IT is perceived in mixed ways by users. Some look on the amazing stuff it does and think there must be witchcraft going on in there somewhere. Others think that because they configured their Wi-Fi printer and Sky box at home, they're a genius of computing.
If you're to preserve order, security and governance in the use of your technology, then you need to instil in all your users a handful of simple concepts that everyone from beginner to alleged genius can comprehend.
You may think these are all really basic and obvious, and that I'm getting paid money for old rope to list them here … but I'll bet well under half of you reading this will find your organisation conforms properly to more than half a dozen.
1. Never, ever tell anyone your password
If you let someone know and use your credentials, they can break or steal something and leave your fingerprints all over the crime scene. Drill into users that they should never disclose their password – not even to the Service Desk when they're trying to diagnose something. As the IT person it's your job to give the Service Desk the right facilities to do their job without needing such access.
2. Never, ever use someone else's password
If you use someone else's login, the chances are they may have access to something you don't. You really don't want to become party to information that you shouldn't know – it will inevitably bite you later. As with the previous note on password disclosure, you should put this point over firmly, but with a clear note that they're doing themselves a favour and covering their backsides by complying.
3. You're responsible for your equipment
If you issue company-owned portable kit – which usually means laptops and phones – make them sign for it and ensure that what they've signed makes clear that they have personal responsibility to take reasonable care of it. Of course, if any loss or damage incurred is reasonable (getting mugged, for instance, or something being nicked from a hotel room safe) then the company should cover the loss. And, in my opinion, if it's humorous enough (a user once reported the loss of his expensive pager to my team as “We think my three-year-old put it either in the bin or down the bog”) then that's fair game.
But if someone gets their laptop nicked from the back seat of their car when parked in central London, they're stupid and the agreement should oblige them to stump up the cost.
4. Think when you're sending information
Before you send any email outside the company, think for a second before hitting “send”. If it has attachments, count to 10 before you do so. Are you sending anything that might be confidential or sensitive? Why are you sending it? Are you sure it's within your authority to send it? Is the recipient authorised to receive it? All users should err on the side of hitting “cancel” and consulting their manager or the company's legal officer if there's any doubt.
5. Challenge people
If your company uses ID badges and card-swipe doors, encourage staff to challenge anyone who's not displaying their badge – even if they know them. You can never be 100 per cent sure that someone is meant to be there.
6. Put security before politeness
Everyone I've ever worked with who's responsible for premises or security has bemoaned how hard it is to get people not to “tailgate” – that is to let the person in front swipe their entry card then follow them in without doing so yourself. And anyway, we're all taught that holding doors open for people is good manners. It's a security nightmare, though.
For instance, I was once sitting at my desk when I spotted someone whose Windows account I'd disabled a few hours earlier at HR's request because he'd left at short notice. I questioned his presence, and it turned out he'd come back to pick up something he'd forgotten and someone had held the door open for him on their way in. Happily he was a good guy and the separation had been amicable but that's not usually the case. So be strict about tailgating. And it's actually really easy to get the message across – check out item 10 for how to do it.
7. Report suspicious things
Get your users to report stuff that they think suspicious – either hazardous or with the potential for a breach of confidentiality or process. Give them a way to do so identifiably but with guaranteed confidentiality (never anonymously – you can't follow up). Users are your eyes and ears on the ground – put it across to them that by reporting infringements they're helping the firm.
8. We don't do exceptions
Anyone who has gone through some kind of accreditation for process-based activity (ISO9001, for example) will know that the point of a process is that it's a standard way to do things that ensures uniformity. This doesn't mean that every department has to do things the same way: of course, sometimes you have instances where one or another department has a special system that requires some variation to the standard process.
In such cases you simple encompass the differences in an appendix or a separate sub-process. (My preferred approach is to have a company-wide process or policy that applies to everyone and then detail department-specific stuff separately). What isn't acceptable, though, is for self-important individuals to decide the processes and policies don't apply to them and do their own thing – the common situation being that they're desperate to get a lucrative deal over the line. In a company that doesn't have accreditations, it's bloody annoying and rude. In a company with accreditations, this kind of behaviour has the tendency to cause the ISO adjudicator to take away the certification.
9. Security's the second most important thing
If you drill security and compliance into people, some may be tempted to take it to extremes and over-apply it. If it sounds daft, I've seen it. Make it clear that security comes second to safety: if my secure data vault's on fire and I'm inside, I really want you to break down the door and help me out.
10. Make it enforcible and enforce it
All of the above must be part of what all users sign up to conform to as part of their contract with the company – whether as employees, temps, contractors or part of some other third-party agreement. It's not a big deal – it should be part of the standard employee handbook, after all – and it's hard to think of a reasonable argument why people shouldn't be obliged to work with the company to keep things private.
Be reasonable and fair when enforcing the rules. I'm a great believer that an honest mistake is an opportunity to learn, and I don't beat people for honest mistakes; I help them understand why they shouldn't have done it that way. But if someone does something grossly negligent, get HR involved.
You'll be amazed, when someone gets punted for emailing proprietary information to the competition, how everyone else is suddenly a whole lot more conscious of how they conduct themselves. ®