Do you know where your broken windows are?

By Laura Haight
Originally published as The Digital Maven column on 7/11/14 in Upstate Business Journal
 

Has your business got a broken window?

The Broken Windows theory was developed by social scientists James Q. Wilson and George L. Kelling in the early ’80s. They drew a line connecting disorder and crime. They used the “broken window” as a symbol of unaccountability. If one window in a building is broken and left unfixed, they argued, it is likely that the rest of the windows will be broken soon, too. In the late ’80s, New York City successfully battled back one of the worst crime waves in its history by basing policies and procedures on this theory.

Technology and digital media best practices are replete with examples of broken windows that occur because we either aren’t watching or we tacitly allow small breakdowns, frequent exceptions and, ultimately, abandonment.

Here are three things you probably think you have covered, but compliance may be flagging:

Backups. Of course, you have them. Everybody has them. You’ve probably even got a binder full of completed checklists. But have you ever really checked those backups? If you use an online backup service, have you ever attempted to restore from the backup? I learned this one the hard way: first, that rote procedures often become so ho-hum that even the most conscientious staffers stop monitoring them thoroughly. And second, that the more experience people have, the more they take for granted that they know how to do their jobs and don’t need the checklists that are designed to be a mental reminder of tasks to be done. Instead, they do their job and then grab the checklist on the way out and check off all the items, whether they did them or not.

Why does this happen? Because I let my guard down. Busy staff trying to complete a lot of tasks often focus on the high-profile things — the things their bosses check. When you stop checking, procedures may fall off. And you’ll never know it until it is an urgent problem and you don’t have the fix you thought you did.

Mobile security. Employees take work home all the time and, if we are honest with ourselves, we know it has always been a problem. Files were lost, laptops left in cars were stolen, sensitive data was exposed on unsecured networks. Still, we allowed it to continue because it seemed very hard to stop. How can we tell a hard-working staffer who is willing to take work home on the weekend that she can’t do it? Left to their own devices, employees remove data from behind costly corporate firewalls and take it home where the environment — and I’m just guessing here — is far less secure. It’s even more complicated when employees use their own equipment, such as smartphones and tablets, to access customer records, spreadsheets and company files remotely.

How can you control this? Mobile Device Management suites enable you to set policies for registered devices, including password security rules, remote lock and wipe, encryption at the device and data levels, and virtual private network (VPN) management. Yes, you have to have some control of the individual’s device, but that is the price they pay for the flexibility they now have.

User management. There are many aspects to user management, but I’m going to talk about what happens when employees leave. You’ve got policies, but how often do you allow them to lapse for long-time employees who leave on good terms or, sadly, get laid off through no fault of their own? Instead of requiring that their accounts be disabled immediately, we give them some extra time to go through their “personal files” and emails (are they even supposed to have these on their work computer?). Maybe we don’t check to see if the individual has access to, or more scary, ownership of any of our social media sites.

Because we don’t want to insult the employee, we may give them a few extra days to come in the office and go through their things.

By making different rules for different situations, we make all our policies suspect. What is the point of a procedure if it doesn’t apply all the time? Eventually, policies that should be SOP become the subject of discussion with each new termination (“how will we handle this person’s leaving?”). Are you absolutely certain that the last person who left your company doesn’t still have an active account, access to your social media or access to your building?

These are some of the broken windows we need to attend to. Develop policies that are functional, repeatable, sustainable and explainable and stick to them. Follow up on them, inspect what you expect and be rigorous in doing it. If we don’t, what starts out as unsightly can easily become dangerously lax.

Do you know where your broken windows are?