As a huge Marvel film buff, I was always tickled by the comment made by Black Widow to Captain America in "The Avengers" regarding Norse hero Thor and his adopted brother Loki: "These guys come from legend, Captain. They're basically gods."
The quote appealed to me as an IT professional since we do seem to amass several god-like skills to do our work such as unlimited system/physical access, administrator rights, and the ability to bring about, or take away, things such as servers or software. It's humbling being an end user without these special powers, I can attest.
Another Marvel quote comes from the Spider-Man movies: "With great power comes great responsibility." Sometimes great power gets misused irresponsibly in IT. Now, I have as much of a sense of humor as the next guy, and I understand that some funny business in the workplace can be a morale booster when it remains tasteful and appropriate (think memes or light-hearted joking).
However, when the line gets crossed into irresponsible behavior, professionalism and productivity - not to mention trust - can be adversely impacted. Here are five examples of crossing the line and what management can - and should - do about it.
1. Practical jokes
Practical jokes using computers are probably the most popular IT shenanigan in the office. The internet is rife with tips on how to fool coworkers whose systems you hold power over. From changing their desktop wallpaper to something confusing or inappropriate to playing rude sounds on their speakers or otherwise sabotaging devices or systems, practical jokes can be a major impediment to the target employee - particularly if the group they need to go to for help is the one causing the problem.
Often the offender carries out these jokes by using administrative credentials to access the target system. To curtail this sort of activity, you need policies and monitoring in place. TechRepublic's sister site, Tech Pro Research, has an acceptable usage policy which can define what systems are to be used for - and which can specify that inappropriate access for non-business purposes is an action subject to discipline.
Of course, this means there has to be a way to know about this sort of activity, so a centralized logging and alerting solution like Splunk can help achieve that. Often when another user accesses a Windows system there is a corresponding event in the local logs which can then be linked to an alert which notifies the appropriate personnel. The alert can be tailored so that it only goes out if the user logs into a system other than their own.
What if said "appropriate personnel" receiving the alerts are the very same people pulling off the joke? If you're the boss, make sure the alert includes you (and/or security) and follow up on such alerts to determine the reason behind it. Sometimes just knowing said alert exists will deter negative behavior.
2. Inappropriate use of access privileges
IT personnel often have access to the entire office space in order to be able to diagnose or repair systems or provide entry to those who do. The same applies with having domain administrator/root access privileges.
This can turn into a nightmare if system administrators "go rogue" and access confidential or personal information owned by others which is not relevant to their jobs. They might also log in with other accounts to impersonate users or cover their tracks (deleting event or system logs is another potential problem).
Once again, event logging and alerting for both system and physical access (such as when the data center is entered) can help here. But if you're in charge of receiving and interpreting these alerts, you may find yourself swamped, especially when administrators are merely doing their jobs: restoring a confidential file for finance, for example, and then opening it to confirm it has the right data.
This is where a dedicated ticketing system to track all work requests can come in handy. If a ticket matches the file being restored in the previous example, you know it was legitimate. If there's no corresponding ticket, however, an investigation may be in order.
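The two checks described so far, an alert that fires only for logons to a machine other than the user's own and ticket matching to clear legitimate access, can be sketched as follows. This is an added example, not part of the original article: the event fields, accounts, hosts, file paths and ticket ids are constructed, and the one-workstation-per-user mapping is an assumption.

```python
from datetime import datetime, timedelta

# Constructed inventory: the workstation assigned to each account (assumption).
ASSIGNED_HOST = {"alice": "WS-ALICE", "bob": "WS-BOB", "adm-carl": "WS-CARL"}

# Constructed events, shaped as a central log store might normalize them.
# "logon" stands in for a Windows Security log logon event (ID 4624),
# "file_open" for a file-access audit event on a file server.
EVENTS = [
    {"time": "2024-03-04T09:02", "type": "logon", "user": "alice", "target": "WS-ALICE"},
    {"time": "2024-03-04T10:15", "type": "logon", "user": "adm-carl", "target": "WS-BOB"},
    {"time": "2024-03-04T11:40", "type": "file_open", "user": "adm-carl", "target": r"\\FS01\finance\payroll.xlsx"},
    {"time": "2024-03-04T23:05", "type": "file_open", "user": "adm-carl", "target": r"\\FS01\hr\reviews.docx"},
    {"time": "2024-03-05T08:30", "type": "logon", "user": "adm-carl", "target": "WS-CARL"},
]

# Constructed ticket export: assignee, resource covered, and when it was open.
TICKETS = [
    {"id": "T-1001", "assignee": "adm-carl", "resource": r"\\FS01\finance\payroll.xlsx",
     "opened": "2024-03-04T11:00", "closed": "2024-03-04T12:30"},
]
GRACE = timedelta(minutes=30)  # tolerance around a ticket's open/close times

def is_foreign_logon(event):
    """True for a logon to a machine other than the user's assigned one."""
    return event["type"] == "logon" and ASSIGNED_HOST.get(event["user"]) != event["target"]

def matching_ticket(event, tickets):
    """Return the id of a ticket that justifies the event, or None."""
    when = datetime.fromisoformat(event["time"])
    for t in tickets:
        start = datetime.fromisoformat(t["opened"]) - GRACE
        end = datetime.fromisoformat(t["closed"]) + GRACE
        if (t["assignee"] == event["user"]
                and t["resource"].lower() == event["target"].lower()
                and start <= when <= end):
            return t["id"]
    return None

def alerts(events, tickets):
    """Events worth a follow-up: foreign logons and file opens with no ticket."""
    return [e for e in events
            if (is_foreign_logon(e) or e["type"] == "file_open")
            and matching_ticket(e, tickets) is None]

for a in alerts(EVENTS, TICKETS):
    print(a["time"], a["user"], a["type"], a["target"])
```

Accounts missing from the inventory are treated as foreign logons, so an unknown or impersonated account raises an alert rather than passing silently.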
3. Social media misuse
The danger of social media is that it's always present and available and people use it consistently throughout the day or evening, which means inappropriate or confidential material related to the company might end up on Twitter, Facebook, Instagram or any other public outlet.
This might be something as relatively innocuous as posting a picture of drinking a beer in the office, or it might involve a post referring to company activities that shouldn't be publicly discussed, such as dealing with certain problem users and derogatorily referring to their behavior, making negative remarks about organizational rules or regulations or sharing details about company systems or security settings which could conceivably be used for malicious intentions.
A social media policy can define what actions employees should take in such situations and what topics or areas they should steer clear of.
4. Redefining reality
This one is not unique to IT and can happen across various fields. It refers to misrepresenting things which have occurred in order to exaggerate or revise history.
For example, it might involve claiming it took four hours to fix a server when in reality it took one hour and the other three were spent playing foosball. A new boss might be told that "our old boss used to take us for happy hour drinks at the downstairs bar every Friday" when no such habit existed. An employee might have a coworker badge in for him so the access will show he was present at work, when he's actually home sleeping. The list goes on.
As the boss, you can't always detect every dishonest statement - I can say it would be very hard to dispute the four-hour versus one-hour server repair claim since no two repair jobs go the same way. But certainly you can reduce the risk of these tall tales with concepts such as an employee handbook (which might help verify whether the "having drinks on Friday" story is legitimate) as well as policies involving badge usage, time tracking of work, attendance guidelines, and so forth.
5. Slacking off
When you work in IT and can control who accesses what on the internet, it's possible to turn slacking off into an art form. Whereas proxy servers might block the average user from getting out to the web to visit entertainment or gaming websites, any IT professional worth their salt could circumvent such blocks within moments.
I'll be clear and state that a few moments of recreation on the job shouldn't be a problem so long as it doesn't involve too much time nor inappropriate material. Employees often need a bit of time to unwind and rediscover their focus, so long as their work duties are being fulfilled.
The problem here comes when IT professionals excuse themselves from the same restrictions applied to users. Fairness demands that such restrictions be implemented across the board.
To combat this issue, regularly review proxy server/router configurations and logs, set up alerts if changes are made (where applicable) and implement an internet access usage policy to dictate acceptable online access and specify consequences for failing to adhere to the company guidelines.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.