The Southern Alberta Institute of Technology (SAIT) in Calgary makes it clear to students every time they turn on their PCs that certain computer activities are unwelcome. Judging from a survey conducted on behalf of a Canadian anti-piracy organization, many corporations could learn something about computer management from this school.
SAIT pushes a note to students when they boot up their PCs, telling them what is and is not allowed on SAIT-owned computers.
“It…identifies probably three or four policies that we have, both academic and administrative, that deal with the issue of acceptable use, what kinds of sites they should or shouldn’t go to,” said Peter Kehler, SAIT’s director, information systems. “It also identifies our ISP’s acceptable use policy, because we’re bound by that as well.”
SAIT is up front about its computer use policy. According to the Canadian Alliance Against Software Theft (CAAST), many companies are not so forthright. In a Decima Research Inc. survey conducted for the anti-piracy group, 42 per cent of respondents said their companies never outlined corporate policies regarding software downloads, installations and using unlicensed apps on workplace PCs.
CAAST also said 37 per cent saw nothing wrong with installing software on their office computers without checking with the IT department first. Twenty six per cent said it was easier to ignore IT and simply forge forth with the installation themselves.
All of the above suggests to Allan Steel, a CAAST director, that corporations are not communicating clearly — if at all — their computer-use policies to employees.
“Many companies do not sit down and go through with employees, as part of the standard hiring practice, how they can use computers and what the company policies are,” he said.
How can companies ensure that employees know the corporate acceptable use policy for PCs? Simon Tang had some suggestions. He’s senior manager, security services at Deloitte, a business consulting firm.
Tang said companies should start with clear policies that describe what’s not allowed, what could happen to workers if they don’t comply, and how the company monitors for rule-breakers.
“If the employee knows the policy…and knows the company is watching, right from the get go the employee isn’t trying to test the policy,” he said.
Tang said companies could use network management tools like IBM Corp.’s Tivoli products, Hewlett-Packard Co.’s OpenView and Microsoft Corp.’s System Management Server to search company hard drives for unauthorized material. He also said companies could set PCs running Microsoft operating systems to disallow software installations without the IT manager’s say-so.
But technology alone is not the best way to fight unauthorized computer use, Tang said. He noted that it seems for every tech-based solution there is a workaround that the enterprising employee could use to circumvent protective measures. For instance, a company could use network-monitoring tools to watch for and forbid “.mp3” files — music files — on the network. But there are other tools online that turn mp3s into “.zip” files, so they scoot under the monitor’s radar.
Companies should consider education and communication alongside technology to curb unauthorized computer use. “As close to a silver bullet would be the three things working together — employee awareness, having the policy in place and having technical mechanisms.” Tang said.
At SAIT, the message that students see about acceptable use when they boot up their computers works hand in hand with the post-secondary institution’s academic and administrative arms. Kehler said it’s up to faculty and staff to decide the consequences when a student misuses SAIT-owned devices.
It’s not an IT issue, Kehler said. “I enable people with technology. That enables them to do good things and bad things.”
Students know the score early in their career at SAIT. The computer-use policy, the consequences, “that’s outlined during their orientation,” Kehler said.
Steel from CAAST said it’s important for companies to get a handle on employee computer use, starting with communication. “Safe computing practices are becoming more and more important. We keep building protections against spyware and viruses, but one of the best bets is prevention — knowing what you put on your PCs and knowing what it’s being used for.”
On its Web site (www.caast.org) CAAST offers guidelines, best practices, and sample policies for businesses to use, Steel said. The organization also has free auditing tools that let companies search their own IT infrastructure for unlicensed software. Steel said none of that information would make its way back to CAAST via the auditing tools. CAAST is known for seeking out enterprises that use unlicensed software, and having those companies fined.