
What Everyone Should Know Before They Access Your Network

Written by Kendall Miller on September 12, 2008 – 1:52 am

When a new hire starts with your company, what are you doing to set them up with technology to work with your organization?  You probably focus on making sure you set up their account, clean up a computer for them, and possibly set up a corporate cell phone or Blackberry.  You might also do some quick training with them so they can log in to their computer, get email, and access the Internet.  This is all pretty obvious and fits within normal tickets your IT organization handles every day.

Now step back for a minute and look at it from the employee’s perspective.  When someone needs access to IT resources within your company, there are really three interests you have:

  1. Access: People need equipment, software, accounts, and access to IT support.  This is the basic blocking and tackling that you are handling now.
  2. Effective: The tools you provide need to deliver on the business needs the user has.  Whatever’s in the way of that – defective equipment, user training, or suitability to task – needs to be addressed.  The best computer with the right software in the hands of a user that doesn’t know how to use them is worthless.
  3. Security: Access to your network means access to all of the data and work products within it.  You need people to understand how you approach security, what they are and aren’t allowed to do, and how you’re going to work with them to maintain security.

Setting the Stage

Employees often develop a personal and possessive feeling about the equipment provided to them by a company.  They think of it as their computer, just like they have a computer at home.  This creates a range of problems for your organization by extension:  If it’s their computer then when there’s a problem they’ll want their computer fixed, not a different computer that’s suitable.   They’ll come to regard problems personally, not objectively.

Instead, you want users to look at the equipment they’re provided to do their jobs as just that – tools that enable them to be more effective.  Stepping back into the big picture, a computer isn’t any different than a wrench or a filing cabinet.  It isn’t their computer or phone, it’s the company’s – designed to make them effective at producing whatever the company needs.   When your user community gets this, they’ll self-censor their support requirements:  Watching a DVD movie on the company laptop won’t feel support-worthy.

The best time to establish this is to set the right expectations up front:  Have this conversation before the user gets their network account.  The goal is to make sure they understand that:

  • You’re committed to their success.  You’re passionate about making sure they’re effective.  You have a support system designed to make sure that their issues get resolved quickly, and you have provisions for support off hours and when they’re on the road.  If they aren’t sure if you can or should help with an item, you want them to engage you anyway – You’ll let them know.
  • The technology is there to make them effective at their job. Your job (IT) is to make sure that they are as effective as possible at that.
  • They are responsible for their effectiveness. If they need something – training, repair, whatever – it’s their responsibility to get it, and they can get it.
  • They are responsible for their user account. Anything anyone does with that account is their responsibility.   That means if someone figures out their password, or they leave their computer unlocked, or otherwise treat their user account with less than the respect it deserves then they are going to be held responsible by the company for that.

Support Your Local Sheriff!

It’s painful to hear on Monday that a user was trying to get something important done and couldn’t due to a simple issue you could have resolved.  Perhaps they knew they could have contacted you for support – but didn’t for whatever reason.  What users will remember is that they had a problem, and it kept them from getting things done.  All of the work you do to support users – special on call staff, phone numbers, email contact, whatever – didn’t work because they never got called upon.

To address this, you want to address as many of the human factors that keep people from calling on support as you can.

  1. Make sure you’re always available: The cost of setting up a toll-free number for users to contact support is trivial.  If you don’t already have an on-call rotation, set one up and make sure there’s someone to answer that toll-free number at all times.  The same person can answer an email address designed for support.
  2. Make sure they know all the ways: In the past, we’ve published business cards with the 800# for support and email address, and we put these cards everywhere:  In laptop bags, in a card holder at the front desk, anywhere that we could think of so that there’d be one around when a user needed to know how to contact support.
  3. Talk to users about it: Be cheery.  Make sure they know that you personally are driven to make sure they’re successful, and you look at it as an honor to help them out after hours.  They need to really get that you want that phone call, because you need to conquer the very human desire not to bother or inconvenience other people.

We really recommend making up a business card that has all of the key information a user needs – the contact information for support, company fax number and main phone number, remote dial in for voice mail, common URLs for external access to email and other services, pretty much anything they need to know on the road.  I’m sure you have it all committed to memory, but if you’re an employee that doesn’t travel every day you probably don’t.  Little steps like this can dramatically affect the general user population’s opinion about IT.

Security Begins at Home

You want to make sure that each user gets how seriously your organization takes security.   People often don’t treat their user account with the same respect they’d treat a physical key or card.  Most users wouldn’t give a stranger the keys to their office or building but would give their password out over the phone to someone who claimed they need it.

People worry a lot about security threats from the Internet, but most break-ins – overwhelmingly – happen from inside.  Most of these are done either through social engineering (where the intruder convinces someone to give them access) or by a disgruntled employee.

To address these common threats, you need to address the key social aspects of security.  In addition to normal sensible security practices,  we recommend establishing a few policies:

  1. IT Personnel NEVER ask for passwords: Make it clear to your IT Support organization and every user that no one in IT will ever ask them for their user ID or password.  Therefore, if anyone calls a user asking for that information, the user knows one thing – the caller isn’t authorized to have it.  If a user gives their password to IT, or IT hears that they gave it to someone else, their password will be reset.
  2. No one will use their account but them: If IT needs to do something logged in as you, they’ll do it in your presence – after all, you are still accountable for what happens with your account.

