Companies that believe they have communicated their policies sufficiently might need to think again. According to a survey done by security vendor Senforce last March, 73% of the 308 respondents said they store corporate data on removable media, and 46% said they did not have -- or were unaware of -- corporate security policies that protect that information.
Although presenting a flexible work environment would be particularly important for companies whose employees are their assets -- advertising and design firms, for example -- the need to maintain a happy workforce is important in any industry. "It needs to be presented as a win-win situation," the risk manager says. "Explain to the employees that following the guidelines will help to ensure the continued flexibility of the work environment. If you make things too restrictive, younger employees may just pack up and go elsewhere."
Five ways to deal with Gen Y technology in the workplace
When it comes to employees' use of personal technology at work, IT departments often have the unsavory job of enforcer. If a company's acceptable use policies are aligned with the corporate culture, however, that job becomes a lot easier.
For example, let's say a new hire in marketing calls the help desk because he can't access the Facebook Web site. If the corporate culture dictates that nonbusiness Web sites shouldn't be accessed at work -- or only during lunch and after hours --the help-desk staff person can explain that the site is blacklisted and refer the employee to the related policy outlined in the company's handbook. If there's no such written policy, the help-desk staff person is left to do the explaining himself.
"The fundamental part of all of this is setting expectations," says Daniel Gingras, a partner at Tatum Partners, a consulting and executive staffing firm.
Gingras recommends that IT executives take the following steps:
- Understand the culture of the organization. While it's not typically found in an IT professional's job description, understanding the corporate culture is essential to setting and implementing acceptable use policies related to technology, says Gingras. For help, look to HR, upper management, and the compliance and legal departments.
- Craft (or update) a policy that fits with the culture. If the corporate culture disallows iPods in the workplace, the policy must state that clearly. On the other hand, if the organization allows iPods in the workplace but doesn't let employees download music or videos to iTunes, that must be specified, too.
- Communicate the policy repeatedly. A written policy that sits on a bookshelf in the HR director's office won't serve the needs of the company. IT can play a role in communicating policy by asking new hires to sign a document that says they have read the portions of the handbook related to technology, and by setting up logon screens that contain pertinent policy information.
- Create a level of expectation that workers will conform to the policy, and make sure you have the technology in place to enforce the rules. "You have to build in the audit trails so that you trust, but verify," Gingras says. "Everybody [should know] you trust them, until they give you reason not to." There are many data-leak prevention, content-monitoring, and compliance products on the market that create audit trails of employees' actions related to sensitive data.
- Constantly weigh the advantages of a flexible work environment against network security. If policies are being abused -- for example, an employee continues to use his personal Web mail account for business communication, therefore potentially putting sensitive information at risk and circumventing audit trails -- consider blocking the use of personal mail accounts at work.