Wednesday, November 11, 2009

Final Policy Brief: Organizational Internet Issues

Executive Summary

There are many internet issues that face every business organization. In today’s business environment, an organization cannot be too careful when it comes to its dealings with the internet, because one misstep could cost a company millions of dollars in lost revenue, a security breach, or a copyright infringement lawsuit, just to name a few of the potential consequences. Therefore, it would behoove any organization to address these internet concerns sooner rather than later. In particular, there are four major “categories” of internet concerns which should be considered:

  • Access, the Digital Divide, and Special Populations
  • Copyright
  • Accuracy and Validity of Information
  • Privacy and Security

After careful research and consideration of the hundreds of sub-issues that make up each of these major categories, I have put together this policy brief which details how this organization might best address the major issues it faces in each of these areas. Specifically, there are many issues within each of these areas that could be addressed, but after research and consideration I have identified four major internet issues that need to be addressed immediately. For each issue I have provided an overview of the issue, a rationale detailing why this issue is important to this organization right now, and have evaluated the “top two” potential policy solutions to the problem. Each solution has been evaluated to determine its feasibility, cost, and implementation impact, so you can be assured that the recommendations given here are reasonable, effective, and financially sound. The burden of choosing which of the two solutions ultimately works best is up to the executive board members.

Access, the Digital Divide, & Special Populations

In today’s business environment, having access to digital information entails having BOTH the physical access to digital technologies, i.e. having the hardware (computer equipment and internet connection) and software (computer programs) to navigate the internet, and the skills access to utilize the internet to find digital information (source: Wikipedia, October 2009). According to 2009 reports, nearly 74% of Americans go online, which means that the vast majority of Americans have physical access to digital technology (source: World Internet Usage Statistics News and Population Stats; June 30, 2009). In a 2001 study of internet use at work, it was found that among government workers, 67.2% used a computer on the job and 52.5% used the Internet (source: Computer and Internet Use at Work in 2001; October 23, 2002). Extrapolating that data by the rate at which internet use in America has grown since 2002, we can estimate that approximately 92.1% of government workers today use a computer on the job and approximately 78.3% use the Internet. Thus, it is apparent that government workers have physical access to digital information. But do they have the skills access to find and make use of today's digital learning technologies?

With so many Web 2.0 training options out there today which help achieve learning goals more efficiently and effectively than traditional teaching methods (source: WikiBooks, October 2009), it makes sense that our government clients are turning increasingly towards utilizing these new digital technologies to train their workers and disseminate Best Practices. However, with over 65% of government employees over the age of 45, it is often difficult for workers to gain the skills necessary to access and utilize this digital information. Thus, what could be a potentially huge money- and time-saving training tool for government workers cannot be utilized on a wide scale until workers overcome this skills access barrier.

There are several options for overcoming this issue of digital skills access, the first of which would be to have the government invest in training courses for their employees to learn about Web 2.0 technologies. Studies have shown that increasing internet skills increases internet self-efficacy, which involves such items as confidence learning new skills using the internet, willingness to turn to an online discussion group when help is needed, and using the internet to gather data (source: Internet Self-Efficacy and the Psychology of the Digital Divide, September 2000). With internet skills training across the board, government workers could become more effective, more efficient, and any future policy training could become very simple and cost-effective to design and implement. The downside to doing internet skills training across the board is that it will be an initial investment upfront in the cost of the internet skills training, and a blanket training for all employees might not be the most effective way to address the skills gap that exists disproportionately across ages, races, and socioeconomic status.

The second option for overcoming the issue of digital skills access amongst government employees might be to require all government employees to take an initial Computer Skills Assessment to determine their current level of digital skill, and then to prescribe additional training according to the results of this test. Unlike the first option, this is not a simple blanket training for all employees, but instead would only train those workers who are lacking in certain skills (thus saving both the time and the cost of sending ALL employees to skills training). However, this option might potentially be perceived as unfair, as it may disproportionately single out the older, disabled, disadvantaged, or ethnic minority workers for the training classes (source: The Next Digital Divides, 2001). While these training classes may be essential life-learning skills that these groups may not have the opportunity to receive elsewhere, it could be contentious to address this issue in the workplace.

Copyright

In the consulting world, the issue of copyright ownership is often vaguely defined. If an individual consultant creates a product for a consulting firm, who owns the rights to the work? If a consulting firm does work for a corporate client or the government, who owns the rights to the work? The answers to these questions are found in copyright law (aka “intellectual property” law), a previously esoteric branch of legal expertise which has recently been pushed to the forefront in this new age of internet media sharing. Many sets of copyright guidelines have been produced to try and educate the public about copyright law and how it may apply to them, but sadly most of us remain largely ignorant of these (source: Copyright and the University Community; November 2004). Because the financial ramifications for violating copyright law can be up to $100,000 and the business consequences even higher (lost profits, branding, etc) (source: Copyright Law and Fair Use: Why Ignorance is Not Bliss; April 1998), it would behoove any business, particularly one such as a consulting firm that often deals with producing for-profit products based on the works of others, to write, adopt, and educate their employees about the organization’s copyright policy.

