Out of Control User = Frenetic IT

By Christopher Burgess

When you access your email each day, do you do so at a distance of 15 paces because you’re just not sure what might jump out of that inbox? You can just about anticipate an email detailing how another user has caused a “blip” that will stretch your capabilities to protect both the user during their online engagements and the assets of the company. Or perhaps there will be an email asking to set up a meeting of all concerned to discuss how the employees in the sales department believe your information security policies are standing between them and their ability to do their job. Whose responsibility is it to keep the user engaged, informed, and compliant with company policy? Odds are, information technology leads will find their constituents asking how to accomplish something that wasn’t anticipated when the policies were created.

In a previous blog, “When Your Employee Doesn’t Want to Come to the Office,” I shared my thoughts on the mobility aspects of the employee who wishes to work remotely. Today Cisco released part two of the Cisco Connected World Report and confirmed my hypothesis above: email inboxes are overflowing and IT departments are racing to catch up as the consumerization of the workplace continues. Reading part two of the report, I was encouraged to see that more than 80 percent of IT department respondents noted they had an IT policy. What I found disheartening were the results from end users, which detailed that ~24 percent of respondents didn’t know a policy existed, let alone where to find it. If that is the case, the escalation of policy collision isn’t going to occur.

Are your employees prohibited from accessing social networks? The survey showed that of those that blocked or restricted access on their jobs, more than 50 percent of their employees will find their way to the social networks in violation of the policy. The reality is employees follow the path of least resistance, and like water flowing down a rock-covered hill, they will find a path. Similarly, some employers (approximately 36 percent) prohibit employees from using personal devices in the course of their official duties, while more than 60 percent of employees can and do use personal devices in the performance of their official duties.

So even if the employee is racing into the technological abyss and using the latest and greatest software applications that have crossed their radar, the employee may be in a blissful state, not realizing that their unvetted application may be putting the entire enterprise at risk.

When this occurs, the situation becomes chaotic and frenetic. IT departments race to educate and discussions take on urgency, where only one side of the equation understands the “why.” At this point, they are racing to plug the new hole, as well as educate the individual employee who created it. If this is you, it begs the question: is there a regular security awareness and education regime that goes beyond the coasters, posters, and cafeteria table-top triangles? Are you really engaging the individual employee? The survey advises that one in five employees will break the IT policy simply because they know enforcement is not going to occur, or because the likelihood of detection is close to nil, so the personal downside risk is perceived as not being an important or calculable issue.

Therefore, in addition to having a security and awareness program, one needs to ensure the education side of the equation includes all employees and clearly states the “why.” No longer is it possible to rely on the age-old adage of our parents, “You’ll do it that way, because I told you so!” Now, the IT department must be prepared to explain why the seemingly unencumbered, externally available, social network environment wasn’t designed to house the company’s human resource files. The IT department must also be prepared to understand how the external environment was perceived as enhancing the calibration and throughput, as clearly there is a void within the company that employees gravitated toward so that they might perform their primary tasks more effectively. It’s never enough to say that it is out of bounds, without investing the time to listen to how your employees found themselves out of bounds.

As I noted above, if the policy stands between the employee doing their job successfully and being unsuccessful, who really believes the employee will opt to adhere to the policy and fail in their job performance? It is unfortunate, but rare is the employee who raises a hand and says to both their management and the IT department, “You know, this policy on social media is sitting between me and being successful in doing my job.” How can you jumpstart that conversation so that those hands being raised aren’t a rarity? In the survey, more than 70 percent of the employees noted that they believed their relationship was good with their IT department. However, only 22 percent believed their employees actually understood their role in protecting the strategic assets of the company.

May I suggest that, when crafting information security policies, you include those most affected by the policy in discussions about the wordsmithing, implementation, and most importantly, compliance and enforcement. When collaborative creation occurs, policies will no longer be viewed as an iron ball and chain to be dragged about by the employee in the name of keeping the company safe and secure. Rather, the policy is owned by the employee and their business unit as a tool that enables and carries the business toward success.

For Additional Reading:
Social Elements of Security Policy and Messaging
Security – Who is Responsible?
Common Sense Approach to Social Media
Social Media – Security Risks? It Depends Where You Happen to be Sitting