


Cyber Monday & Redefining Acceptable Use – Again

Nov 24, 2010 (5 min read)
Careers | Data and Information Security | IT Leadership

Trevor usually spends about six hours each year shopping online for Christmas presents at the office. A few years back he would save the final step, making the actual purchase, for his home PC. But now he feels comfortable enough to pull out his personal credit card and empty his shopping cart while still on his work PC. Yes, Trevor (not his real name) knows he is violating the formal acceptable use policy. Still, he silently justifies his actions by remembering his excellent performance appraisals.

Besides, everyone is doing it…

So here we go again. We’re re-asking the same questions we thought we put to bed years ago. Questions like: Is the acceptable use policy really acceptable? Who can use social networks and smartphones, and for what purpose? Digging deeper, how do employees truly decide what not to do online at work?

In our new world full of social networking sites, personal smartphones, Internet banking, telework and an infinite number of Internet distractions, both managers and staff find themselves redefining acceptable use – again. Despite a decade of training programs outlining cyber threats, employees continue to ignore the risks and push for more Internet freedom.

Meanwhile, the “consumerization of IT” ensures that the gray areas continue to grow larger and more complex. The hottest new technology devices become must-haves for the innovative millennial, even if they pose a risk to business networks or distract employees. Cuts in business and government spending haven’t slowed the trend – more employees than ever are now bringing personally-owned technology to work. Bottom line, the unspoken “acceptable” line keeps moving.

(In case you’re wondering, Michigan Government’s Acceptable Use Policy states that use of the Internet is for business purposes only. And no, my friend “Trevor” is not a state employee.)

Still, there are plenty of simplistic answers to these questions, such as “just enforce the policy 100%,” but that is a bit like saying “just stop speeding on highways” or “eliminate all crime.” Meanwhile, management sometimes looks the other way (in real life) if top performers are delivering results, but cracks down on problem staff. Some private sector executives even employ tactics like relaxing workplace rules when salaries are cut. This reaction can become a slippery slope.

Other workplaces openly allow employees to shop at work in their policies. Nevertheless, there are almost always some actions that are forbidden for security reasons, because they cause productivity loss, or because they could create a hostile work environment. Bottom line, workplace policies will eventually be tested by some employees.

Looking at the way we were…

Back in 1997, when I joined state government, you needed a special waiver from the Department Director to use the Internet. There were no filters and few, if any, firewalls to protect (or stop) employees from accessing content on the world-wide web. Granting access was a business decision that tended to be an all-or-nothing proposition. Over time, everyone was given the connectivity and the filters started getting more sophisticated. Policies were created defining “acceptable” online actions.

Fast-forward more than 13 years, and we’re asking the same questions. However, instead of organizations around the world blocking Internet access, organizations now block social networks and/or specific categories. Some companies are doing fast policy pendulum swings regarding social networks, with many businesses embracing them and others blocking them. The interesting part is that some blockers from a year ago are now advocates of Facebook, and several previous advocates are now blockers. Shopping, sports websites and other portals are often handled in similar ways.

While virtually everyone sees the business benefits of reaching customers online, the dark side regarding productivity for the masses is still the six billion dollar question. Regardless of current policies, it seems as if we are all heading down the same path that we did in the 90s, with Web 2.0 substituting for Web 1.0. (Yes, there’ll probably be a 3.0 in another decade. Perhaps that will be virtual worlds, more video or some other aspect of online life.)

So what are some answers?

A recent article from the Wall Street Journal may offer some hints. The article is entitled: Shunned Profiling Method On the Verge of Comeback. While this article addresses “opting in” as a way to get buy-in from the privacy community on monitoring, remember that there is generally no presumption of privacy on work PCs. These same technologies can help manage the complexities of what’s allowed and what’s not at work – while improving security.

Bottom line, answers require us to go back to the basic boss/employee accountability questions. I think the answer is to build traditional trust, transparency and accountability in the business areas, in the same way we build trust in other areas of office life. Give the supervisor the ability to see who, what, where, and how much their employees are surfing online. This will actually build trust and create the right balance within the ever-changing online world. The answer is more openness in the gray areas, not less.

I know that this sounds like a lot of work. We want to simplify processes and handle everything automatically. But social networking and shopping and “the cloud” can get complicated. How much is too much? Is work being performed or impacted? Are you complying with policies? All these questions require judgment to answer in an “acceptable” way.

Note to vendors: management needs easy-to-read summary reports on employee surfing activities that enable more trust to be built and management discretion to be applied. This might even help during the holiday shopping season.

Back to Trevor, who has just heard about this article from his co-workers: Wal-Mart offering free shipping for online buys. I guess it’s time to check out the Black Friday sales.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.