IT Policy is Not a Daycare
I’ve encountered a lot of bad IT policies over the years, and they all seem to have one common cause: bad management. And I’m not talking about a BOFH here, although there are those too. I mean upper/middle management or owner decisions to use IT policy as employee daycare. The IT policy is not a substitute for the actual management of employees.
Limiting employee access
Whether it’s the Internet, data, or systems, limiting access is often seen as a way to keep employees “in line.” Blocking the Internet is not going to prevent employees from taking breaks or goofing off. It’s not possible to solve poor work ethic and problem-employees by blocking Facebook – these issues must be handled at the human level, and better handled early. Failure to do so is simply lazy management. Implementing Internet blocks to keep people from goofing off is passive-aggressive.
Of course, it’s a good idea to block phishing sites, virus-infected sites, and sites that might be unsafe for work. Even so, if you think you’re getting better work out of your employees because you block Farmville, you live in a make-believe world without smartphones, e-books, analog books, magazines, cigarettes, e-cigarettes, the lunch room, the bathroom, decks of cards, naps, rubber band balls, gossip, or any of a thousand other ways someone can find to waste time, sans-internet.
Granted, limiting access to data and systems is a necessity, depending on the data. HR records, strategy plans, and proprietary company information must be protected. But when it comes to general data and applications, preventing a subset of employees from having access to the tools and information to perform their responsibilities effectively is shortsighted. Interns forced to use webmail and share a copy of Microsoft Office 2003 Student and Teacher edition because management isn’t willing to spring for the subscription to Office 365 is a great way to sow resentment.
Excessive hand-holding
When bad IT policies aren’t helping lazy managers avoid conflict they can be found holding employees’ hands, making sure they don’t poke their eyes out with a sharp password. Printer policies that force black and white only printing; password policies that don’t allow users to change their passwords from those assigned to them by management; email policies that delay all sent mail for a few minutes, you know, just in case; firewalls that log all web browsing activity; blind cc-ing all employees outgoing emails to their managers.
Not only do these policies insult the employees, but some are also downright draconian. If you don’t trust any of your employees you may want to consider seeking professional help. If you’re a manager and you spend most of your day tracking your employees’ activities you should take some time to read up on the negative impact of micromanagement. If you work in an environment like this, get out – sooner or later you’ll be the target of paranoid delusions.
Ultimately bad IT policies stem from bad management practices. Reviewing the IT policies of an organization is a great way to learn how the organization’s managers manage and treat employees. A final warning however: be weary of an organization that has no policies or practices – what does it say about a management team that has no thought about their corporate IT? How much thought do you think they give to developing their other crucial resources?