Policy Enforcement

Getting Your Employees To Comply With IT Rules

When computers consisted of black screens with white text, users considered them “tools,” something to be used to accomplish a particular task related to their job. Computers were often only available at work; few people had them at home. They were impersonal pieces of equipment, had limited capabilities, and it was difficult for employees to get themselves or their employers in trouble by using a computer.

But with the development of the graphical user interface, broadband connectivity to the Internet, large storage capacities and the low cost of ownership, nearly everyone has at least one computer at home, and the skill sets necessary to cause problems for their employers. In an effort to protect their interests, businesses have taken steps to try to minimize the impact of improper computer usage by establishing computer-related rules, guidelines and policies that employees are expected to follow. While many excellent policies have been created, trying to get users to comply with them is challenging at best. What are the issues surrounding the lack of adherence to these policies?

Grouping Users

When analyzing the problem, it is easy to see that there are two groups of users that fail to follow policies. The first group consists of the “uneducated users.” These are computer users who have no understanding of how their systems work or the consequences of their actions. These types of users have been lulled into complacency because their computers no longer feel like tools, but have been personally customized so that they feel like “toys.” Desktop wallpaper consists of personal pictures of family members, pets and vacation photos. Screensavers have been installed that represent their favorite hobbies. They can now play games like Solitaire and Freecell, download and play their favorite music, collect and distribute their personal photos and research topics of personal interest on the Internet. The icon that has appeared on the desktops of personal computers for years, “My Computer,” has helped foster the idea that people can do what they want with a computer. In addition, the personalization of computers has caused users to forget the true power of the systems they are using.

Twenty years ago, systems with the computing power of our desktop computers would have filled a large room. These types of users do not understand the impact of their actions when they do not comply with computer use policies. They feel that keeping systems secure and “up and running” is someone else's responsibility.

The other type of user that does not comply with policies is the “arrogant user.” This group of users feels that they are too important to comply with policies. Policies are for everyone else; they feel they are more powerful, intelligent and sophisticated than everyone else, so they can do what they want on corporate systems.

Both of these groups will open attachments to emails from unknown senders, they will succumb to phishing scams, they will download and install unauthorized software on systems, they will visit non-work related sites while in the office, they will play illegal copies of songs on corporate systems and they will attempt to bypass every rule, policy and security mechanism put in place. This behavior can be stopped with proper mechanisms and policies. It is important to remember that even the user with the best intentions will violate computer-related policies if given an opportunity.

Enforcing the Policy
