Well, another Cyber-Monday has come and gone. According to initial reports, it was a good day for retailers and for customers with lots of deals available. I hope that you were successful with your holiday shopping and more importantly, that you were safe with your online shopping.
For those of you who are still shopping, a few quick security reminders.
- Be very suspicious of any “convenient” link in an email or instant message. Those links can be spoofed in a phishing attack which looks like legitimate advertising.
- Look for the https prefix in the address bar.
- If the deal sounds too good to be true, it probably is. If you’re suspicious, take your business somewhere else.
- Make sure your own computer protections (anti-virus, firewall, patches) are up-to-date.
- Always use a credit card, never a debit card. And check your statement carefully for charges you don’t recognize.
The more interesting question, though, may be whether your online shopping was “legal”. It’s called Cyber-Monday because so many people wait until they’re back at work and can use their company’s high-speed connections for their shopping. Are you allowed to do that under your company’s Acceptable Use policy? If you are in charge of setting the policy, should it be allowed?
Dan Lohrmann (of GovSpace fame) wrote an article for CSOonline titled “Cyber Monday & Redefining Acceptable Use – Again” in which he recaps the history – and confusion – of acceptable use policies. In these days of social networking (Facebook, Twitter, LinkedIn, wikis, etc.), it seems so much more complicated. Should we allow it? Should we block it? Is it all-or-nothing or should we try to decide by categories? If we treat all employees the same, how do we accommodate the departments (say, Marketing) with special needs? What are we paying employees for anyway?
Lohrmann rightly says that this is a management problem that goes “back to the basic boss/employee accountability questions” and offers some hope that once Management decides on the right policies, the latest generation of tools can help to enforce them.
I’ll go further and say that despite all the hype, this is not a new problem. Because it’s not a new problem, using tools to cover it over is a placebo. The problem is employee (and supervisor) behavior. You need to know whether your people are getting the work done that you expect and pay them to do. And if not, you need to know that your supervisors are finding it and taking corrective action. If the work is getting done even on Cyber-Monday, why do you care if they spend their spare time at Amazon?
Note: I categorically reject the definitions of “expected work” that are based on hours. In my experience, employees have an intuitive levelset for how much work they should be doing given the pay, perks and culture (and offset by the animosity created by bad managers). Attempts to increase productivity by ‘taking away distractions’ just cause employees to find other distractions. They always have and they always will. The joke about the two-hour rule long pre-dates the Internet.
More than that, I believe that they understand and levelset productivity in terms of business results. No matter how you pay me, if I’m only making one widget an hour, I’m not meeting expectations. On the other hand, if I’m cranking out 150, you have no right to care that I can do it while spending half my day at the water cooler because if you try to push me for 300 I’m going to slack back to the 20 or so that my co-workers average.
To be blunt, if you lock down the computer, you are not going to get that productivity back.
The next question then is why your supervisors aren’t fixing the poor performers. It could be that they don’t understand the expectations. Specifically, you haven’t made them ready to be good supervisors. Or maybe they’re just lazy or, worse, too conflict-averse. Anyone can be a supervisor but not everyone can be a good supervisor. The point, though (and my apologies for the long-winded way around to it), is that technology is not a replacement for good supervision. You need to know what your people are doing. You need to know that work is getting done and done properly. Acceptable use policies intended to affect “productivity” are the lazy way out and using them will get you the lazy-man’s result.
That’s not to say that Acceptable Use policies don’t have a place. Acceptable Use policies should put clear boundaries around how the employee’s behavior can affect the company’s reputation (which is why restrictions on gambling and hate sites are defensible) or how they can affect other employees (the hostile workplace implications of sexually explicit sites) or even how they affect corporate resources like bandwidth (which is why we blocked internet video for the longest time – not because Howard Stern needed censoring but because we’re at the end of the pipe and streaming media usage led to a measurable degradation of business traffic). But Acceptable Use policies must be based on a direct adverse impact to the company. And it must be a clear enough connection that good employees self-censor rather than try to get around the blocks.
Acceptable Use, especially the “productivity” aspect of Acceptable Use, is more than just a management tactics question – it’s a management philosophy question. It’s a question about trust. The answer affects the whole tone and culture of your company.