Because we’re dealing with a dual problem (the issue of first writing a copyright policy, and then the issue of training employees on that policy), this brief will focus only on the first of the two issues at hand. When writing a copyright policy, there are several important items to include (source: Drafting a Copyright Ownership Policy; April 2002):

  • Defines the "work-for-hire" standard.
  • Provides a formal mechanism for establishing the extent to which the institution's (the company's) resources were used to create the work.
  • Based on the above, the policy provides a clear definition of who owns the teaching works created, and/or clearly defines any shared ownership arrangement.
  • Provides a clear method of dispute resolution.
  • Provides a clear arrangement of any "shop rights" that will be granted to either the institution (the company) or the faculty (employee).
  • Provides a method of training faculty (employees) on the components of this policy so everyone is "on the same page."

There are several options for how to go about writing such a copyright policy, the first of which would be to allow management to write a copyright policy for the organization, which would function in conjunction with the legal team. The positive aspects of adopting this strategy include the fact that having a legal advisor as a constant gatekeeper and final-say on copyright issues is certainly the safest way to go, and would virtually assure the organization would never be in violation of any copyright law. However, the negative aspects to aligning the company’s policy this way are that it is incredibly time-consuming and costly, and it may not be necessary to always consult a legal source (source: Copyright Law and Fair Use: Why Ignorance is Not Bliss; April 1998).

The second option for how to go about writing a copyright policy would be to engage a group of “concerned” parties (those who might be affected by the policy) and collectively write a policy based on the numerous guidelines that are out there on the web today. The positive aspects to writing the policy this way include a buy-in from the copyright policy stakeholders, the fact that it’s cheaper and less time-consuming not to have to consult a lawyer for each and every copyright question, and the fact that “using [guidelines] as a benchmark is evidence of an "honest belief" that a given use is "fair use"” (source: Copyright Law and Fair Use: Why Ignorance is Not Bliss; April 1998), which in itself assures your employees' adherence to copyright law. The negative aspects to drafting a policy this way include the fact that the guidelines in themselves are nebulous and are, in fact, only “guidelines” that are not admissible or defensible in a court of law. In order to draft the policy as a group, a great suggestion would be to begin with a known and accepted set of standard copyright guidelines, and allow your group to collectively edit them and modify them towards your organization using a wiki. This would assure full participation and buy-in, and would allow you to track changes and get legal input all at the same time.

Accuracy & Validity of Information

With the preponderance of information available on the web today, the question of accuracy and validity of that information is increasingly becoming an issue. Not only is it an issue that individuals have to deal with, as in instances of lawsuits over individual web postings, controlling the information that’s out there about you as an individual, etc., but increasingly this is also an issue that corporations and the government have to deal with when doing research using the web. “The most important thing to remember about information found on a web site is that anyone with a little money, time, and technical know-how can put a site on the Web. The reliability of that information can be open to question. ALWAYS evaluate anything you find on the Web very carefully” (source: Evaluating Web Sites Information Skills Module; 2001).

Back in grade school, anytime a student wrote a report they were required to cite where they got their facts, but the validity of the facts themselves was never questioned because the vast majority of print materials were thoroughly validated before they were ever printed. That was the burden of the publisher, and the user of those facts had simply the duty of attribution. Now, this burden is reversed: with millions of individuals “publishing” content on the internet every minute of every day, it becomes the duty of the user of the facts to check the accuracy and validity of those facts.

So, since the clear burden of responsibility for fact-checking falls on the user of internet information, how will you know if what you find comes from someone who really knows what they're talking about? Thankfully, this is not as hard as it may seem. “In general, you should determine the author, his/her expertise, and the reputation of the individual and the company/association/university/ organization” (source: Evaluating Web Sites Information Skills Module; 2001). As additional guidelines, the following questions from the textbook "Planning Effective Instruction" by Walter Dick and Robert Reiser, are useful to ask yourself when considering the accuracy and validity of internet content:

  • Is the content accurate? Is the information factually stated?
  • Is the content up-to-date? Is the copyright date within the last five years?
  • Is the content comprehensive? Is the content congruent with district/state curriculum guidelines?
  • Are social values treated fairly? Are ethnic groups, males, and females shown in non-stereotyped roles through words and pictures?

