Archive for September, 2008

Lessons from Yahoogate

They say you can find anything on Google. Turns out it’s especially useful when one is searching for personal data to crack a Yahoo! Web mail password.  

 

In the remote case you missed it: Vice Presidential candidate Sarah Palin’s Yahoo! Webmail was hacked last week, and the contents were posted on Wikileaks.  Wired reported that the hacker easily broke into Palin’s Webmail, hoping to find incriminating evidence that could derail her campaign.

 

We see this happen a lot. While IT installs email and IM archiving software, the workforce moves their personal and sometimes ill-advised communications to what I would call rogue channels. These channels include Webmail, public IM, Skype, and even Facebook. Employees think that management doesn’t monitor or control these tools and it becomes an appealing place for improper or even illegal activity to occur.

 

Michael Osterman explained this well when he wrote about the lessons IT should learn from the Sarah Palin Webmail hack.

 

More examples of infamous rogue channel use in recent times include Senator Mark Foley, whose IM conversations with an intern cost him his job; Jerome Kerviel, the French banker who allegedly cost his company $7B; and Scott Sidell, the former CEO who funneled client lists to himself through Webmail.

 

What are your employees doing through Webmail, personal IM networks and social networking sites?

 

When I ask IT professionals the above question, the majority respond (very confidently) that nothing rogue or unsanctioned is happening on their networks. Common responses include, “We block it with our firewall” or “We have a policy against it.” Then we deploy an evaluation unit and provide a report of actual employee-initiated traffic, and it becomes clear: hope is not a strategy.

 

As customers move to adopt Unified Communications platforms from Microsoft, IBM and others, I believe the same issue will exist – employees will use personal systems and corporate sanctioned systems interchangeably.  IT will have the hard task of managing policies and controls consistently across this heterogeneous environment. 


It’s 10 pm, do you know where your ESI is?

… or even what it is?

 

Back in the old days, TV networks would run public service spots before the nightly news saying: “It’s 10 pm, do you know where your children are?” The fact that the spots ran for twenty years in cities like New York points out that it is easy to lose track of stuff, even important stuff.  Which brings me to ESI–Electronically Stored Information.  Not that it is as important as your kids, but in the discovery phase of a big lawsuit, it might seem that way.  And, like kids, ESI can be surprisingly easy to lose track of.

 

ESI is the catch-all term for the digitally stored files of litigants in a federal case.  During the pre-trial discovery phase of a lawsuit, all ESI is subject to discovery, meaning it all has to be checked for relevant information that the other side has requested to help it prove its case.  Only the relevant files need to be actually given to the opposing party, but all ESI has to be checked to make sure all the relevant files have been located and handed over.  It sounds simple enough, but it is hard if you are not prepared in advance and a lot can go wrong. 

 

When the e-discovery rules changed in late 2006, there was a lot of commotion about it, and a lot was written about the need for companies to have their ESI organized and well maintained in order to be able to respond to the tight discovery timelines set by the new rules. I don’t think that message has really sunk in though.  And now that the rules are no longer “new,” and the commotion has died down, it is easy for companies to lose track of whether they have really prepared to meet the current e-discovery challenges.  Yes, the e-discovery market is growing nicely, but more spending is not assurance that the companies really understand all the risks or even the problems they are trying to solve. 

 

As the resident lawyer at FaceTime, I am occasionally asked to talk about e-discovery issues with customers, or on a panel. Sometimes I can tell that a person I’m speaking with just doesn’t want to have to deal with instant messaging in e-discovery, even when IM is used for business purposes in their company. To them, the most obvious way not to deal with it is to make it go away, or more precisely, to take the position that IM logs are not business records and therefore will not be saved. 

 

No saved IM records, no IM ESI, problem solved. 

 

There are undoubtedly circumstances where this is a sound policy, but what I’ve seen is that such a position is most often taken without enough attention to the reality of how easily IM logs are stored in hard-to-find places, and how difficult it is to effectively enforce a “no IM records” policy when employees use IM for business purposes and may need to refer to those logs the way they refer back to e-mail. The company falls into the trap of mistaking its ESI policy, what the company wants its ESI to be, for the reality of what its ESI actually is – i.e., what is actually saved, either inadvertently or surreptitiously against policy.

 

The resulting danger is that the ESI is there, but the company doesn’t know it exists until too late. My recommendation is usually that if IM is used for business, then it will generate business records that should be maintained and be treated on par with e-mail records for e-discovery purposes.

 

If the IM-savvy, and sometimes IM-dependent, companies that FaceTime deals with are still coming to terms with IM logs in regard to e-discovery, then I have to believe that companies in general have not moved much beyond e-mail archiving, if they have a proactive e-discovery solution at all. To me, that’s like being happy that one of your kids is watching TV with you at 10 pm and forgetting about the one you haven’t seen since yesterday.


