Back up your policies with action. Simple communication and trust will not always be enough to handle every situation. "People for whatever reason just can't seem to help themselves," Kirsch says. Luckily, a warning is usually enough to put a rogue employee back on the straight and narrow. The timing and circumstances of that warning can be critical, however. Kirsch suggests using peer pressure. "When a rumor starts that somebody's [using technology inappropriately], you send out a reminder notice of policies or procedures to the whole company or department," he says. "That sends a strong signal."
Sometimes, the situation warrants more serious action. CIOs, in cooperation with a company's legal department and HR staff, should not hesitate to fire employees who consistently break rules and put the company at risk. But jumping the gun can also be dangerous. Employees will sometimes wrongfully accuse each other of misusing technology; a CIO should not recommend termination until he is sure that an employee has committed an offense.
"You have to be cautious to not just look at it in black and white," says Kirsch, whose company has fired employees who abused technology. Simply checking for a user's ID and password in usage logs is not enough to prove guilt, he says. IDs and passwords can leak to other employees. More substantial evidence, such as a confession or observation of abuse by an executive, is preferable when considering termination.
Hafets agrees that, from a legal perspective, companies must enforce policies consistently. Firing an employee might sometimes be necessary, and a CIO who has a hand in that kind of decision needs to make sure that he is willing to let go of anyone else who commits a similar offense. "If the employer has a policy and wants to get the message out to the workforce that it is serious about its policy, termination is a way to do that," he says. "Consistency is going to be important."
Play an active role in developing and enforcing policies. If misuse of technology is causing problems in an organization, the CIO must be on the front lines, monitoring usage and re-minding employees of policies. Act as a member of the executive board, not just as head of the IS department. Both Chavez and Nagarajan say the IS departments at their respective companies determine the policies that govern appropriate use of technology. Kirsch says he wrote his company's policies himself. Other departments come into play in extreme situations such as terminations, but the CIO has the first word on appropriate use of technology.
The issue of employees' personal use of company technology did not begin with the Internet, and it won't end with the influx of file-sharing applications. But actively participating in the evolution of personal-use policies will continue to be a must, since the next kids ready to stir up trouble on the corporate block are lurking around the corner. "You're going to [solve problems], and then you're going to have breathing room, and then you're going to do it again," Srivatsan says. "It's going to be a cyclical process."
This story, "How Personal Is the Personal Computer?" was originally published by CIO.