Kachina Dunn spoke with David Smith, COO for Burstek, which develops and deploys employee Internet management (EIM) tools.
Dunn: Internet access management requires the right combination of technology and policies. What policies should be in place, and how should IT go about determining whether their policies in this area are adequate?
Smith: Policies are necessary to protect an organization, but they need to be based on the unique needs of the business and should be flexible and relevant. IT divisions and other groups within these organizations need to work with all relevant business stakeholders - key representatives from your legal, human resources and IT departments, at minimum - to define acceptable use policies that ensure the appropriate use of business resources and ensure adherence to all appropriate guidelines such as HIPAA, GLBA and Sarbanes-Oxley.
If your business has an Internet access policy committee in place, the committee should perform a thorough review of existing Internet activity within the organization before developing concrete policies. If no such committee is in place, I encourage companies to install a trial version of a sophisticated but easy-to-use Internet activity reporting software to their systems in order to identify and evaluate problem areas. Three key areas of personal Internet access/usage to look at are legal liability categories, security risk categories and general productivity loss categories.
After tackling the definition of policies for the most malignant misuses (porn, hacking, gambling, hate speech, etc.), management should refocus on areas that the average employee will abuse more readily and that therefore represent just as big a risk in the form of lost productivity. Shopping, entertainment, personal e-mail, can all be grouped as general productivity loss categories. Because employee morale may be impacted as seemingly harmless Internet behavior is scrutinized, developing policies for these areas is often challenging; hence, the need for a multidisciplinary policy committee.
In all cases, Internet access management technology should complement any policy and provide IT with the capability to enforce the policies in a timely and effective manner that does not impede the natural flow of conducting daily business.
Dunn: The policies may be in place, but can you provide some guidance on backing them up with strong training programs?
Smith: Strong training programs do well to initially educate employees on appropriate Internet conduct; unfortunately, bad behavior is a hard habit for many cyber-slackers to break. A combination of a strong acceptable use policy, relevant training, an ongoing dialogue with employees regarding the impact of productivity losses on their jobs and a successful Internet management tool is the best overall solution to ensure long-term success.
Dunn: Where does IT most often make mistakes or overlook portions of an Internet access policy and management strategy?
Smith: Mistakes in the creation of an Internet access policy and management strategy are made when policies are created without taking into consideration the needs of the business users who leverage the Internet to make their jobs more effective. Too often, policies are created to address every possible scenario. In the end, these policies only handcuff the employees who need access to specific Web sites to perform their job in an effective and efficient manner. Developing and implementing a policy on paper without input from business line managers on how their employees use the Internet only breeds disgruntlement and causes bottlenecks to driving the daily business.
Further, when selecting Internet access management technology, an organization should consider the strength of its flexibility and customization features Many organizations set the software and forget it, failing to utilize the product features to reflect the individual and changing dynamics of their firm and their Internet user base. A more effective approach is to keep at it, periodically reassessing and making refinements as needed.