The Tricky Business of Network Use Policies

The IT manager at Vienna, Va.-based C2 Technologieswas frustrated. So many employees were downloading viruses that the company's networks had slowed to a crawl.

One of the likely sources of the viruses was the company's instant messaging system. It was impossible to determine who was IM-ing relatives in Thailand and who was IM-ing a client about a project. So the IT manager did what he figured was the next best thing: He brought the IM system down.

"Everyone screamed at him," said Dolly Oberoi, C2's CEO. "He had to bring it back on. But he's still looking at ways to control it. It's hard to find a clean way."

In an environment where it's common for employees to surf the Web and download software apps at will, viruses and high network traffic are frequent occurrences, and security breaches are a risk.

The network usage adds up. Employees may be e-mailing and IM-ing clients and friends multiple times a day, checking out their friends' latest YouTubevideos, watching work-related video tutorials or demos, shopping online, and using any number of Web apps to do their work. That's when networks can start to creak.

For Whom The Network Tolls
Managing what employees do on a company's network turns IT managers into tightrope walkers, perched precariously on a fine line hovering over issues of security, loss of productivity, and network overload on one side, and employee trust, morale, and retention on the other.

Some companies take the approach of Edinburg, Texas-based First National Bank. Its senior VP, Brent Rickles, said the bank's policy is to be as restrictive as possible when it comes to network usage. This means that none of its 40 employees can install software on their own, all e-mail servers -- besides the company's -- are blocked, YouTube and similar types of sites can't be accessed, and there's no IM-ing allowed.

"I don't want my customers to read that one of my employees used their Hotmail account to send out someone's bank balances," said Rickles, who added that while security is the main reason for the restrictive nature of the company's policies, productivity is a side benefit.

"I've been other places, and I've seen people doing a lot of personal stuff and wasting time," he said.

Setting A Network Policy Is Tough
C2's Oberoi would tend to agree that instant messaging is incredibly distracting. "It's similar to a phone ringing nonstop. E-mail is also distracting, but instant messaging is worse," she said. "But it's an excellent communication tool."

She should know. Part of the reason why her IT manager had to bring the IM capability right back up was because it was the only way to communicate with one of C2's larger clients. "He preferred [IM] to phone and e-mail, and we were in a fast development cycle with them," Oberoi said.

Oberoi said she can see the impact instant messaging has on the quality of work of some of her employees -- especially those who have relatives overseas -- but she has not yet formulated a policy on the tool. "Do you allow it for personal use? How do you control it? We strategized with ways to limit IM for personal use but we couldn't [do it]."

Coming up with a policy is complicated, but enforcing it is perhaps even more so. Technically, the more restrictive an approach, the easier it is to implement. Rickles uses an Internet filtering device, St. Bernard iPrism, through which all Internet traffic in the company flows. The bank also uses Sanctuaryto prevent any unwanted software from being installed. "Even if someone manages to download something, it won't work," said Rickles.

The 200 employees at Royal Food Servicehave a similarly restrictive policy at their place of work. The Atlanta, Ga.-based food service distributor that serves the Southeast has a policy that confines Internet usage to business use only. Company CIO Jerry Maze said the company owners see the Internet as a huge time waster. "I see it as a huge security risk," he said. In particular, he considers instant messaging "one of the biggest time wasters on the planet."

Enforcement at Royal Food consists of ScanSafe, Web-based software that evaluates all Internet access requests and grants access based on Maze's dictates.

It's More Complicated Than It Looks
But for many companies, network usage is more complicated. Just ask Pradeep Tripathi, CEO of SysTech International. The 100-employee, Murray, Utah-based company develops IT systems for the vehicle inspection market. Because it works with government agencies, security is critical to the company's success.

SysTech had implemented eTrust from Computer Associates,which controlled access to Internet sites, but Tripathi said that in addition to his employees being resentful over the controls, the system wasn't practical in implementation.

"If someone is doing research, you can't predict where they will go," said Tripathi. "We were making lists of prohibited sites and allowed sites, but it was very hard to know. It was an ominous task."

For instance, Tripathi said SysTech tried to block off sites with e-mail, but then they had a client with a Yahooaccount and they had to open it up. "We don't have control over users," he said.

SysTech now relies on filters from its ISPand Norton Security,and Tripathi has a more sanguine approach.

"You need to have a compromise between technology and the people involved," he said. "You can't just carry the load by technology but by the people in the environment."

The company also limits employee access to databases and uses a corporate edition of instant messaging that has virus protection. "It's not bulletproof, but we have better success at our audits," said Tripathi. "You want to have respect for people's privacy, but you need to have confidence in employees."

It's a management issue as much as a technological one, said Tripathi. "Managers need to manage people," he noted. "They can see what they're producing. You don't want to be monitoring someone's IM to his wife. Some of that crosses someone's personal space. Unless it's clear abuse, we just don't go fishing."

Tom Austin would agree. He's a distinguished analyst at Gartner, and he sees network usage issues as a management problem, not a tech problem. "If I'm not producing, I should be fired," he said.

According to Austin, it's "alarmist headlines" that get many companies worried about what their employees are doing on the Internet and that frequently lead to draconian policies that aren't necessary or helpful.

"We see the Internet as a source of bountiful supply," he said. "There's a business value to the Internet," he added, noting that YouTube can be used to watch product demos or instructional videos.

Austin acknowledges that there are a small number of sites that should be banned in the workplace as a matter of social responsibility -- like hate sites or porn sites -- but even in those cases, there's no formula. "I was talking to one client who has social scientists [on his staff], and they need [those kinds of sites] to do research. So there are no absolutes."

Gartner research VP David Mario Smith acknowledges that there's potential for security breaches, especially from instant messaging, social networking, text malware, and viruses. "There's concern for enterprises," he said. "When co-workers 'poke' each other [on Facebook], that [could be] an HR issue."

But Smith also believes that "archaic blocks" aren't the answer. "People use MySpacefor business purposes," he noted. "Look at the value proposition."

Smith suggests communicating policies, establishing some form of enforcement, and empowering and trusting employees to take it from there. It's all about empowering users and employees. "You need to trust people to do their jobs. You don't want to stifle productivity or creativity. [The Internet] should be for the purpose of enhancing business," he said.

Liberal Approach
Oberoi said that she has been liberal in the company's Internet and software use, mainly out of concern that any other approach will breed employee resentment.

"We're a small company," she said. "We have retention issues. If we make it miserable, why should they stay with us?"

But Gartner's Austin wants to see companies move beyond just empowering employees; he wants to see employees take responsibility for their network usage.

"[Companies] should provide guidelines and then shift responsibility to the users. Hold them accountable," he said. "We just assume IT should be responsible for everything related to IT, but that's wrong. If someone clicks on malware, they should be held accountable. It's a new era, and IT realizes they can't control everything."

The problem, as Austin sees it, is that many companies have policies on network usage, but no one has really figured out how to enforce those policies. "IT managers haven't figured out how to deal with a nuanced world," he said.

The answer isn't to lock everything down. Instead, Austin advocates more safeguards and protection. "Don't inspect files that are uploaded, but don't assume people's machines are clean," he said.

Both Austin and Smith believe that the business end of the company needs to drive policy creation. "Technologists tend to control too much because they can build inflexible systems," said Austin. "Then business says IT is slowing us down. There's no such thing as zero risk. It's the business executives that need to figure out the tolerable level of risk. They need to think about agility and flexibility. They need to be part of the IT discussions. But with zero risk, no one would get anything done."

Naomi Grossmanis assistant editor of bMighty.com.