Policies fight festive hangovers

As the festive season fast approaches I'm looking forward to my break from the daily grind, not too much turkey, hopefully a bit more alcohol, and lots of presents.

But before I reach that stage, I'm expecting the usual festive story ideas to arrive. These tend to involve a technology, IT trend or problem that could be enhanced or exacerbated in the build up to Christmas.

One such notion from past years is your friendly festive email greeting, with a virus attached free of charge. These infected messages rely on recipients' naivety to spread them across the internet. But I challenge any email user to resist opening their delightful all-dancing, all-singing Frosty the Snowman screensaver.

With all the warnings about infected messages comes advice for organisations to step up their antivirus measures. A key part of this protection will involve educating staff about the dangers, as well as establishing policies for email use that spell out the potential risks of opening attachments or web links in messages or of forwarding unsolicited messages.

But the importance of user education and policies is not restricted to antivirus measures. The launch of any new technology tends to be swiftly followed by warnings about the dangers if firms fail to develop a usage policy before deployment.

The experts say policy development should begin with a lengthy discussion and consultation period involving the key stakeholders - perhaps including IT, HR, and finance staff, board members, end-users and so on. Once this group has agreed how the technology should be used, it devises a suitably hefty and authoritative document detailing good practices and forbidden activities. This document should then be distributed in some format to all employees.

But how realistic is this? The rollout of technology often encounters pitfalls. Running over-budget or over-time; having to adapt the project for a change in business strategy halfway through; or losing a key supplier or team member are all things that a project team may face during the project lifecycle. I imagine at the end of this process, many firms would simply want to congratulate themselves on getting the project finished - rather than worry about the legal or security risks the new stuff could bring.

But fortunately, most firms seem to understand the value of getting some form of policy in place. And those that take the time to devise a thorough policy will likely want their staff to understand the guidance. Training sessions, corporate intranets and policy management solutions - which require users to agree to abide by the rules and any amendments before they are allowed to use particular applications - can all be used to educate staff.

If firms do not follow up the policy creation stage by educating their staff about good practices, they could miss out on many benefits.

The existence of a policy signed by employees may cover companies from a legal standpoint in many situations, but staff who are properly trained are likely to reduce management headaches - by doing some of the work of the often overburdened IT department. Perhaps by reducing the amount of spam or the risk of viruses, for example.