HR & IT: Best friends forever?
As employees in companies of all sizes continue to discover new and creative ways to use the web, organisations today are struggling to maintain control of the corporate network while empowering workers, partners, and other stakeholders with access to critical functionality. A staggering number of new social networking applications have emerged and the number grows daily.
While it’s undeniable that social media has brought a new era of opportunity and cooperation for organisations, it has also at the same time brought its fair share of challenges. Many HR departments have yet to fully appreciate the security and compliance issues related to unfettered employee social access. Although security software may help with some aspects of controlling employee access, it is not a panacea.
Indeed, while IT managers were once apt to deny access to applications whose origins were found in the consumer world, such an approach is increasingly problematic. After all, applications such as Facebook have proven immensely valuable for many in the business world, particularly among HR, sales and marketing groups. These social networking sites are now literally the most popular sites on the internet and hence a hacker’s paradise. The increasing number of cyber attacks on these sites – Facebook, Google and most recently LinkedIn – is a testament to this fact.
How can policies and rules be developed to support application control software and protect the information bank of an organisation?
Although most effective policies are developed with input from all departments across an organisation, HR departments must take charge of implementation and education in order to get maximum buy-in from the staff. These policies in turn help to guard the organisation against unexpected and unwanted outcomes, and unethical or even illegal behaviours. As circumstances change, policies must evolve in step with these changes and HR’s input becomes critical in shaping these policies in line with the values and needs of the staff.
Avoiding HR’s coup on the social world
While technology is ultimately a platform to secure an organisation’s network, HR managers are the vehicle to drive this control smoothly through the organisation in a way that will ensure sustainable compliance.
HR is about understanding people’s needs, values and capabilities. Throw social media into this incendiary mix and you have a volatile concoction of emotion, outside interaction, personal bias and situational uncertainties to form a ticking time bomb. So what are the available options for HR departments to defuse the situation without imposing military-style controls that only increase employee resistance and drive operations underground?
One of the key things to remember is that people like to be involved and they don’t like surprises. Any change in the status quo will result in resistance. Policies must therefore be developed with input from the employees through working groups, feedback loops and surveys in order to be effective. Some of the outliers have implemented information sharing and visibility as a best practice in their organisations with great results. HR departments must leverage their expertise in this space to gain the maximum amount of information and develop insights into what is best for the organisation and its people.
If a policy states that users should not access outside mail accounts or Web-based mail agents utilising an organisation’s resources, then the risks of doing so must also be explained to them. HR then becomes the department that can develop and enforce policies to protect the organisation from unnecessary litigation and from vulnerabilities to outside attacks, as well as implement effective controls.
The HR department’s involvement in policy development and implementation must therefore be seen by the employees as part of the solution rather than as part of the problem; this is the basis of sustainable compliance.
Who’s, when’s, why’s and what’s of HR’s involvement
Social media typically poses two major concerns for an organisation and its HR department: namely productivity and security. An employee who spends three hours a day on social media is wasting the company's time and money. Furthermore, since these applications were not designed for business, most don't contain the built-in security measures essential for the enterprise environment.
HR, first of all, needs to identify who in the organisation is authorised to communicate via social media, and why the use of social media is relevant to their role.
Once this is established, it becomes important to assess what types of controls need to be implemented and to what extent they need to be enforced.
The third step is to ensure that in order to monitor productivity and enrich an employee’s experience at work, strategies are in place for when these controls should be enforced or relaxed. For example, should they be allowed to access social media during their lunch breaks or after work or should they have pre-determined times when these controls are enforced, for instance in a call centre during peak hours?
How acceptable does the AUP need to be?
In general, the Acceptable Use Policy (AUP) should be designed to accomplish two important objectives:
(1) Maintain employees’ high productivity levels, and
(2) Keep a company’s network safe from hackers and malware
In order for an AUP to be widely accepted and readily implemented, HR departments should be involved in formulating the policy from the beginning of the process and designing a program that is effective across all departments. HR managers must ideally work with the legal team who play a critical reviewing role; they must then determine if the draft AUP is non-discriminatory, acceptable and enforceable. The finance team should also be engaged in helping to understand the potential financial exposure involved in breaches of the policy.
It is clear that the IT department has the requisite knowledge to create social media policies. They understand the issues and the way the technologies are used. However, it is equally clear that the HR department is also a stakeholder in this area regarding compliance issues and monitoring and enforcing the policy. Yet according to a study conducted by Forrester Research Group, around 40% of businesses have an application policy that was formulated wholly within IT, without the necessary input of other departments, including HR.
In summary, while some software solutions protect an organisation from malicious attacks and data leakage, HR’s involvement in developing, implementing and enforcing the policies becomes a critical step towards sustainable compliance from employees. HR managers can control which applications can be accessed with the use of application control software and content management, and exercise even more granular control over when and who can access these sites. Ultimately, however, they must understand and appreciate the needs of the employees and the organisation alike and find ways to address both.
Application control technology is the HR department’s ally in preventing productivity-sapping network activities while enabling employees to benefit from the new world of work in what has fast become a socially networked workplace in the internet-driven economy.
About the author
Pat Devlin is Regional Director, Australia and New Zealand, WatchGuard Technologies. For further information visit: www.watchguard.com/