End users' careless habits can circumvent governance and IT best practices. Here are six strategies for managing the risk.
IT has a reputation for not always being sympathetic to users' needs, but managers and CIOs can also find themselves managing users' risky tech habits. So how can these situations be addressed constructively, without alienating management in other departments?
Here are six common scenarios and some best practices for handling them.
Sharing passwords and devices
Sharing passwords and devices is one of the most common security breach points for employees. The best way for IT to handle this scenario is to assume the role of auditor, keeping logs of security breaches and then sending them to either a chief audit officer, a chief security officer, or a focal manager in HR who deals with security. The reasons for this are simple: IT is the detection point for a security breach, not the enforcer or the message carrier. Enforcement and reprimands should come from high up in the organization, and from a person specifically mandated to ensure the integrity of corporate and employee security.
Workarounds for applications
Like IT, end users have heavy work demands they must fulfill. In these circumstances, there might be applications that don't work as they should. So in the interest of getting work done, the end users develop manual workarounds to keep work moving. It's hard for IT to know when someone is using workarounds, but it's important to find out so that the apps can either be revised or de-implemented. The best way to track app usage is to monitor it centrally as part of your data center practice. If you see usage fall off significantly, then it might be time to arrange a meeting with end users to see why the app is being underutilized, and to determine next steps.
Leaving IT out of vendor transactions
IT decision making has shifted from purely being an IT exercise to end user departments getting their own "mini IT" budgets and then contacting vendors directly. In many cases, especially when a cloud subscription service is involved, IT doesn't even know about the transaction. This hurts later, when IT is asked to troubleshoot, to take over app maintenance, or to integrate the app with other company applications. The best way to avoid this is to meet with end users on a quarterly basis to discuss IT plans and budgets. If you know users are planning to add an application independently, this gives you an opportunity to vet the app in advance for compliance and for compatibility with other corporate IT. You can also assist users with negotiating effective contracts and service level agreements with the vendors. Most end users are more than happy to let IT assume these responsibilities. They just don't want the feeling that IT is micromanaging their every application move.
Outdated data retention and employee authorization practices
Once each year, IT should meet with end user departments to review data retention policies and employee system authorization levels. The meeting is important because business needs change, and change can impact how long data must be retained before it is discarded, and which employees should have which levels of data access. Unfortunately, data retention and security authorization meetings are perceived by IT and end users alike as extra "administrivia" that can easily be put aside. The best thing to do in this situation is to obtain upper management endorsement for mandatory annual reviews of data retention and security authorizations. The directive should not come from IT, as reviews of this nature are really part of corporate-wide governance.
When IT departments perform software asset audits, they inevitably discover software packages that are sitting on the shelf -- and possibly have been for years, with the company continuing to pay licensing fees for the unused software. The risk is especially high in end user departments that purchase their own software. The best way to avoid paying for what you aren't using is to perform an annual audit of all software across the company. The exercise is fairly straightforward if IT develops an online form that an assigned end user for each department simply completes and turns in each year.
Especially in corporate field offices, remote servers, printers and other equipment can be overladen with dust, or they can fail because of extreme heat, cold or other factors that are adverse to equipment health. The best thing for IT to do in these circumstances is to monitor equipment uptime, performance and maintenance. If there are excessive failure rates, or if equipment is nearing the end of its life cycle, IT should take measures to replace the equipment, or to work with facilities and end users to correct environmental deficiencies.
While there is no magic sauce that can cure every issue that arises from end users' bad habits, continuous and open communications between IT and end users can go a long way to ensure the wellbeing of employees, managers--and the tech they work with every day.
4 security best practices to learn from the FDIC's data breaches
10 ways to repurpose your IT investments
Report: IT's top challenges and priorities for 2016
Why antivirus programs have become the problem, not the solution