Using Work Tools for Personal Stuff?
Most people now expect seamless connectivity. The boundaries between work and personal life blur as employees sign onto Facebook at work and access company systems from home.
But those blurred lines can have security implications for your small or mid-sized business. Do you allow workers to load workplace applications onto personal iPhones? Do you permit the use of social networking sites at work? Is it okay for an employee to use a work-issued smartphone for personal matters?
Chances are your business hasn't adequately addressed these personal tech issues, says Mark D. Rasch, co-founder of Secure IT Experts, which advises businesses about security. "What I'm seeing people do about it is a lot of nothing," Rasch says.
Your first reaction might be to firmly establish distinctions between work and personal use. For instance, some companies ban the use of social networking sites at work and on work devices. But that's not likely to work, say Rasch and Andrew Storms, director of security operations for nCircle, an IT security vendor.
"Today, everyone is highly connected and many workers see very little difference between work and personal time," says Storms. "Companies need to understand this new paradigm and adjust their approach to security accordingly. Fighting to bring clear separation between work and personal space just eats up scarce IT resources and leaves IT as the bully that won't allow people to get their work done."
Your time is better spent crafting a common-sense approach that acknowledges the nature of communications today, along with your security needs. Rasch and Storms offer a checklist of steps you should take:
- Establish or re-evaluate usage policies.
Many businesses wrote Internet usage policies a decade or so ago and haven't revisited them, says Rasch. These businesses make the mistake of not recognizing the unique nature of social networking, with its casual, conversational tone, the sheer volume of communication involved and the lack of privacy, Rasch points out. "It's not the hardware, it's the people," Rasch says. "The social network is much more dangerous than the computer network."
- Evaluate how you expect employees to use — or not use — social networking.
After all, there can be a business benefit to your employees' presence on Facebook or Twitter. Spending time on Facebook at work is part of the job description for Chanelle Cotton, an account executive with a Brooklyn, N.Y., strategic marketing firm. Cotton uses her personal Facebook account to promote business. She often invites friends to join the fan page for the marketing firm, and the company uses Facebook to promote upcoming events. But while socializing on Facebook is considered business-friendly, Cotton's employer doesn't allow her to use her cell phone to text or talk to friends while she's at work. "Establish policies but be personable about them," says Storms. "Most companies already have enough legalese to cover them in terms of liability. If you take the stance that your employees want to do the right thing, it behooves you to take the time and speak plain language to them."
- Inventory employees and equipment.
Keep track of the level of access granted to each employee. After all, points out Rasch, a line worker operating a drill press in a manufacturing plant has no reason to access Twitter during a work shift. On the other hand, a sales rep drumming up business for your company can make a legitimate case for open access. In the same way, it's important to track applications or devices you won't allow and to inventory the level of access you permit on office and remote equipment.
- Understand the security implications of your policy.
For instance, says Storms, allowing employees to install proprietary information on their personal devices is a high-risk proposition, while permitting access to social networking sites at work is less risky. However, the nature of the information your employees post could affect business. Salespeople might unwittingly reveal information about calls through Twitter. Hackers might use personal information gathered through Facebook to pose as an employee and gain access to a system.
- Educate users.
It's not enough simply to establish plain-language guidelines. If you want employee buy-in, explain why certain actions are limited and what the consequences could be. In some cases, businesses limit personal communications because of the lost time involved. You'll make a stronger case, though, if you clearly outline potential security implications. "Most employees don't intend to introduce security risks. They just don't think about security very often," says Storms.
- Involve IT.
It makes good sense to vet policies and practices through the people who keep your systems going. Involving IT in the conversation often helps provide best-case solutions. How can your employee make it to his kid's soccer game yet finish work at home on sensitive material? Having IT personnel engage employees in conversation breaks down barriers and fosters understanding on both sides.
- Give yourself wiggle room.
Create that clear usage policy, explain it, and publicize it. But give yourself leeway, say Rasch and Storms. "You want to write policies in a way that they have flexibility and allow you to evaluate individual circumstances," Rasch says.
Finally, understand that evaluating and updating your usage policy is going to be an ongoing process. "Every significant change in technology creates a whole new set of legal issues," Rasch advises.