Over the years I have consulted for many companies, from really small to really large. I have managed organizations of five users, and of fifty thousand. I realized a long time ago – and have never been shy in saying – that while the two are very different, Enterprise policies can be adapted to the SMB (Small & Midsized Business), whereas the opposite is hardly ever true.
I was reminded of this recently when a friend of mine who manages a small company lamented to me that he couldn’t get his users to lock their computers when they leave their desks. This is certainly a subject that I am familiar with, and have seen it happen many times in businesses large and small.
In large companies it is easy to decree, and more often than not an IT Manager will get corporate buy-in. The truth is, it is impossible to know who in a large company may be on their way out, or looking for ways to embezzle, or a hundred other scenarios that would cause people to see an unlocked workstation as a prize.
But what about in a smaller company? Say, a company with ten employees who are all family, friends, or at least very friendly. The type of organization where everyone knows everyone’s business not because of gossip, but because everyone shares? The type of organization where everyone trusts everyone and for good reason. Should the policy be any different in this type of company?
Let’s face it: unless you are an IT service provider, chances are that most of the people in the company will not understand IT; they will simply use their computers for their needs, and assume that their computer comes on because that’s the way it is. They do not understand IT… and they frankly do not need to understand IT, as long as their computer keeps coming on.
So in a large organization with written Policy & Procedure statements for proper computer usage, it is easy to mandate how users may use their computers. If they are curious about a policy that does not make sense to them then they are free to ask IT about it, but at the end of the day they are not allowed to simply ignore the policies that they do not like, understand, or agree with.
In a smaller organization things can be trickier. For one, there is seldom a written document outlining how people can use their systems, and when there is one, it is usually harder to take any real action against someone, unless the IT department has complete executive buy-in… and how often do you think that is?
When I was at Microsoft there was a written rule that anyone leaving their computer unattended for any period of time must lock it. There was another written rule that we were forbidden from touching anyone else’s workstation for any reason. There was, of course, a third rule that nobody was allowed to enter the office who did not belong there. Okay, we should be covered. On the odd occasion when someone did leave their workstation unlocked, the worst that might happen is that someone on the team would send out an e-mail from that person’s computer that they (the person who had left their unlocked workstation unattended) were buying beers for the team. More often than not, it wasn’t even that.
There used to be a website called www.unlockedworkstation.com. It was a common tool used by IT tricksters to remind people who had made the mistake once to not make it again. I was quite fond of that particular trick… but the page disappeared at some point, and what can you do?
All of these tricks that people play may be cute and funny… but what are the real ramifications of leaving a workstation unlocked? Lost or stolen or otherwise compromised data, people reading compartmentalized documents that they should not be able to, not to mention what they could do if you have passwords saved for your accounting or HR or any websites including banking. It can be costly or disastrous.
Are any of these likely or possible in a smaller, family-type company? Probably not. However there are best practices in IT, and applying the Enterprise best practices of large corporations to a smaller organization is generally a good idea… especially when people take their laptops out of the closed and safe confines of their locked office. If they are not used to locking their workstation every time they stand up from their desk, are they sure to remember to do so when they stand up to go to the restroom in a cafe? What about when they are at a client meeting, or trade show? When an action is drilled into you, eventually it becomes a habit that you will do the same every time, whether in private or in public.
I have known a lot of IT Pros throughout my career, and most of them are not megalomaniacal power-hungry fiends who impose rules just to show that they have authority. The policies that they set are not meant to prevent users from working, they are meant to protect the company, and to enable the worker to work safely.
So should a seemingly useless policy like forcing end-users to lock their computers be enforced in small businesses? The answer is yes… just like they should have to change their password every 30-60 days, they should have to have a screen saver, and they should not be allowed to leave corporate secrets on the table at Starbucks. It’s just common sense.
Now getting them to comply… that’s a different fight!
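One way to take the "screen saver and lock" part of that fight out of the users' hands, as an added example that is not part of the original post: on a Windows workstation the password-protected screen saver and the machine inactivity limit are both ordinary policy registry values, so a small shop without a domain can audit and set them with a short PowerShell script run as administrator. The ten-minute timeout is my own assumption; the registry paths and value names are the ones the corresponding Group Policy settings write.

```powershell
# Added example (not from the post): audit and enforce screen-lock settings on a
# single Windows 10/11 workstation. Assumes an elevated PowerShell session, since
# the HKLM value cannot be written otherwise.

$TimeoutSeconds = 600   # assumption: lock after 10 minutes of inactivity

# Per-user values written by the Group Policy "Screen saver" settings
$UserPolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
# Machine-wide "Interactive logon: Machine inactivity limit" security setting
$MachinePolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-LockPolicyState {
    # Show what is (and is not) enforced before anything is changed.
    $user    = Get-ItemProperty -Path $UserPolicyPath    -ErrorAction SilentlyContinue
    $machine = Get-ItemProperty -Path $MachinePolicyPath -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        ScreenSaveActive      = $user.ScreenSaveActive
        ScreenSaverIsSecure   = $user.ScreenSaverIsSecure
        ScreenSaveTimeOut     = $user.ScreenSaveTimeOut
        InactivityTimeoutSecs = $machine.InactivityTimeoutSecs
    }
}

function Set-LockPolicy {
    param([int]$Seconds = $TimeoutSeconds)

    foreach ($path in @($UserPolicyPath, $MachinePolicyPath)) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    }

    # Screen saver on, password required on resume, engages after $Seconds.
    # These policy values are stored as REG_SZ strings.
    Set-ItemProperty -Path $UserPolicyPath -Name ScreenSaveActive    -Value '1'        -Type String
    Set-ItemProperty -Path $UserPolicyPath -Name ScreenSaverIsSecure -Value '1'        -Type String
    Set-ItemProperty -Path $UserPolicyPath -Name ScreenSaveTimeOut   -Value "$Seconds" -Type String

    # The machine inactivity limit locks the session even if a user manages to
    # remove the screen saver, so the two settings back each other up.
    Set-ItemProperty -Path $MachinePolicyPath -Name InactivityTimeoutSecs -Value $Seconds -Type DWord
}

Write-Host 'Before:'; Get-LockPolicyState | Format-List
Set-LockPolicy
Write-Host 'After:';  Get-LockPolicyState | Format-List
```

Because these are Policies keys rather than the user's own Control Panel settings, the Screen Saver dialog shows them greyed out, which is exactly the point: the habit still has to be taught, but the fallback no longer depends on anyone remembering.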