Sponsored By

Opinion: Draconian Security Policies Create Their Own Problems

While security is important, clamping down too hard can lead to an employee exodus.

Barbara Krasnoff

September 6, 2005

4 Min Read

Companies walk a difficult line when they try to determine how to handle their employees' computer use. The proliferation of malware—and the very high likelihood that an unwary staff member will download spyware, or surf to a worm-laden site—means that IT departments and small business owners have to be careful about what's happening on their networks.

The fallout from an invasion can, at the least, cost the IT staff several hours of cleanup; at the worst, it could mean lost data, lawsuits, and other nasty consequences. As a result, businesses have been forced to invest in keeping their systems secure and their staff out of danger, using security software, restricted access, and a variety of other methods.

Now, I know, and you know, that this issue has been covered extensively on TechWeb, and on hundreds of other sites, blogs, and newsletters. So why even bring it up? Because while I see a lot of coverage of how to keep organizations safe, I don't see a lot of coverage of the fallout in lost time, lost tempers, and lowered morale when security restrictions are issued without enough consideration for the needs—and feelings—of employees.

For example, blocking all instant messaging could be a very good idea when employees are spending too much time chatting about the latest football scores—but what happens if they need to chat with off-site workers? Preventing all downloads will keep out unneeded and malevolent software—until somebody finds that a necessary file is inaccessible. And file blockers will keep out the porn and gambling sites, but could keep relevant sites out as well.

All of these problems have solutions. For example, back in May, Secure Enterprise Magazine offered advice on handling the public IM systems, including implementing a private enterprise IM solution. It could even be something as simple as providing employees with an accessible contact should they find an exception to a no-download policy, or in case a site they need to access is blocked.

But most importantly, employees should feel that the security policies are in place in order to safeguard the company's networks and data—not as an expression of distrust. The Internet is no longer simply a place to work and play—it is a medium that has become as important to personal day-to-day communications as the telephone or the newspaper. It may be a temptation to keep problems at bay by limiting your staff to the absolute minimal—no IMs, no personal e-mail, no access to any Web sites except those necessary for business—but consider how that will make your employees feel.

A couple of years ago, while I was working for a small, ten-person firm, the owners decided it was time to do something about Web security. Other, wiser administrators would have informed their staff of the necessity for the restrictions, put Websense or similar Web-filtering software on their system, and placed reasonable restrictions on personal Internet use—for example, only during lunch. Instead, they sent around a notice saying that it was utterly verboten to use the Internet for anything that wasn't absolutely work-related at any time, and surreptitiously placed spyware on our computers to monitor compliance.

The result was highly predictable. Within a few weeks, most of the employees had dropped back into their old habits of checking their e-mail and doing a bit of surfing during lunch and breaks. And when I found something was leaving cookies labeled "spylog" on my system, I immediately deleted them from my system.

A few days after that, everybody got called into the principal's office and scolded for disobeying the rules. It was the beginning of a slow exodus during which several good employees left for greener pastures.

Except for me. I got fired.

Barbara Krasnoff is Reviews Editor for TechWeb/Pipelines. The TechWeb Spin TechWeb's editors are busy assigning and editing and linking and otherwise creating the content you see on TechWeb.com and the Pipeline sites, but we wanted the chance to tell you what we see and what we think about it directly. So, each week, The TechWeb Spin will bring you the informed insight and unique perspective of a different TechWeb editor: Fredric Paul, Scot Finnie, Tim Moran, Stuart Glascock, Alexander Wolfe, Val Potter, Barbara Krasnoff, and Cora Nucci. We hope you like it, and even if you don't we hope you take the time to tell us what you think about it.

Check out The TechWeb Spin Archive.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights