.

At the very least, employees wasting time on Facebook or playing "Angry Birds" might choke your network or get nothing done. The much greater issue is one of security, especially from social networks. Never before have managers had to deal with potential emails coming into the office that could allow malicious software to infect the network and potentially steal trade secrets or intellectual property.

At the same time, some of you may need to provide your employees with access to some of these services. If your company lives and dies by its good name, then you can't ignore negative comments on social networks. Who wants to tell the CEO that while your company was being trashed on Facebook for whatever reason, you were unable to respond because Facebook access had been cut off due to employee goldbricking?

Plus, you don't want to be a Killjoy Tyrant who clamps down with an iron hand and refuses even a little leeway. It may be an employer's market these days, but being too intrusive into their daily activities will still kill employee morale and drive people away. At the same time it would be foolish to be weak. A careful balance must be found.

"It's education versus personal autonomy. The historical antecedent in terms of cost, which was far less of a threat in terms of cost, is personal phone calls," says Geoff Woolacott, analyst with Technology Business Research.

You need to set some level of expectation for employees, but Woolacott says trying to regulate Internet and personal usage is like throwing rocks in a stream: Water finds its way around it.

Education is the answer, starting with setting expectations. Employees must know what is expected of them, and just sticking the rules in an employee policy handbook — that no one ever reads until after something happens — is inadequate.

Secondly, the levels of expectation of fair and proper use must be set according to each department's requirements, notes Woolacott. Companies should establish benchmarks on usage but at the same time respect privacy until such time as users break through the thresholds.

"Think of it as an IT dashboard," he says. "Based on this descriptor of employee function, we will allow X percentage of use by desktops in these areas. An engineer shouldn't be out there doing that stuff. Your marketing/communications staff should be out there [on social networks] X percent of the time. Your secretaries, we won't flag until they reach 10 percent of usage, let's say."

It's also possible to configure the intranet firewall to provide proactive messaging from IT to users to avoid hitting questionable sites before they even get there. That way you catch people on the way out, rather than after they get to a potentially offending site.

Finally, basic common-sense education needs to be conveyed. People need to know not to double click on any attachment sent by someone they don't know, or even from someone they do know but were not expecting. It seems like common sense, but that can be sorely lacking.

Setting a flexible level of expectation can go a long way toward giving employees the tools they need to do their job, the privacy and some trust they deserve, and the chance to unwind for five minutes if need be. It's something to be done early and often, because the threat and usage landscape are constantly changing.

For more information, see:

Facing Up to Insider IT Security Risks

Why More Companies Are Exploring ‘Bring Your Own Tech’ Policies

Does Social Networking Really Pose an Enterprise Security Risk?