Offer your clients guidance in defining and implementing a "no personal business" policy for corporate PCs.
The one thing that seems to never change, yet continues to surprise me, is the wishy-washy management attitude toward using company PCs for personal business. Shockingly, some companies still give almost unchecked Internet access to their PCs in light of a few simple facts:
- It only takes one visit to one Web site to pull down an entire system. It sounds extreme, but it does happen.
- With today's technology, you can practice safe Interneting. It isn't hard or even terribly expensive, but it does require consistent management.
- With today's technology, you can easily find and eradicate (... and don't let the door hit you in the ...) employees who think the rules don't apply to them.
Your main concern is maintaining a healthy computer system, but this problem affects more than IT. According to Douglas Schweitzer, in an article for SAP News, the "International Data Corp. estimated that 30% to 40% of employee Internet use isn't work related. And according to Nielsen/NetRatings, 92% of online stock trading occurs from the workplace during work hours and 46% of online holiday shopping takes place at work."
Perhaps more disturbing is the use of business PCs to visit pornography sites. According to SexTracker, 70% of traffic to pornographic Web sites occurs between 9:00 A.M. and 5:00 P.M. Not only are employees putting the system that you maintain at risk, they're using employee time to conduct personal and often unsavory business!
As a competent consultant, you must help your clients create a policy that states and enforces the following mandate: No one can use company PCs for personal use -- no one, nothing, not even a quick look at the online news every morning -- nothing! Is that too strict? Possibly, and in the end, you must let your client have a little rein on this one, but in return, the client must help you protect their system with an established policy and no-nonsense repercussions for employees who refuse to adhere to that policy. Your job is to help your client define, adopt, and enforce this policy.
Step 1: Define the policy
Creating an Internet-use policy is a collaborative effort. As always, you advise, but your client decides. There are three possibilities: No access, limited access, and complete access. Help your client determine the monetary commitment and repercussions of each level. This is a good time to analyze the costs of an open-Internet policy. After all, if nothing bad or terribly expensive has (yet) happened, it might be difficult to convince your client that a more aggressive and expensive approach is necessary.
Step 2: Adopt the policy companywide
Inform everyone of the new policy and then supply them with a copy and be accessible for questions. Then, purchase and install the tools to enforce the policy because you know some folks are going to ignore it. Block access to all but authorized sites and install tracking software. In addition, if you haven't done so already, block unauthorized downloads. If that all sounds a bit too much like Big Brother, you might be in the wrong business -- seriously. (I'd like to see a discussion on the policies and tools you use to inhibit and track Internet access and downloads.)
Step 3: Enforce the policy
Enforcing the policy is really out of your hands. You advised your client in step 1, but it's up to your client to act. However, you might help distinguish between an intentional breach and an accident (and that does happen -- I can't even describe what I managed to pull up the other day while searching for a specific author during a work-related task). Accidents aren't the only thing you'll have to consider -- knowledgeable employees can participate in subterfuge.
Let me share a personal experience in this area. A certain Fortune 500 client has a sophisticated surveillance room where employees keep an eye on critical areas of the building. During an internal audit, pornography files were found on one of the local systems in the surveillance room. There was some discussion of firing everyone in surveillance -- three shifts' worth of employees! I opposed that decision because the local drives in the surveillance room were part of a larger network. This meant that any employee with the right knowledge could've downloaded those files from another location in the building. Proper tracking software wasn't in place so there was no definitive way to know who initiated the download. In the end, they put a letter in each guard's personnel file, which I also officially opposed. There was no evidence that a guard downloaded those files. Without evidence, it was nothing more than a lesson to their internal IT management that they weren't getting the job done.
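As an added illustration (not code from the article), here is a small audit script that applies the "authorized sites only" and "no unauthorized downloads" rules from step 2 to proxy log lines and attributes each finding to a logged-in user, falling back to the source address when no user was recorded, which is exactly the attribution gap in the surveillance-room case above. The log format, host names, users and addresses are constructed for the example.

```python
# Added example: allow-list audit with per-user attribution over proxy log lines.
import re
from collections import defaultdict

# Constructed log format for this example (not any product's native format):
# "<time> <user-or-dash> <src_ip> <host> <path> <ALLOW|DENY>"
SAMPLE_LOG = """\
09:02:11 jsmith 10.0.5.21 intranet.example.local /timesheet ALLOW
09:04:37 jsmith 10.0.5.21 shop.example.com /cart DENY
09:10:02 - 10.0.5.40 files.example.net /tools/setup.exe ALLOW
10:15:44 mlee 10.0.5.22 erp.example.local /reports/q3.pdf ALLOW
10:16:09 mlee 10.0.5.22 trade.example.com /portfolio DENY
"""

# Hypothetical business allow-list and download block-list for the example.
ALLOWED_HOSTS = {"intranet.example.local", "erp.example.local"}
BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr", ".zip"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


def parse_line(line):
    """Parse one constructed log line; return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    time, user, src_ip, host, path, status = m.groups()
    return {"time": time, "user": user, "src_ip": src_ip,
            "host": host, "path": path, "status": status}


def audit(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return findings keyed by user; entries with no user are keyed by source IP,
    so the report makes the attribution gap visible instead of hiding it."""
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        who = e["user"] if e["user"] != "-" else f"unattributed:{e['src_ip']}"
        # Any request to a host outside the allow-list is a policy finding,
        # even if the proxy already denied it: the attempt itself matters.
        if e["host"] not in allowed_hosts:
            findings[who].append(("non-business host", e["host"]))
        ext = e["path"][e["path"].rfind("."):].lower() if "." in e["path"] else ""
        if ext in BLOCKED_EXTENSIONS and e["status"] == "ALLOW":
            findings[who].append(("unauthorized download", e["path"]))
    return dict(findings)
```

Lines keyed `unattributed:` are the ones a client cannot act on against an individual; they point at a logging or authentication gap to close before any personnel action.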
Be prepared to acquire a curmudgeon reputation among your client's employees once you take a stand on the issue, but being popular isn't your goal. In my opinion, the best policy is a closed one -- business PCs are for business use, period.
TechRepublic resources about Internet usage policies
- Craft your own Internet usage policy with this sample
- Clear usage policies protect everyone
- TechRepublic Pro's Internet Usage Policy