E-mail and the Internet are the most important communications tools used in business today. Of course, along with increased use comes increased risk, especially when the employees in your organization are given no limits on how to use these tools. Installing firewalls and other security applications is one way to address system security.

A second way is to educate users on the danger inherent in e-mail attachments or other files by creating a policy that addresses it. This policy should explain clearly what kind of user behavior is acceptable and what is not. That’s easy enough, if your rules are clear-cut. The real hurdle, as any IT manager knows, is convincing a group of people to cooperate despite the fact that you’re likely taking away some of their rights and privileges. Here are some tips for getting over that hurdle.

Get it in writing
When Steve Ediger, Manager of Information and Communication Technology at the Woodstock School, wants to inform end users about what’s acceptable and what’s prohibited with his company’s network, he uses two documents. One is a general Acceptable Use policy; the other, dubbed the Network Usage Guidelines, is a more specific document that changes according to the current needs.

“After they’ve read and signed a contract stating that they have read and understood these documents and agree to keep themselves informed about changes to the Network Usage Guidelines, users are issued passwords and trained,” Ediger said. Training in this case means a quick overview of the e-mail system, confirmation that users can actually get into their network folders, and a focus on what the usage policy means in practice.

If users understand the reasons behind the decisions, they’re apt to accept them more readily.

Getting user buy-in
But what if you’re introducing a new policy to an existing group of users? According to Antoinette Taylor, Solution Center Supervisor and Certified Help Desk Manager for the City of Raleigh Information Services, the first step in ensuring user buy-in is to make sure the policy is clear, understandable, and free of vague terms.

“In Internet usage policies, for example, you don’t want to use terms like ‘morally objectionable’ when describing unacceptable types of downloads or browsing habits,” she said. That would leave the documentation open to interpretation, something you definitely don’t want. “You have to drill down as much as possible to define what you mean by terms like that. If you don’t want users to download MP3s or file-sharing software, then say that.” She also recommends avoiding dictatorial wording. Terms like “You WILL do this because…” can sabotage your efforts and make users less likely to adapt to the new rules.

The second step in ensuring user buy-in lies in how you roll out the policy. Toward this end, Taylor uses an old sales concept called FEBA. The acronym stands for

Facts—what the problem is

Evidence—how we can fix the problem

Benefits—how the company and the users can both benefit by following the fix

Agreement—a promise from end users that they’re going to live up to the agreement

When you’re stating the facts of the problem, Taylor suggests using real examples whenever possible. By making users see a cause-and-effect relationship, you’re increasing their understanding of the need for change. Tell them in solid terms about the money and time your organization loses after security breaches.

Also, it helps to include problems that users are expressing frustration about themselves. For example, if users are complaining about slow e-mail, point out that the slowdown is a direct result of misuse of e-mail (large attachments, downloads). Show them how a change in policy (the evidence) will positively affect workflow (a benefit). If they can see that you’re offering a solution to a problem they’re personally experiencing, they’ll be more willing to become part of the solution.

Enforcing policies
Some managers would say that seeking buy-in is a Pollyanna approach to policy adherence. We’re not suggesting you depend on policy alone. Companies like WebTrends make logging and filtering software and hardware to help screen out unwanted Internet traffic. Also, you can screen e-mail for spam and viruses and even block messages originating from your facility based on words or phrases. Taylor used network monitors at companies she previously worked for. She said she was able to catch employees who were using their PCs to swap MP3s when she saw excessive amounts of data packets coming from those PCs.

If an employee knowingly breaks a policy rule once, Taylor recommends a strong reprimand. If the behavior continues, you’re covered—you have a company-sanctioned Internet policy signed by that user that you can use as grounds for dismissal.

Of course, you’re going to have the occasional user who inadvertently downloads a virus or who opens an infected attachment despite your exhaustive efforts. To bring home the repercussions of these actions, Taylor suggest tying certain IT-related policies to individual performance evaluations, under areas such as appropriate use of company assets.