Internet Access Policy in the Office (Part 1)

Getting connected is becoming a crucial part in the business field. So naturally, an office must has an internet connection. It is just the way to compete in this information age. For office’s management this could opened a can of worm.

Indonesia Specifically

In Indonesia, access to internet is quite expensive, unreliable and not quite widespread. Not many people has internet access at home, most of them are accessing internet in the office. Talking about ethics, using internet at the office should be limited to office’s purpose. Now considering the fact that not all of the employee had internet access at home, the employee used it not only for business related purpose but also their own personal purpose. True, this is a breach of business ethics but the question is, what kind of internet activities could be considered as ‘business purpose’? This lead to a big question on how to manage internet access policy in the office.

Intrigued by this issue, I started this topic on my favorite Indonesian technology mailing list, teknologia, and not surprisingly, the topic received numerous respond which could be read here (in Indonesian) – the discussion is still going there, feel free to join the mailing list and the discussion.

Based on the discussion there, my own experience and also some informal discussion among some numbers of managers and employees, I decided to write this entry and hope, I will do a small survey and research on this issue soon to create some sort of guideline about ‘the best business practice for office’s internet access policy’.

Main Issue

Separation between ‘personal’ and ‘business’ purpose in the office is not very clear. Of course browsing porn sites and online auction to buy a baby crib are clearly defined as personal purpose but when it comes to access ‘social networking’ website, suddenly the fine line between ‘personal’ and ‘business’ is blurring. For example, accessing Friendster is considered as personal purpose, but if the employee use Friendster to look for contact information of his long lost friend in hope to create a business contact, is that a personal purpose? Another example, accessing Wikipedia to gather information about a particular subject could be defined as business purpose, but again, what if the employee using Wikipedia to read a subject about lawn mower (this article exist in Wikipedia, look for it if you don’t believe me) then is that a business purpose (unless the employee is the office gardener, of course)?

Since the nature of the Internet is not strictly rigid, this main issue created headaches among management. Business is always about profit. Profit gained by maintaining productivity and efficiency. While the meaning of ‘productivity’ is becoming vague in this digital era (compared to the industrial era, when productivity equals the amount of product created per man hour), the term ‘efficiency’ is still has solid meaning and valid.

Type of Policy

There are many variations of office’s internet access policies, but I managed to make three basic patterns. Each pattern usually had some shared variables especially in the detail. The implementation may varies but still follow or combine these three:

  1. No access policy
    The most easiest and widely adopted by management. This is a no-brainer. No access means no complexity of controlling it.

  2. Limited access policy
    The management provided the access but limited it with some restrictions. This is the most adopted policy by management. The restrictions are varied from blocking access to some websites (or some keywords in URL), blocking access to different port other than HTTP and/or SMTP (normally blocking the port to instant messenger services) or limiting the amount of traffic for a certain computer (like 50MB per computer per day).

While this policy is the most adopted policy, this is also the most complex policy to implement. Monitoring which website should be blocked will definitely costly and some smart employee might be able to use port tunnelling to bypass port restriction. Limiting the amount of traffic will also need to be monitored since it is possible that the current limitation is actually prevent the legitimate big business data to pass through (especially with the auto refreshing data and [AJAX](http://en.wikipedia.org/wiki/Ajax-%28programming%29 "AJAX definition @ Wikipedia") nature of many of current sophisticated websites).

Although this policy probably sounds good on paper for management, the implementation of it usually creates dissatisfaction among employee because usually the point of view of management is not well translated and understood by the employee. The worst case scenario is the management does not really understand the need of their own employee. For example, it is faster to just open instant messenger and _buzz_ a fellow programmer to ask him/her to send the latest development code than open an email client, type the request, send it and wait for the reply. In my own personal experience at my campus, it was hysterical that I could not access any website with “games” in the URL when I was teaching “Game Design and Programming” course.
  1. Free access policy
This is the dream of most employee but the nightmare for most management. Many managements are reluctant to adopt this policy but there are also some management viewed this policy as &#8216;the service&#8217; for their valuable employee. This policy is vulnerable to abuse and also presenting high risk especially if most employee are not technology savvy. Normally, most <acronym title="Information Technology">IT</acronym> company are implementing this policy, although there are some anomalies, since most of their employee are understand well enough about security issue.

But this policy could also mean the management doesn&#8217;t have the knowledge about how to handle the Internet access. This case is the worst case since this kind of implementation will create chaos.

Many companies implemented the combination of these three basic patterns and usually each department inside the company had different policy. At certain level this was a good decision but only if the management understand the need of each department really well. Was I suggesting that there are some managements who do not understand the need of their own departments? Yes, I was, unfortunately most of time.

So what will be the best practice then? For that I will have to write about management and employee issue first and that will be on my next entry: Internet Access Policy in the Office (Part 2): Management and Employee Issue.