The second one may cause some heartburn with your desktop support staff – they’re probably used to solving a range of user problems by accessing the computer as the user, and anything that’ll get in the way of that is a problem.  While it may cause some inconvenience – you aren’t going to be able to do work that requires logging in as the user if they aren’t around – the message this sends to your users about how serious you are about security is essential.  You need to be cleaner about the rules than they are.

What about Non-Employees?

What should you do with contractors or others that need access to your network, even temporarily?  If they are getting a user account, they should go through the same procedure.  You have the same goals:  You want them to be effective and not compromise your environment.

Finally, Ditch the Input Devices

Most computers come with mice and keyboards that are dirt cheap.  If this is what you’re using and you’re recycling a computer, please – get a new mouse and keyboard.  Most computer companies do the same thing when they process returns.  The fact is that keyboards get filthy quickly, and while I may not mind the crumbs from my pop tarts, it certainly isn’t going to create the right impression if I get one that’s full of someone else’s.  You should be able to score new ones for your HP, Dell, or whatever for not more than $40 and really – with what employees cost in salary and other expenses, don’t you want them to know you care?

Have a story about how you support your new users?  Share it in the comments below or drop us a line to tell us about it.



Remote Access for Everyone

Written by Kendall Miller on June 17, 2008 – 7:48 pm

Back in the day, corporate remote access meant modem pools that people dialed into from wherever they were. Even then it was like watching a feature film on your iPod; you got a sense of the action but it was ultimately as much frustrating as useful.

Things change. Over the past eight years broadband in some form has become available in most cities across the nation. This bandwidth has made dedicated remote access a thing of the past. Now you can provide remote access to your employees over your Internet connection. Traditionally, IPSec has been the technology of choice to provide a virtual private networking solution for your employees but over the past two years there’s been a new game in town – SSL VPNs.

If you are using IPSec for your mobile users, you owe it to them and to yourself to check out one of the SSL VPN options at your disposal. We’ve used IPSec VPNs for network-to-network access reliably, but they’ve always been tough to support for mobile users. Offhand, there isn’t any specific reason this should be true, but it is. For mobile users, we seem to consistently run into a few problems:

  • Installation: The success rate for an average user being able to install an IPSec client and get the VPN tunnels to work, even with phone support, was around 15%. Most of the time the user had to bring in the computer or we had to send a tech on site.
  • Compatibility: Different physical network technologies – notably DSL – run into performance problems with IPSec in many configurations, requiring adjustments on the client, routers, or other things that you just can’t expect end users to understand.
  • Portability: IPSec is very easy to block on a network. In fact, it took some time for most network routers to be compatible with IPSec. Now try to get it to work at 8 PM over a wireless network in a hotel in Buffalo.

In contrast, a few years ago at the urging of WatchGuard (our resident firewall vendor) we tried out their SSL VPN product, which was basically a version of the Citrix Access Gateway SSL VPN solution running on a WatchGuard hardware appliance. Out of the box it worked – every time, and even faster than IPSec. We had resisted the option because we preferred standards-based solutions, and this sounded like yet another proprietary security technology. We used a demonstration appliance for a month but the feedback from our users was so strong we purchased a unit after a few weeks. Upon reflection, there really is a good bit of sense to why it works so well:

  • SSL is simple, IPSec is complicated: SSL runs over a single TCP/IP socket and is relatively straightforward, self-configuring, and invisible to intervening appliances.
  • SSL is essential, IPSec is a threat: No one can afford to block SSL on their network without basically admitting to not having a network at all. It’s very expensive to proxy by decrypting and re-encrypting, so few companies do it. On the other hand, many networks view with suspicion the goal of establishing an encrypted connection out of their network, so blocking IPSec may sound like a good idea.

With the SSL VPN solution we had about an 85% end-user self-install rate without support, and a 100% rate of not requiring a tech to go on site. Even better, the reviews from end users were that it was fast to connect, easy to use, and performance was good. Because it was so easy to get set up, many more users started connecting from home in the evenings or in bad weather to get work done. The net cost? While your firewall probably offers an IPSec client for free, you can expect to pay a few thousand for a dedicated SSL VPN appliance and, depending on licensing, $50-$200 per additional concurrent user after the first five or so. For a company with say 100 users that might have at most 20 concurrent users the cost is on the order of $4,000 to $6,000.

Making the Business Case

Jumping from “free” to $6,000 may seem questionable until you look at it from the value standpoint: A service that was expensive to set up and of questionable reliability became cheap to set up and rock solid. In other words, this is the real cost to provide this service. An unreliable solution isn’t a business solution. If it’s more than your business is willing to pay, wait a little while – the cost has come down by half in the last two years, and some vendors (like WatchGuard in their Fireware Pro product) are offering it alongside their free IPSec VPN option.

