by C.G. Lynch

Mailbag: CIOs and IT Managers Sound Off About Banning Facebook At Work

Feb 29, 2008 | 12 mins
IT Leadership

When I set out to do a story about CIOs banning social networks, it might have seemed counterintuitive to visit Facebook of all places to find sources. But it proved a good decision when my colleague, Kim Nash, posted the following to our CIO Facebook forum:

One of our reporters, Chris Lynch, is examining how IT departments craft policies regarding the use of consumer social networks (like Facebook). Do you ban them? Do you allow them? We’re finding that both strategies seem to have their advantages and pitfalls from the standpoint of security and productivity. If you’re interested, Chris is under deadline and would love to hear from you. E-mail him at

The responses I received varied in ideas and tone, and snippets made it into my story. But I thought I’d share all the responses we got in an unabridged form:


We have not developed a formal policy position but the discussion within our organization is happening and we do not ban the use of Facebook, although clearly, in the education space there are lots of differences of opinion on the matter. While the focus is social networking there are important links that can be easily developed to support learning and education. Social responsibility and being part of a community are perhaps the most obvious place to start. The application in schools is endless but this is not to diminish the frustrations and concerns that are happening and valid today. It is a new space that teachers and educators need to harness. Of course I can see that this would be very different for businesses, although perhaps that discussion could start/centre on wellness and engagement in the workplace and then develop the creative possibilities from there. Again not straightforward and can see how many organizations just don’t have the time to think about or get into it and so it’s just easier to pull the plug on it.

Dan Turner

Director, Information Management Services, School District #36 (Surrey), British Columbia


This is an interesting topic and has pros and cons. Here is a summary of my perspective on this:


– It can become a recreational time suck for employees draining productivity from an organization

– Employees post personal opinion which can be misconstrued as the public position of the company they work for, or leak other sensitive information inadvertently while collaborating with peers across different companies


– It’s a great way for employees to network and learn what is going on in their field, real time, and get feedback. This is much more effective than the passive trade press or research consumption method.

– It’s a great way to reach customers. Like other forms of traditional media, if it draws a large audience we can’t ignore it as a valuable source of feedback from customers or as a way to communicate with customers, or communities of customers.

– People are going to write about you on social computing sites whether you like it or not. You may as well embrace it and at least participate.

So what to do?

Our strategy is to address this through our employee “appropriate use policy” which covers appropriate use of email, IM, and internet in general; make it clear that employees cannot speak on behalf of the company (unless that is their job) and remind employees of sensitive content.

Banning this kind of technology is like trying to standardize on one PDA device. It’s the safest, most efficient and “IT common sense” thing to do but it’s not realistic. The devices, and social computing sites are here and our employees will bring them into the enterprise. If you ban it then you are really just sticking your head in the sand and losing an opportunity to manage it. If you acknowledge it you can put a policy around it and trust employees to use it appropriately.

My 2 cents. Hope this is useful.


Graeme Thompson


BEA Systems Inc.


Currently, we block access to on our network. I have to admit that I am not too sure sometimes if that is the proper call or not.

Banks tend to be somewhat old fashioned and our executive management doesn’t see the need for employees to access sites such as Facebook. In fact, very few employees even have Facebook accounts in their personal life. Therefore, this is not a huge problem for us. I have an account (obviously) and enjoy using it for personal and business type networking. As I use it more, I find more business uses of the site every time I jump on it. The groups are useful to me as I consistently view the conversations back and forth between users.

From an overall security standpoint, Facebook worries me a bit. From a loss of productivity standpoint, it also worries me. I don’t see Facebook being a productivity enhancer on our network because we are very old fashioned. I have kicked around ideas of implementing wikis for internal knowledge sharing, etc., but have nixed that idea for the same reason… It would not be used by our old fashioned towards technology employees.


Chris Rapp | Asst. VP/Director of Technology

Sovereign Bank


We might as well ban the whole Internet… What’s the point?

We’re a small company of about 75, and so maybe we have the luxury of taking a more personal approach, but I’d much rather trust employees to get their work done while still enjoying the ability to check personal email, use social network applications, or shop on Amazon when they have a few free minutes – versus engaging our IT staff in trying to prevent them from doing so (even if only from the standpoint of written policy, and nothing more).

With that said, employees are all informed by written policy (which they must sign when they start their employment) of the business purpose of the equipment they are given to use – and the lack of any expectation of privacy around personal communication when using that equipment. Of course, there are still some “checks and balances,” and no one from IT would undertake the examination of anyone’s email or hard-drive without a request from a manager or executive of the company. I know of only a single case where a manager here specifically requested that we remove the IM client from the machine of one employee who was spending too much time chatting with friends outside of the workplace during the day. Otherwise, I think we’ve been fine working on trust…

Finally, as we continue to evolve our business and product offerings, I think it’s really important that we get feedback from our own employees on WHY and HOW “phenomena” like Facebook have such broad interest and mass appeal (even if Facebook fades in a year – and something else takes its place). A fair number of the management team here are over 40. I have a hundred or so professional contacts on Linked-In, but my nieces and nephews in High School and College probably have 8-10 times as many friends on Facebook. Wow – what’s going on there? If we just ban such things to our younger employees, how could we ever hope to understand it from their point of view – and what it might mean to those people destined to become our customers soon.

