
Facebook/YouTube/Myspace access during office hours


chriscboy

Programmer
Apr 23, 2002
GB
Hi,

The head of our dept has asked me whether we should allow our employees to have access to Facebook/YouTube/Myspace so that they can find out information about our customers / prospective customers.

I personally think this is a bad idea as I believe these apps are productivity killers and should only be used outside of work.

Do you have any policies/suggestions regarding the above? I would be interested to hear your thoughts!
 
Realize that your employees often put in long hours, and often have to end up working from, or taking work home. In that case they often have to use personal PC, ISP resources for work, so it is not that big a deal to expect a little turn around at work.

That's not always the case. In many professional jobs this is true, but there are also a lot of positions where it isn't possible for employees to work from home.

For example, I used to work at a hospital. The people who usually ended up working from home were the IT department, executive team, department managers, and people in the finance department.

People who couldn't work from home because their job required resources that couldn't be provided remotely were receptionists, patient registration department, patient accounting/billing, and the entire clinical staff (which amounts to about 90% of the staff). I suspect that there are other companies where they have call centers, data processing centers, etc, where working from home is not an option.

Don't get me wrong, I agree that in many cases it's reasonable to assume that if you're expected to occasionally work from home that you might sometimes do personal business at work. But that's a far cry from assuming that because you sometimes use personal resources for work that you should be allowed to do whatever you want with work resources to compensate for it.

The IT department does have a responsibility to secure and maintain their environment. The company does have a responsibility to maintain a professional, harassment-free work environment. To meet both requirements, they can and should limit access to inappropriate or dangerous sites. You can still use the company computer to check your bank balance, pay online bills, book your vacation, etc. You can still use the company phone to check in with the babysitting/daycare facility, call and make personal appointments, etc.

Get real, and stop your whining, do your jobs, and deal with it.

The reality of it is that you're not legally entitled to do anything with work resources that your employer has forbidden you from doing. The reality is that you're at work to do YOUR job, not fart around on the Internet. Most reasonable people will understand if you take care of some personal business at work, but that doesn't give you free rein to do whatever you want. Finally, by restricting access to certain sites, we ARE doing our jobs. You may not like it, but it's not YOUR job to dictate to the IT department what THEIR jobs are.
 
The people who usually ended up working from home were the IT department, executive team, department managers, and people in the finance department.

People who couldn't work from home because their job required resources that couldn't be provided remotely were receptionists, patient registration department, patient accounting/billing, and the entire clinical staff (which amounts to about 90% of the staff).
Which demonstrates that a "one size fits all" policy is rubbish. Developers often need greater permissions and access that isn't generally available to the rest of the workforce. IT regularly grants itself permissions that others don't have; it shouldn't be that difficult for IT to recognize when others have similar needs. To echo your last remark, it's not up to IT to tell me how to dumb-down my job or present impediments to getting the job done.

Deal with the problems rather than assuming everyone is a problem. Stringent policies are usually the result of a gutless management that won't deal with problems, i.e., fire the miscreant who disrupts the workplace.

Most of us don't need a mommy or Big Brother to tell us how to behave anymore. Anyone who does need that doesn't belong in a professional workplace.
 
To echo your last remark, it's not up to IT to tell me how to dumb-down my job or present impediments to getting the job done.

I'm not sure how your job requires access to Myspace or Facebook. I'm not saying that it doesn't, just pointing out that for the overwhelming majority of the workforce it would be unnecessary.

Also, while I appreciate that you understood the comments about maintaining a harassment-free and professional workplace, you clearly missed the part where I mentioned security.

In general, it is the company's responsibility to provide you with the resources to do the job assigned to you. If that requires access to specific web sites, then so be it. But the IT department also has a responsibility to protect the systems and network. And to be honest, the average user has a great deal of trouble telling the difference between a safe web site and a malicious web site. If someone sent your workforce an email that says "click here to see the dancing pig video" then a significant portion of your workforce will do so, and possibly install any "software" or (more likely) malware that comes with it.

Even when I'm surfing the web on my home PC, I regularly get warnings from my antivirus/antimalware software indicating that I am accessing a "dangerous" site. Usually it's because of third-party ads that are being displayed on the site. But if a very savvy and security-minded user like myself is inadvertently hitting dangerous sites while browsing, how much more likely are non security-savvy users to be to hit more and worse sites?

It's absolutely reasonable and expected for a company's IT department to block access to dangerous or potentially dangerous sites.

