Do You Have a Solid Corporate Internet Usage Policy?

September 9

A number of years ago I took a position managing a group of technicians who supported hundreds of Microsoft events each year. While most of their time was spent on the road, during slow times of the season our team was situated in cubicles across the sprawling Microsoft campus. This gave the technicians time to study, submit expense reports, and relax until the next event.

Because we were located on the Microsoft campus, we had access to their corporate network. At the time, IT policy dictated that the internet remained basically open to explore. As far as I remember, the only two sites that were blocked were Megaupload and The Pirate Bay. That was a long time ago and Microsoft IT has probably updated their policies. But sites like Facebook, Netflix, Hulu and the like were open to anyone on the network. I don’t recall a blocked site ever getting in the way of work.

LinkedIn: Sales tool or employee distraction?

Since that time I’ve worked for a number of mostly smaller companies. Their internet policies ran the gamut from having everything open to locking down sites like CNN and NBCNews. One company locked down nearly every image hosting site, including those which sold stock photography, which we often used for design projects. When I approached the IT manager, he told me his philosophy was to blacklist everything he could and then open up sites as requested. And getting a site approved could take weeks because we had to make a case that the site was required to do our jobs. It was such a hassle that most employees just took the work home to do over their own network.

I believe we’ve learned a lot over the past decade in how employees use the web. Most owners understand that employees will use the web in a number of ways, some of which may not pertain to work. But that’s OK, because it’s often less disruptive than a traditional coffee or smoke break. For example, I used to take longer lunch breaks running errands around town. Today I’m more likely to take a few minutes out of my work to purchase many of those same items at Amazon without having to leave my desk.

This week, I want to take a look at a few best practices when it comes to corporate internet usage and how IT can encourage safe browsing behavior among employees.


A few years ago I sat across a table from my manager. It was performance review time, but before we began discussing my goals for the year, he slid a small stack of papers across the table for me to review. As I thumbed through them I was stunned. I was looking at a report of my internet usage for the past years that included every website I’d visited along with the duration I spent there. My boss pointed to ESPN, which was at the top of the list. We had a good laugh together, but it didn’t feel quite right because I had no idea the company was monitoring my internet usage to this degree.

I’m sure that most people will agree with me on this, but it’s worth repeating: It’s always best to be transparent with employees.

You shouldn’t hand over a company asset like a computer and allow a new employee to assume their communications are not being monitored. If you feel that defeats the purpose of catching employees in the act of breaking policy, then you have not hired the right person.

Based on my experience, most employees today understand that company email belongs to the company and will be monitored. The same goes for phone calls and other forms of digital communication. I’ve always assumed my company email is being monitored. But what about my Skype conversations? What about my text messages on a company issued iPhone? It’s always best to be up front with employees on exactly what is being monitored.

As an IT professional, you are in a position to help carve out policies that make sense for everyone. That might mean you spend time explaining a specific technology to a manager to show how it’s being used to increase productivity. A friend recently told me that his company has banned all instant messaging programs even though they were useful when collaborating on projects with remote employees. He was able to find a workaround by using web-based programs that ran over port 80, but clearly this policy wasn’t well conceived. Exceptions can and should be made, especially when productivity is at stake.

Creating a corporate internet usage policy is best done with input from multiple groups such as HR, legal and IT. If you rely on legal to write your policy, you may well end up with one that employees don’t understand. Involving several groups can help ensure that the policy is clear, legally binding and technically feasible without turning your IT staff into full-time internet cops. I’ve come across some policies that were so full of legalese that there was no way anyone outside the legal department could make heads or tails of the policy.

If your company does not have an internet use policy in place, you would do well to begin the process. A Spiceworks contributor posted one of the better policies I’ve read. It could be used as a template for your company. It’s a bit longer than I would like, but it’s written in easy-to-understand language. Get the discussion rolling sooner rather than later.

Consistent Enforcement

Creating an internet policy is the first step. Hopefully, HR has every new employee sign the policy before assets are issued. But that’s only the first step because if the policy is not enforced, all you’ve done is create a toothless rule. Enforcement will often fall to the IT group which means you need to understand what data to collect and have the tools in place to collect that data. Tools can range from software to hardware to networking solutions that we’ll cover another time.

Problems often start small. One employee might spend a few hours watching Netflix while another downloads a song or two off BitTorrent. These might be small infractions that don’t catch the eye of HR. But what happens when you have an employee download gigs worth of movies one afternoon that brings the network to its knees? Or someone installs cracked software that puts your company in legal hot water?

If you haven’t enforced the policy when employees committed small infractions, you can quickly run into serious legal issues when you attempt to enforce it against larger infractions that might result in employee probation or termination. You probably didn’t go into IT because you were looking forward to monitoring how employees used the internet, but that’s part of the job today. The actions of a single employee can bring down a network or put the company in legal jeopardy. You’re often the person who can best mitigate and put an end to the behavior before it escalates into something more serious for the employee and the company.


It wasn’t long ago that both Facebook and LinkedIn were sites that IT often blacklisted. While doing my research for this article I came across study after study that put Facebook at the top of the list of sites employers considered a distraction. LinkedIn was put into a similar bucket to a lesser extent. But today, both sites are used to reach customers and potential clients by big and small companies alike.

The last three years I’ve managed the social media accounts at Puget Systems. During the day, I have Facebook, Twitter and Google+ open so that I can reply to questions about our products and services. Some questions I pass on to support or sales. But that instant feedback from customers allows us to connect in ways we wouldn’t have thought possible a few years back. One of my friends in corporate sales told me that LinkedIn is the “digital golf course” for many of his colleagues as they interact and discuss potential deals online.


When one employee makes a bad decision and uses the internet for nefarious reasons, it’s natural to overreact and lock everything down so it doesn’t happen again. The problem with this strategy is that it can thwart real work and create barriers to information that should be quick and easy to access. If you notice that a few employees are spending a lot of time playing games on Facebook, consider speaking to them instead of blacklisting the site for everyone. At the very least, provide a way for employees to request access to sites they need in order to do their job.


In my experience, the best internet usage policies are simple to understand, consistently enforced and flexible to the needs of the company and the employees. I believe that employees want to maintain the standards of the company and work within the rules, as long as they clearly understand what those rules are. Vague or complex rules are as unhelpful as having none at all.

Looking at the various companies I’ve worked at, those with the most open and flexible usage policies were also those that treated employees with the most respect. Every time a manager or IT creates a new policy, it sends the message to employees that they are trusted a little less than before.

Be open, be clear, and trust your employees. Make sure they understand that you want them to use all the tools at their disposal, but that freedom requires mutual trust and responsibility.