Best Regards,

Howie Spielman

Chief Technology Officer

Ecast, Inc.


I find that as a smaller company you generally don’t have policies in place. However, as a business grows into more of a corporate standing, one needs to have policies and procedures in place to protect not only the company interests but also the end user. People in the marketing area might be allowed full access to social networking websites for marketing related purposes. Other companies such as data aggregators in fields that don’t involve social groups should probably not be spending their working time socialising as this cuts into the time spent aggregating data but, this is not to say that people should not socialise. I think the fundamental issue is that Facebook allows you to socialise with far MORE people than what has traditionally been available and subsequently this can lead to more socialising and less work.

To address the question ‘Should you ban Facebook at work,’ one needs to implement an Acceptable Use Policy (AUP) that indicates what is and is not considered acceptable use of the systems i.e. is it acceptable to access social/video/audio or flash game websites during office hours? Keep in mind that in some environments where bandwidth is not shaped/controlled, 20 people streaming video and audio or loading Facebook apps can have an effect on the rest of the company’s Internet speed. If it is found that the AUP is not being followed one can apply automated Access Control Lists (ACLs) at the firewall level which can go so far as to regulate access to specified websites between certain times either at a user or global level, for example one can program a firewall to automatically apply access rules that grants access to Facebook only during lunch times.

In short, I don’t think Facebook needs to be banned out-right but there is a level of control that should be in place.

I hope this sheds some insight into your research.




We do not currently ban Facebook at work. And, it has not been discussed. However, being a member-based organization, we do recommend members not post anything they would not want to be seen by the public. For example, pictures of them intoxicated, etc.

Jay Hall, Manager of Information Services

Missouri NEA


We, at Savers, Inc., block access to Facebook, along with MySpace. However, we allow access to LinkedIn and Plaxo. The theory being that LinkedIn and Plaxo offer distinct business benefits, without most of the social-networking site risks in the workplace, while Facebook and MySpace do not.

Steve Wales

Manager, Enterprise Systems

Savers, Inc.


We have limited by time the use of Facebook and other social networking sites. Users can use these sites for 60 minutes per day. We use Websense that allows for this. 6 times, 10 minutes slots.

This way we allow the usage but control the people that spend all day in Facebook. However Facebook is the 4th most accessed site in my organization.


Nuno Borges

Director of Infrastructure

De La Rue


Bans are generally counterproductive.

We use Websense to “guide” users on our network as far as Internet activity. Social networking sites are limited but not prohibited and this policy seems to strike a fair balance between the need to keep users happy and the need to keep senior officers of the company happy.

Good luck with your article.

Trevor L Snyder

Senior IT Administrator, EMJ Corp.


We’ve actually embraced Facebook as a development platform at BIDMC

See my blog entry at

John D. Halamka MD

CIO, Harvard Medical School and Beth Israel Deaconess


I am in IT and visit Facebook once a week or so, so I am far from the abuser that some might think employees might be doing. I personally think that social networking sites are here to stay and more and more people are using them to keep up with friends, family, colleagues and such. Now in certain parts of the organization it may make sense to block the site altogether, but for the professional, I feel it can be very beneficial.


Erik Watson

IT Business Systems Analyst/Project Manager, Wayport


Just got into the Facebook forum and saw your post.

Why would a CIO join it and what would they get from it? Great question, I wonder as well. I use Facebook mainly for friends first, and some business aspects a far second.

Perhaps the problem is Linkedin is not “user friendly” there are no chat rooms or forums to share with others. I prefer Linkedin to connect to people.

Plaxo is getting to that level but still not ready.

I can see where as a company branded site it has some interest and perhaps if I was scouting for new recruits, but if I was a CIO in a major corporation I would be far removed from this sort of thing. And I would think legal would also want me away from it. Too many items in Facebook can cause embarrassments or present challenges to PR if the CIO was part of them. It is just not a secure or private place, in fact it is exactly the opposite.

But I’ll try anything and see if this works better than the website.

Facebook = SecondLife to me, a marketing stunt meant to make older professionals feel “in” but really not much value to be found given the time and effort involved to use them and for what? A better wiki/forum/discussion group?

Maybe for some it is, but really is it going to bring $$$ to us, not as much as Linkedin or our website.

Keith Brooks

CIO/ Vice President

Vanessa Brooks, Inc. an IBM and Lenovo Business Partner


I personally don’t believe in arbitrarily banning any form of communication. Most corporations are starved of information flowing from people who know to people who should also know – so blocking a channel intuitively seems like a bad idea.

Sure, there are risks of time wasted and security leaks. But if your employees are wasting time then they’re not being managed. And the security risk is always there, they can smuggle documents out in purses and backpacks, even if every electronic means is blocked.

Bottom line, treat people responsibly. Only remove privileges if people abuse your trust in them. Then they will understand why. Just blocking things before you’ve given it a chance…how does that make employees feel?

Having said that – full disclosure – we have put a temporary block on both Facebook & MySpace. But we did explain why – there is a problem with the ‘image uploader’ that makes it vulnerable to an exploit by hackers. And as soon as we have a workaround or fix, we’ll restore access. Because we’ve taken an open approach, no-one complained. It’s been 2 weeks now and I’m getting as anxious as anybody that it gets restored soon.

Hope that helps.

Kumud Kalia

Direct Energy

CIO & EVP Customer Operations