Developers often need greater permissions and access that isn't generally available to the rest of the workforce. IT regularly grants itself permissions that others don't have; it shouldn't be that difficult for IT to recognize when others have similar needs.

This is irrelevant here. We're not talking about restricting someone's security permissions in a way that impedes their ability to do their job. We're talking about blocking access to web sites that are either dangerous, very clearly not business related, or a potential liability.

That's right, I said liability. I don't know where you live, but here in the states people file lawsuits at the drop of a hat.

Deal with the problems rather than assuming everyone is a problem. Stringent policies are usually the result of a gutless management that won't deal with problems, i.e., fire the miscreant who disrupts the workplace.

I agree that it's not reasonable to assume that everyone is a problem, but it is reasonable to look at everyone as a potential problem. When companies restrict access to certain classes of web sites they aren't doing it because they think that everyone is a problem. They're doing it to protect themselves from "that one person." It could be "that one person" who manages to get their PC infected with malware that multiplies and takes down the network, costing the business time and money.

It could be "that one person" who surfs porn half the day and makes female co-workers feel creeped out. If a company allows a user to create a "hostile work environment", they could be found just as culpable in a sexual harassment suit as the individual doing the harassing. Even if the company manages to clear its name in a lawsuit, it still has to spend money to defend itself.

No, it's far easier and much more sensible to just use reasonable filters. You're already filtering for malware. Most web filters also include additional categories like "porn," "gambling," "terrorism/extremist," "illegal drugs," "hacking/cracking," "social networking," and so on. For most lines of work there's no need to access those sorts of web sites, so why not filter them? At the very least you're saving a little bandwidth/productivity. At most you're saving a lawsuit. I just don't see a downside to it.
 
No one who proposes or enforces the restriction of someone else's liberties ever sees the downside.

Here's the downside for you: users are adopting newer, personal technologies faster than IT departments can get a handle on them. Circumventing the IT department makes it irrelevant. And whatever is irrelevant doesn't last.
 
In a private company, any liberties you may have at home or outside company premises do not apply. Neither does free speech. Constitutional liberties are guaranteed by the government, and enforced against the government. They do not apply to private industry or individuals. (And yes, that's a topic for another thread on another day.)

Most people in IT realize that the ones who worry about security are a step behind those working to get around the security. It's a constant battle, and it's called 'job security'.

Simply interpreted: my network, my rules. If my users really and truly want to spend their day watching youtube videos and working on tweaking their facebook/myspace pages, I'll happily direct them to the HR department where they can turn in their resignations as they won't be able to access the sites after I block them at the firewall. We have more than liberal policies about internet usage, but we'd still like to see people actually working while they're here at the office.
 
Anyone who believes that goofing-off is a product of the Web simply hasn't been around very long. Lock it all up, shut it all down, those with the inclination will still do something other than work.

And anyone who thinks that all "goofing-off" is bad is wrong: those are the activities that break mental blocks and stimulate creativity.

In a private company, any liberties you may have at home or outside company premises do not apply.
Really? Any? It might be a topic for another time and place, but you are quite simply wrong.
 
For those in Europe, article 8 of the human rights act might be slightly relevant
CIPD said:
Article 8 provides that everyone has 'the right to respect for his private and family life, his home and his correspondence'. There is a clear risk that monitoring an employee's private telephone calls or emails in the workplace could be a breach of this right. Similarly, the imposition of unreasonable mandatory dress codes or drug testing at work and the use of CCTV data may be an infringement.
Admittedly this doesn't cover Facebook (and as such is slightly off topic) but it does cover personal emails, telephone calls etc.

Fee

The question should be "Is it worth trying to do?" not "Can it be done?"
 
No one who proposes or enforces the restriction of someone else's liberties ever sees the downside.

Here's the downside for you: users are adopting newer, personal technologies faster than IT departments can get a handle on them. Circumventing the IT department makes it irrelevant. And whatever is irrelevant doesn't last.

I'm not sure how it is that you think that you can make the jump from restricting non-work related sites from users at work to being a violation of liberties. That's a ridiculous jump there.

Regarding the latter, circumventing the IT department doesn't make it irrelevant, it just sets you up for trouble. Technology does tend to advance rather quickly, which is why companies have IT departments to begin with. Someone needs to analyze the new technology, determine how it could affect the business direction, determine whether it can help the business be more effective, and how best to integrate the technology into their existing infrastructure and then support it afterwards. Most end users don't think about those sorts of issues, so they tend to see IT as being "behind the times" or "getting in the way of progress." But what they don't recognize is that improperly implemented technology also has a cost to it, and not just in the form of failure to achieve the intended results.

