Consulting Journal: Techniques

This article is reprinted from The Consulting Journal
http://www.consultingjournal.com

Techniques: Preventing misuse

by David Blakey

Company resources can be misused by employees without malicious intent.

[Monday 18 October 2004]

Recently, the Ohio Department of Job and Family Services fired a computer programmer because he had been running Search for Extraterrestrial Intelligence (SETI) software on the department's systems. The programmer claimed that this was not a problem as he only ran the programme overnight and at weekends.

This incident should cause consultants to think about how employees use clients' systems. It may also make the heads of consulting practices think about how their own employees use their own systems.

We usually consider two elements. First, unauthorized use of systems by employees is misuse of their employers' resources. Second, some unauthorized use is unacceptable. When we consider this second element, we usually consider those employees who visit pornographic web sites and those who store pornographic material on their employer's systems. There are other uses that can be considered unacceptable, such as employees using their employers' system for their own consulting work. These uses are unacceptable because they put the employer in the situation of incurring cost without recompense or of incurring risk without control.

Some clients may regard the second feature - that the use is unacceptable - as the major criterion in developing and implementing their policies. I believe that the major criterion is the first feature - that the employer's resources are misused - and I suggest that consultants should concentrate on this when advising their clients.

In many cases of misuse, employees state that they were not doing any harm or that the resources were not being used. To me, these arguments are the same as saying that stealing pencils from the stationery store is acceptable, because the pencils were not being used. The pencils - and computers and storage and connection time - have been paid for by the company and are meant for the company's use.

Another reason given is that employees were misusing their employer's system in a good cause. There are two arguments against this. First, it is not an employee's right to decide which good causes their employer will support. Second, if an employer does provide resources, then they should also get some credit. It should be possible for the employer to gain something in return.

Many companies, including consultants, would like to seen as supporting their community. In exchange for the use of its resources, a company may be pleased to support some charities and community orgnaizations. But the company, and its PR department, must know about it. Also, of course, there are issues over which organizations to support. Support for a single religious group may be seen as discrimination or favouritism. Support for SETI may be seen as helping science or as encouraging science fiction.

Here are some questions that you might get your clients to consider.

Would you allow an employee to use your systems to run their own business?
Would you allow an employee to use your systems to manage the accounts of their place of worship?
Would you allow an employee to use your systems to run SETI programmes when demand on your systems was low?

The answers may reflect common sense.

No, and I would make it a firing offence.
Perhaps, if I knew about it.
Maybe, after I had asked my other employees if they could nominate alternative charitable uses.

You can see that this employer could write some simple policies for these situations.

Employees must seek permission to use the company's resources for any charitable or religious purpose for a not-for-profit organization of which they are a member.
Employees must seek permission for any other purposes and must be prepared to put a case for this use to their employer and their peers.
No employee shall use the company's resources for purposes that are competitive to the company's business.
No employee shall use the company's resources for illegal purposes. Note that use of the company's resources for any purpose unrelated to your work for the company without permission is theft.
No employee shall use the company's resources for immoral purposes. Note that the company will define immoral purposes. These include:
pornography of any kind,
incitement to racial hatred,
discrimination on the grounds of race, colour, religion, physical appearance or abilities, gender and sexual preferences.

This is not the final version of the policy. It does provide a greater emphasis on the employer preventing all misuse than on an employee deciding what is acceptable use for them. To return to the original example, the employee may have considered it acceptable to use the employer's resources for SETI. Until permission has been sought for such use, it does not matter whether SETI is an acceptable or worthy cause.