How employees get around IT policies and restrictions

The policies that IT departments put in place are there to protect corporate data, but workers often go around those blocks to get work done.

Thanks to mobile devices, cloud services, mobile apps and MiFi hotspots, end users can get around even the most...

stringent IT policies. But how do they do it?

To understand the answer to that question, it's important to take a look at the restrictions a typical company might place on employees and contractors. That way, you can take the appropriate steps to limit the loss of control over data.

Most companies have a mixture of personal and corporate-owned devices, which means there's a mixture of IT policies that apply to each. Many businesses also have some kind of enterprise mobility management (EMM) tool to enforce those policies and monitor devices, data and apps. Some businesses even have bring-your-own-device or security policies that outline usage rules for employees who use their personal devices for work.

Common rules that an IT department may lay out include:

  • only allowing employees to connect devices with a certain mobile operating system to the corporate network
  • not permitting workers to use jailbroken or rooted phones
  • prohibiting users from changing the SIM cards in their phones and tablets
  • banning specific tools and services, such as cloud vendors and MiFi hotspots
  • enforcing certain levels of encryption that let EMM tools hook into users' devices

Despite all those IT policies and restrictions, employees want to use personal devices for work because it allows them to be more productive. Agreeing to these IT-enforced policies usually gives workers the ability to access company email, use remote desktop tools or virtualization to access their files and use company-approved apps.

How and why do employees circumvent IT policies?

Admins often give users who violate policies the benefit of the doubt because employees don't always break the rules for malicious or vindictive reasons. Rather, workers may not even know that certain actions break a company policy. That being said, thousands of breaches occur daily, and they can cost companies millions of dollars.

Breaches can occur when employees store company information in third-party cloud services or when they use a blacklisted app, jailbroken phone or other device that does not meet the company guidelines. Employees who violate policies usually do so to be more productive. For example, many companies require workers to "remote-in" to access files from a mobile device. An employee may find it easier to store those files in a personal Dropbox account and then access them from anywhere, even though that action may violate a corporate policy.

Additionally, restrictions on device model and OS version can cause strife for employees who may buy a personal device based on price. If the device they choose falls below the standards that the IT department set, that employee only has a few options: get no work done, upgrade his phone to gain access to the tools he needs, or go around IT blocks.

What should IT admins do?

Today's users are smart, and they will do what they need to so they can get work done, but there are steps you can take to combat employees circumventing IT policies.

Create policies based on employees. Interview users to learn how they work, find out which devices and apps they like and then form policies around that research. When the guidelines for devices, services and applications mirror the way people really work, they won't need to go around restrictions. For example, whitelist a note-taking app that you are comfortable with supporting, rather than blacklisting all note-taking apps. You'll only have to manage one app, and employees can still get work done.

Educate users. You might find that some employees are still new to smartphones and tablets. Education is key for these employees, and it doesn't hurt to refresh the memories of seasoned mobile device users. Make sure workers know how to get the most out their devices, teach them about the risks of exposing company data and explain why your company's policies are in place.

Focus on data, not devices. Although you may need to create specific device guidelines so you can continue to use your EMM tools on all the devices that access your network, it's more important to keep data safe. Operating systems change and update frequently, and it can be difficult to keep up.

Dig Deeper on Enterprise mobility strategy and policy