A good example here is in mobile messaging. Right now the two prevalent standards are Blackberry and Outlook Mobile Access. When the issue of mobile messaging came up at my employer we had to decide which was the best way to go about it. We ended up choosing OMA over Blackberry because we already had all of the resources that we needed. It's fully integrated into Exchange 2003 and Outlook Web Access, so no extra licenses were required and configuration was easy. Also, most carriers in the US sell OMA-capable smartphones/PocketPCs. On the other hand, Blackberry requires a separate server application which usually runs on its own server. Also, the number of carriers providing Blackberry capable devices is more limited.

Of course, after we selected, announced, and implemented OMA there were still people in the organization who went out and bought Blackberry devices, then got angry with us when we wouldn't support them. Mainly they were upset because the sales rep who had sold them the phone told them that it worked with Exchange. Of course, what they didn't tell them was that it required Blackberry Enterprise Server or a client to be installed on the PC that ran all the time with Outlook open that forwards mail over the Internet in order to get it to work with Exchange. Which meant that even if the end users DID circumvent IT by installing the client on their PC, the "road warrior" types with laptops still never got their mail forwarded because their laptops were in their bags.

The problem is, most end users take the same sort of attitude that you do, i.e., IT is screwed up, we'd be better off without them, they don't do anything to add value. But that's because most end users don't have the slightest idea what it is that IT departments do (and of course, there are undoubtedly a few bad IT departments). There have been increasing regulations applied to businesses and government entities regarding data security, especially in the area of protection of private data. When end-users try to circumvent the IT department, they compromise security.

A computer security breach at a company that results in loss of customer data, (names, addresses, SSNs and credit card numbers) could result in a huge PR issue, not to mention fines, fees for credit monitoring for their customers and legal costs. Not to mention the legal penalties that could be imposed for failing to comply with SOX or HIPAA.

And I don't think that anyone reasonable expects that by blocking some sites they will be able to eliminate all "goofing off" at work, or all web-based security risks for that matter. There is no such thing as a 100% effective solution for most needs, but there are some good solutions that greatly mitigate the risks and make it much harder for people to goof off/compromise the network. Mostly it's about raising the bar. If you can deter casual goofers, then the only people who will be goofing off will be people willing to make a concerted effort to circumvent IT policies and systems, and those are definitely the sort that you don't want around. If you can prevent the most common (and simple) malware infection vectors, you can eliminate a huge security risk.

A great example: at that hospital where I worked our helpdesk staff was constantly having to deal with computers that were malfunctioning due to spyware/malware infections. Users had wide-open Internet access and were downloading software (even though that was a violation of the AUP), as well as inadvertently getting systems infected. The Helpdesk techs were each spending 2-3 hours a day to rebuild and redeploy systems that had been compromised, or otherwise cleaning up infected machines. After we implemented web filtering we were able to almost totally eliminate these infections. Afterwards they very rarely had to deal with a spyware infection or rebuilding PCs that were bricked from malware. The total time savings for that department was nearly 40 hours per week. That's one FTE that could be freed up to work on other, more important projects.

Why is it that you keep ignoring the security implications in your responses? Is it because you know that you don't have an argument against it? Because the security issue on its own warrants use of web filtering. You could completely throw out the argument about people goofing off, creating a hostile work environment, etc, and best security practices would still dictate that you filter web access.
 
harebrain said:
Really? Any? It might be a topic for another time and place, but you are quite simply wrong.

This is a topic that typically comes up during election years, because there is always at least one employer somewhere that will ban a party's bumper stickers, not permit speech about specific political candidates, or something along those lines. It also comes up quite a bit in USENET (aka Google Groups to those under 30) as well in moderated forums ("You deleted my post! You're violating my freedom of speech!").

In a public arena, you can generally say anything you want (like a student asking questions of a senator at a major university) (Don't tase me bro!). If an employer does not want someone espousing the pros and cons of Neo-demopublicans, a policy can be created. This isn't a violation of the 1st amendment. If an employer does not want loaded firearms on company property, this is not a violation of the 2nd amendment. Just as the right to privacy isn't covered in the constitution and the Bill of Rights, the right to goof off at work and thumb your nose at your employer aren't covered either, but they are assumed rights.

Basic liberties are different from laws protecting employees from employers and vice versa. We have laws mandating safe workplaces, threat-free workplaces, as well as sexual and racial neutrality.

