November 13, 2012
How does IT communicate policies to users? “Ball bearings,”I saw one IT Director say on Spiceworks. “Good-sized ones with raised text of the policies on them. Then take a slingshot, and…” okay so maybe whacking users in the face with policies isn’t the most peaceful solution, but they’ve got to get the message somehow, right? It’s a difficult task that IT departments have been dealing with for years, so what is the secret to communicating with end-users? As it turns out, there really isn’t one. In fact, IT knows more about what not to dorather than what to do. That being said, there are certainly some strategies your company should be using to spread the word about policies. Here’s a look at three of them:
1. Get Support From Human Resources
Seth Morgan, an IT Systems Analyst, says his company uses the HR department to its fullest, making sure they have all users sign-off on IT policies. But it goes beyond forcing users to sign on the dotted line—HR needs to have a solid comprehension of the policies. “Human Resources, like IT and Accounting is one of the most trusted organizations within any company,” Morgan said. “So making sure that they understand the policies they are forcing employees to sign is a must.”
2. Communicate the Reason for the Policies
Using HR to understand and spread the message is important, but if no one knows whyit’s important, you’ll have a hard time getting users to adhere to the policy. “Many times users don’t follow policies because they don’t see the point,” Network Administrator Christopher Vetter said. “If they understand why taking a few extra steps will dramatically increase security, they are much more likely to adhere to that policy.”
One IT Manager at a Healthcare company found a rather creative way to demonstrate the importance of IT policies. “Just for fun I turned off the spam filter for a night and people were horrified at the amount of spam they received,” he said. “I quickly sent out an email stating that the spam filter was malfunctioning and it should be fixed now. I also mentioned in that email that approximately 98% of spam that comes into the company is blocked and the amount they received overnight would be a regular thing if we didn’t have a very finely tuned spam filter.” Since then, not one person has complained about something that “magically makes it to their inbox.” Do we advocate torturing your users with spam to get a message across? Probably not, but you should come up with unique methods to show how important your department’s policies are to an organization.
3. Enforce Them
This may sound obvious, but many organizations have a difficult time enforcing their policies. “The kicker is enforcement—if you do not follow up with violations of the policy, then end-users will not respect it,” Morgan said. Enforcement not only includes notifying those who ignore them, but also finding the holes in your system and fixing them. Vetter says his company uses first offenses as a way to improve their system and policies. “When you notice a user that is not following best-practices or is in breach of network policy, ask them why they are doing what they did,” Vetter said. “For instance, if a user is using a thumb drive to transfer files between office computers or is sharing a folder on their desktop, perhaps the network storage is too complicated for them. Ask them why they are using the thumb drive and what you can change to encourage them to use the systems that you have in place.”
How does your organization communicate policies? Do you think IT needs to improve in this area? Let us know in the comments section.
Posted By: James Sweeney