By Michelle Hutchinson

Policies of any kind are difficult to implement, but IT polices seem to be even more troublesome. Most employees have no idea what the IT department does or why. They don’t understand that when you take their screen saver away, you have a very good reason for doing so (to avoid having to troubleshoot their PC later). Accordingly, new IT policies are rarely met with enthusiasm—they usually eliminate something employees enjoy using.

This is why end-user firewall policy training is critical. Users must understand why your organization has a firewall and how important following the policy is. Here are four techniques you can use to train your end users on a new or existing firewall policy.

1. Have a written policy and user agreement
When my IT department established its firewall policy, we worked with the human resources department to draw up a contract for all employees to sign. It basically told employees they were being given Internet access, but they had to use it appropriately.
Click here to download our updated list of e-mail and Internet use policies.
Before anyone got an account on our firewall, they had to sign this document. Having a written contract serves a dual purpose. It is an introduction to the policy and helps protect the organization if employees abuse their Internet access.

2. Personalize the need for security
Unfortunately, just signing the agreement isn’t enough. Employees must understand the importance of surfing the Net with their life jackets on. To help get that message across, I give employees specific examples of how inappropriate use of the Internet can hurt their job performance. For example, a breach in security could corrupt or destroy a spreadsheet that took all day to create. By bringing it to a level that personally affects them and their hard work, employees are more likely to follow security procedures.

The occasional virus that does infect our network is also a good wake-up call. We were recently hit by a virus that destroyed several .bmps and .gifs. Although it was not a serious problem, we used the incident to stress the importance of security policies. Obviously, being hit once a month with a virus isn’t a very productive way to remind your users about security, but you should take advantage of the opportunity if it presents itself.

3. Periodically reinforce safety procedures
The company’s newsletter is also a good place to issue reminders about the importance of Internet and e-mail safety. These reminders could be placed in a small box that contains a safety tip users can utilize at work as well as at home. Most employees take the time to read the company newsletter, and a written security tip might be just the thing to remind them about the importance of the security policy.

I occasionally send out a “tips and tricks” e-mail to my users that includes software tips and shortcuts. Adding safety warnings and advice in these e-mails is another way to get the security message to the masses. Messages such as “Don’t share your password with anyone” or “Don’t leave your Internet connection open when you leave your computer” remind users of important but easily forgotten safety precautions.

4. Stress management support
Of course, no firewall policy is effective without management support. It is management’s responsibility to ensure that their staff is working and not spending their days surfing online auctions (unless that is their job).

It’s important to get management support right from the beginning of your firewall project. Let them know what you expect from them, and what information you will be providing to help them enforce the firewall policy. Producing monthly or bimonthly firewall logs for department managers is a great way to help them monitor their employees’ Internet usage. Remind them that there’s only so much the IT department can do without their backing.
Does your IT organization have a great way to teach end users about the importance of having and following a firewall policy? How does your organization deal with those who violate the firewall policy? What do you think of Michelle’s suggestions? Post a comment or write to Michelle Hutchinson and let us know what you think.