Overall, it basically is the same thing as an admin saying "my network, my rules." The business owner (or whoever runs it) can say "my company, my rules," and my grandad can say "get off my lawn you durned kids!".

I hope I didn't rub anyone the wrong way, and I certainly didn't mean to start a flame war. I just wanted to explain my POV as far as basic liberties of an individual versus the basic liberties of a business owner. I'm just not sure if I accomplished that, or if I went overboard with my explanation. My apologies if I did/didn't!

And I still don't see the need for youtube, myspace, and facebook at work during working hours. Finding other ways to goof off should be a department. :)
 
kmcferrin said:
Why is it that you keep ignoring the security implications in your responses? Is it because you know that you don't have an argument against it?
Not ignored in the least: you quoted it and still missed it.

When users circumvent IT by using personal technologies, you've lost the game. Company data exists in managed servers on external services (gmail, Blackberry, etc.) and the company has NO way to protect or defend that data from malicious use or legal attacks. Google gets subpoenaed to produce your company's data? Will Google defend you? What standing do your company's lawyers have? And do you know that the French government has prohibited its employees from using Blackberries, and why?

And speaking of a "ridiculous jump:"
The problem is, most end users take the same sort of attitude that you do, i.e., IT is screwed up, we'd be better off without them, they don't do anything to add value.
Read carefully and don't put words in my mouth. This is not my attitude, I've simply reported what is happening. But I do know that ham-handed management and sloppily implemented policies create problems for users and customers. Did I say that IT is bad? No. But it has to get better and get over the notion that IT is in control. It isn't. Adopt a service mentality, rather than the common, adversarial mentality.

My last two employers had vastly different styles with respect to IT: one was relaxed, the other was knee-jerk, lock-it-all-down stiff. Yet the former was more secure, and the latter made it difficult to do your work. You do the math.
 
If it is not porn, and is a major company's site, low risk, it should be allowed. If not, don't call me on my personal cell phone, expect me to access email from home, or the web from home, plug a lappy into my home power, or use any personal device for company business including charging the company cell phone in my power port in my car. After all, my network, my rules, including my cellular network, and power distribution network in my home or car.

 
Harebrain:

When users circumvent IT by using personal technologies, you've lost the game. Company data exists in managed servers on external services (gmail, Blackberry, etc.) and the company has NO way to protect or defend that data from malicious use or legal attacks.

I think that this is a completely different issue than blocking access to non-work related sites. If you lock down the work environment to secure data, that's one thing. But it's not the same thing as not providing employees with the tools to do their jobs, which is what you seem to be saying is what will cause users to circumvent IT. It's also not the same thing as not keeping up with technology, which seems to be the other thing that you claim will cause users to circumvent IT. Not that you don't have a valid point there, but I don't see a connection to blocking Myspace and Facebook from work systems.

aarenot:

If it is not porn, and is a major company's site, low risk, it should be allowed.

That depends on what you mean by "major company". Most of the online casinos are major corporations. Ebay is rarely work related, but it's a major company. Same with Myspace, Youtube, and Facebook. For that matter, World of Warcraft and other MMOG sites are owned by major companies, but I'd prefer that my employees work most of the time. Don't get me wrong, as I've said it's beneficial in most cases for employers to look the other way when it comes to a certain amount of personal business done on company resources, but that's still not a blank check.

If not, don't call me on my personal cell phone, expect me to access email from home, or the web from home, plug a lappy into my home power, or use any personal device for company business including charging the company cell phone in my power port in my car. After all, my network, my rules, including my cellular network, and power distribution network in my home or car.

You can take that attitude, but I think that most professionals understand that there's a certain amount of flexibility involved in their professions, especially IT. People who are unwilling to be flexible when needed undoubtedly find it more difficult to attain gainful employment. It's easy to be militant about something online, but when push comes to shove and it comes down to keeping their job, most people opt to be flexible.

Don't forget that in many cases being able to work from home is a benefit to you. If you don't want us to call you on your personal cell phone, we'll issue you one and you'll have to carry two phones. If you don't want to use the company laptop on your home power or ISP, that's fine. But if a server has issues in the middle of the night you will be expected to drive into the office and fix it rather than connecting via VPN.

So it does work both ways.
 
kmcferrin said:
It's also not the same thing as not keeping up with technology, which seems to be the other thing that you claim will cause users to circumvent IT.
If you got that from anything I've written, you're reading way too much into it. As I've admonished before, don't put words in my mouth. This is obviously a hot-button issue, and people are bringing a lot of baggage with them. (I admit it: so am I.)
 
