As a Director of Security for your organization, what policies or plans could you implement that might help control or diminish personal Internet use at the workplace? Do you trust that employees will use common sense and good judgment, or will you risk employee backlash when they discover that you’re implementing monitoring software?
Personal Internet usage is one of the identified performance constraints in any organization. It affects work process efficiency and might jeopardize the company's secure information. Checking personal mail, chatting, viewing unauthorized websites, playing games, etc. are common “behaviors” that have a direct impact on worker productivity and performance. It affects the organizational goal when this activity leads to poor quality of work, increased cycle times, loss of vital organizational data to outsiders and breakdown of organization-wide Information Systems by virus attacks and spam mails. At the same time, allowing an employee to use the internet to explore more about his work area skills will lead to increased productivity. With this view in mind, as the Director of Security, I will attribute the kind of control process to be applied here as greatly related to “Behavioral Control”, where we track and monitor employees’ actions to see whether they support the organizational goal (Williams C. 2007). I would also be inspired by Goldratt’s Theory of Constraints to see this behavior as a constraint that needs to be controlled and coordinated in such a manner that expected goals are achieved (Goldratt E.M. 2004).
First of all, I will analyze the work processes of each work group (e.g. Developers, Analysts, Supervisors, Managers, Data Entry Operators, Customer Service Representatives (CSRs), Support Personnel) and identify their “level” of need to access the internet. For example, the Developers, Analysts, Supervisors, Managers and executives need to have access to all the technical reference websites, popular search engines and general commercial websites that they use to benchmark and study. For Data Entry Operators, CSRs and Support Personnel, access will be restricted to a single search engine (Google) for accessing authorized websites and internal technical references. In general, access to all personal banking websites, porn sites, cultural websites, games websites, chat sites, popular e-mail websites and messengers is restricted for all employees. The idea is that the work process involved, and the nature of internet access required to perform that process efficiently, is identified. Accordingly, standards are set so that every work group member is expected to follow them. Here, the goal is to avoid “misuse of internet” (the constraint) and thus reduce the cost incurred via loss of relevant company information (spoofing, phishing, key logging, etc.) and a compromised company-wide Information System (viruses, spam, network clogging, SQL injection attacks, etc.). The standards will be mapped to firewall rules where the internet access rules for each work group will be defined. Each user’s access to the internet is checked against the rules, and the user is given a warning when that access is outside his list of authorized access. When the warnings exceed a limit, the user’s internet access is automatically locked and further disciplinary action is taken (corrective action).
The control policy that I described above is not a hidden process that the employees are not aware of. It involves both control and monitoring components. Every employee knows the standards, and they know that their need to access the internet for improving their job performance is already provided for and anything more than that is not acceptable. I don’t think in such a case there is a need for any negative reaction. Yes, absolutely, I trust that employees will act according to their conscience and make intelligent decisions to maximize their productivity.
1. Williams C. (2007). Management: Control (4th ed., ch. 16). Thomson South Western.
2. Goldratt E.M. (2004). The Goal: A Process of Ongoing Improvement (20th An. ed.). North River Press.
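
The work-group rules, warning counter and automatic lock described in the essay, sketched as an added example that is not part of the original text. Category names, hostnames, user names and the limit of 3 are constructed assumptions; a real deployment would take categories from the firewall's own URL-classification data.

```python
from dataclasses import dataclass, field

# Categories denied to every work group (taken from the essay's list).
BLOCKED_FOR_ALL = {"personal_banking", "adult", "cultural", "games",
                   "chat", "webmail", "messenger"}
FULL = {"technical_reference", "search_google", "search_other", "commercial"}
RESTRICTED = {"search_google", "internal_reference"}
GROUP_ALLOWED = {
    "developer": FULL, "analyst": FULL, "supervisor": FULL, "manager": FULL,
    "data_entry": RESTRICTED, "csr": RESTRICTED, "support": RESTRICTED,
}
# Constructed host-to-category table standing in for a URL-category feed.
HOST_CATEGORY = {
    "www.google.com": "search_google",
    "docs.example.org": "technical_reference",
    "shop.example.com": "commercial",
    "wiki.corp.example": "internal_reference",
    "mail.example.com": "webmail",
    "games.example.com": "games",
}

@dataclass
class AccessPolicy:
    warning_limit: int = 3          # assumed value; the essay only says "a limit"
    warnings: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def check(self, user, group, host):
        """Return 'allow', 'warn' or 'locked' for one request."""
        if user in self.locked:
            return "locked"         # a locked account gets nothing, even allowed sites
        # Normalise case and a trailing dot so "WWW.Google.com." matches the table.
        category = HOST_CATEGORY.get(host.lower().rstrip("."), "uncategorized")
        allowed = GROUP_ALLOWED.get(group, set())   # unknown group: default deny
        if category in allowed and category not in BLOCKED_FOR_ALL:
            return "allow"
        self.warnings[user] = self.warnings.get(user, 0) + 1
        if self.warnings[user] > self.warning_limit:
            self.locked.add(user)   # hand off to disciplinary follow-up
            return "locked"
        return "warn"

def replay(requests, policy=None):
    """Run (user, group, host) tuples through one policy; return the verdicts."""
    policy = policy or AccessPolicy()
    return [policy.check(u, g, h) for u, g, h in requests]

# Constructed request log for one CSR and one developer.
SAMPLE = [("alice", "csr", "WWW.Google.com."), ("alice", "csr", "docs.example.org"),
          ("alice", "csr", "games.example.com"), ("alice", "csr", "mail.example.com"),
          ("alice", "csr", "unknown.example"), ("alice", "csr", "www.google.com"),
          ("bob", "developer", "docs.example.org"), ("bob", "developer", "games.example.com")]
```

Uncategorized hosts and unknown groups fall through to a warning, so the scheme fails closed rather than open.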