And the winner is … Yammer

Take a look at the TechCrunch50 overall winner … Yammer. 

 

The company describes the application as “a tool for making companies and organizations more productive through the exchange of short frequent answers to one simple question: What are you working on?”

 

Yammer is like Twitter with a business plan, and you could perceive the plan as one that ultimately holds companies hostage. Portfolio’s Tech Observer explains:

 

“The service is free to employees, but companies pay to set up corporate accounts that give them the ability to manage their employees, remove users, and set passwords.” 

 

TechCrunch says:

 

“if a company wants to claim its users, and gain administrative control over them, they will have to pay. It’s a brilliant business model.”

 

Not everyone agrees – here’s another view of the story.

 

From my point of view, Yammer is yet another example of employees going right past IT when they see an application they like, or one they feel they need to work more efficiently. Some call it the consumerization of IT. Whatever you want to call it, the wave of applications that employees bring to the workplace shows no signs of slowing.


What does Tom Brady have to do with employee productivity?


At the beginning of the season, Tom Brady was a top fantasy football league (FFL) draft pick. The guy can move his team downfield and put up points for an FFL team. But this all came to an “oh-my-god-you’ve-got-to-be-kidding” stop on Sunday when he went down with a year-ending knee injury in the first regular season game.  

 

Now what?  For millions of FFL managers the season is in jeopardy - not to mention serious bragging rights. Next step? Join the conversation and start thinking about a replacement for your QB position – even if it means doing it during “work hours.”

 

And, this is precisely why you should care – not you the football fan, but you the IT fan. Your employees are in the conversation.  Some are less concerned about their jobs and much more interested in solving their QB problem, and they’re using Web 2.0 tools to do it.

 

As I said a few months back in a post about March Madness, scenarios like this occur in organizations every day. And when employers block or put limits on what their employees can do, does it really solve the problem? For example, being overly aggressive with Web filtering controls can drive employees to install anonymizers designed to circumvent URL filtering. 

 

An estimated 19 million people in North America play fantasy football, according to the Fantasy Sports Trade Association. In the past 48 hours, more than 2500 Twitter messages (or “tweets”) were sent out regarding Tom Brady and his injury. In the same 48-hour period, nearly 800 individual blog posts were made referencing Tom Brady. Facebook has 225 fantasy sports applications available to its subscribers and over 500 groups alone for fantasy sports. There are countless others available on sports sites, Yahoo and other Web properties.

 

A recent study referenced by NBCSports suggested that fantasy football could result in as much as $500 million of lost productivity per week. I think we’d all agree that employees are capable of wasting time in several ways. Talking on the phone to friends and smoke breaks are two that come to mind, so I’m not suggesting that if you lock down fantasy sports you’ve solved your productivity issues.

 

In my opinion, online fantasy sports don’t cost American businesses a dime. In today’s work environment, some amount of personal, online activity is acceptable. However, IT professionals need to maintain visibility so they can make decisions about what should be controlled and to what level it should be controlled. 

 

Is it time for HR to call an audible? After all, it’s not just a network or security issue any more. It’s a business issue and an employee morale issue – and I wonder if HR may have to help re-write the playbook?


Are your employees spending two days a month on Facebook? And is that bad?

On a recent trip to Europe, I met with a variety of organizations that are struggling with issues around the use of social networking on the company network. It’s a topic of conversation that’s become commonplace lately, as IT managers look for the best ways to secure the enterprise network amid the changes of the new Internet.

 

In London, I met with an advertising agency that had done some analysis on the use of social networking, based on its network logs. The agency found that on average across its employee base of about 20,000 worldwide, people were spending two days a month on social networking sites – mainly Facebook. That amounts to about 40,000 days a month.

 

This is where many companies would say “how can we block it?”

 

But the reality is that for many organizations, especially those in media and advertising, Facebook is both a business tool and a consumer social network. So instead, the conversation turned toward how we could help them manage and control Facebook use on the company network.

 

They wanted to discuss how FaceTime could help to facilitate the safe business use of social media tools. They wanted to put controls in place so that employees could use Facebook, but perhaps not have access to all of the applications. And they wanted to make sure that their employees weren’t updating their Facebook status with something catastrophic for their business, like “working on a cool ad design for the new iPod that won’t be out for three months.” By the way, that’s just an example – I wasn’t meeting with Apple’s ad agency.

 

In my travels to speak with company leaders about securing and managing their networks, I’m starting to see a growing number of companies that will openly embrace social media after measuring widespread use on the corporate network. With recent predictions from Forrester about enterprise adoption of social media tools, I suspect that I’ll find myself in many more discussions about facilitating, and fewer about simply blocking access to social media.

 

What do you think? What’s your company’s policy for Facebook use at work?