So basically this ends up being the OP's, and individual administrators', decision as to whether Facebook, YouTube, and MySpace are allowed or blocked.

Hopefully chriscboy is still with us and has been able to make the best decision for his specific company and will be able to decide the merits of the arguments of liberties, conduct, and whether or not goofing off should be an acceptable form of work.


Cheers!
 
Hopefully chriscboy is still with us and has been able to make the best decision for his specific company and will be able to decide the merits of the arguments of liberties, conduct, and whether or not goofing off should be an acceptable form of work.
Arrgh! And whether the future of IT at YOUR organization includes YOU and IT as YOU know it.

(Note to self: get 2x4, whack mules.)
 
We were forced to look at this after a staff member at a friend's business started a Sexual Harassment action because of videos another staff member was downloading and playing... the matter did get resolved without too much pain, but it made us look at the risks.

There is also the issue of someone from your network posting something that might be illegal, questionable or even something that is a corporate secret.

As well, the increased threat of malware from some of these sites creates an additional risk and increased work for you.

We now block all "social" Web 2.0 sites and IM products (and web sites that allow you to IM without the product) ... we can then grant access to any user who has a specific and legitimate requirement.

As an additional benefit, it's surprised us how much bandwidth was being used on these videos, etc that is now available for work.

Not one of the staff has expressed a problem with this as we explained the reasons to them once the decision had been made

I believe in the principle of BOFH

Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
 
All blocked here forever and any new sites that will come online in the future I intend to block with no exceptions.

 
Interestingly, I read recently that quite a few businesses are having to allow Facebook, etc in order to attract/keep staff (especially the younger ones).

This is further shown as being relevant by virtue of RIM adding a free Facebook applet for Blackberry smartphones which are primarily business devices.

Many younger people now prefer WEB2.0 and IM over email or SMS for communicating and this is likely to be a continuing trend

Times change and those in IT need to really work to make the access secure... both from incoming attacks and users posting internal information in social.

Not sure how long IT can dictate these decisions once LOB managers decide to either use them for business or offer them as a benefit.

From a security perspective, burying our heads in the sand means we won't be prepared when (not if) these become standard practice for business users.

Even this site has WEB 2.0 facets in that the content is produced by we users... there is a risk that even here a user could post something they shouldn't or spend too much time reading threads with marginal relevance.

Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
 
KMC,
I think you turned my message around somewhat. There are policies, and they are able to be made flexible for people who have to sit round at night waiting in an empty office in the server room.
My statement also had all inclusive conditions which included low risk as one item in a list, and you singled out "major company" forgetting "low risk" as one of the qualifiers.

Oh, and let us be real. Working from home is a benefit to the employer after hours because it allows the company to not have 24/7/365 on site staff to handle issues that would otherwise stop business. Without remote access the IT department would have to fund on site staffing, security, and supervision. Otherwise, if the employee would have to be contacted, go home to pick up any needed items, then commute to the office (1.5 hours drive?), maybe three hours to arrive at the office they would just have to add some staff in IT on the clock in shifts 24/7/365 at least in an IT control center role. So do not give the BS of saying it is a benefit to the employee to be allowed the honor of working from home at 3 AM. In that situation a laptop with wireless ISP from a cell company at the company's expense is not out of line in any way. It is flexible enough to even bring the stupid lappy with you to Christmas dinner at grandma's dude.

If you are trying to sell being allowed the honor to remote access from home at 3 AM is something I should be grateful for, NO SALE! It is a staff reduction tool, not a convenience for me, and without it the now laid off overnight IT guy would just have to handle it.

 
On the note of remote tele-commuters, I remember when ACT! 2.0 for DOS first allowed sync nearly 20 years ago, one of the early clients (AT&T) purchased about 100 licenses and laptops for a number of sales teams and closed those offices. The reps worked entirely on the road... apparently, they save a fortune in rent and it was a significant success.

The tools to do this have improved greatly since then... they can do essentially the same with a Blackberry (instead of a notebook) - but you still need to report on the work done and ensure the users are still doing the same work.

Obviously, with IT staff, the late night shift can provide nearly the same performance unless the internet goes down.

How this would work for others depends on the type of work, the responsibility of the users and the corporate culture.

Regards,
Mike Lazarus
ACT! Evangelist
GL Computing, Aust
 