Now that we’ve established that there are some pretty standard questions for checking internet content, how should organizations deal with operationalizing this duty? Many organizations have developed standard posting guidelines (source: Evaluating Information on the Internet; 2009), which could be tailored to each professional context. Additionally, there are some pretty standard ways to check the date and the “updates” to the content, such as using Bookmarklets. Within this organization, there are several options to consider when writing a policy for how to ensure the accuracy and validity of information. The first option that could be considered would be to have a Knowledge Manager, who is well trained in information accuracy and validity checking, review all content before it “goes out the door” for public and/or client consumption. The positive aspects of this strategy would be that the company would achieve consistency and reliability in ensuring that all documents are fact-checked and “blessed” before they go out and represent the company at large. The negative aspects of this strategy are that it severely limits the creativity and the capacity of individual producers (ID’s, project managers, etc.) within the organization to design and push forth their own content. It could create an information bottleneck within the organization, which would be detrimental both to project timelines and to budgets.

The second option that could be considered within my organization would be to train each employee about how to ensure accuracy and validity of internet information when using it in research, training, or presentations. This could be accomplished most cost-effectively by designing a training course on how to determine the accuracy and validity of information, such as the Evaluating Web Sites Information Skills Module from Virginia Tech University. The positive aspects of this strategy would be that it would eliminate the information bottleneck of the first option, and would allow individual producers in the organization to evaluate and proceed with their own work. However, on the negative side, this eliminates the consistency and reliability of having one skilled practitioner evaluate everyone’s work, and the company risks something going out under their name that might not be from a completely accurate or valid source.

Privacy & Security

With identity theft, computer hacking, and spy- and spam-ware all at an all-time high (source: The State of Information Assurance Education 2009, October 2009), there has never been a more important time to protect your organization against privacy and security threats. These threats are often perceived to be external threats, such as malicious hackers and spammers, but what most companies don’t realize is that the security threats can be internal, as well.

Let’s first explore external threats to security. Most individuals and companies think that they’re protected because they have purchased some commercial virus software, only to find that most hackers and spammers are far more sophisticated than the average virus protection software. In my company alone, we spend thousands of dollars a year on virus and hacker protections, only to find that just last year we experienced a major external security breach which shut down our website server for days. This had detrimental effects for both us and the client, which creates both a reputation and a financial impact that can have severe and long-term detrimental effects on both current and future business.

Okay, so simply buying commercial protection software won’t protect a company from all external security threats. But, it should at least protect against internal threats, right? Well, not really. Consider this: “Your information security program is only as strong as your weakest link. In the case of many businesses, including financial institutions, that weakest link is your customer or your employee” (source: CyberSecurity Awareness – Rules of the Virtual Road, October 2009). It’s like a homeowner spending thousands of dollars on the most sophisticated home security system, only to have a burglar rob them because they accidentally left the front door open.

So, if the “normal” safeguards clearly won’t suffice, what DOES a company need to do to be considered “protected” against both internal and external privacy and security threats? “To secure a workplace from any potential internet threats or unauthorized use, an organization has to adopt proper internet security policies, utilize best available security tools, and practice strict monitoring measures. With proper planning, technical expertise, and continuous efforts, an organization can restrict most of the threats related to Internet Security” (Tony Lavignino, EDTEC 448 “Surfers” Discussion Board, November 2009).

There are two initial ways to go about accomplishing such internet security. The first would be to implement a standard internet security policy within the organization. This might include items such as:

  • All computers have the latest spamware and virus protection software, updated regularly, if not daily;
  • All computers are encrypted and/or have a firewall installed;
  • All computer operating systems are kept up to date with the latest patches;
  • All computers have their internet browser settings set to erase browsing history and passwords immediately, and not to store cookies;
  • All users are required to change their username/password every 30 days (ensuring you can never use the same combination again) along with web authentication;
  • All users must lock their computer desktop with a passkey when they leave their workstation for any reason;
  • All users are required to secure all personal belongings in a locked cabinet, and will not leave personal identification information (passwords, etc) out on desks.
    (source: EDTEC 448 “Surfers” Discussion Board, November 2009)
    (source: CyberSecurity Awareness – Rules of the Virtual Road, October 2009)

The positive impacts of adopting such a policy would be a uniform office approach to internet security, such that any security breaches would be easily identified and stopped. The negative impacts of adopting such a policy would be that employees would feel that they are in “lockdown” and might not freely innovate with new internet products as needed for company business advancement.

The second way to go about accomplishing internet security in an organization, which should realistically be coupled together with the first, is to implement annual training of employees on internet security issues and the common-sense precautions they need to take. A quick tutorial could be designed to fit the company’s needs, or the company could harness and use one of these great ready-made products (source: Carnegie Mellon University’s National Cyber Security Awareness, October 2009):

  • Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
  • Identity Finder software searches your computer to locate and secure potentially dangerous personal identity data that is stored on your computer in places that you might not be able to find, but hackers will.
  • MERIT Interactive training simulator developed by CERT (which they call MERIT InterActive, or MERITIA) immerses users in a realistic business setting from which they make decisions regarding how to prevent, detect, and respond to insider actions and see the impacts of their decisions in terms of key performance metrics. MERITIA will help managers, information technology, and human resources better understand insider threat risks and the effects of decisions on the promotion or mitigation of that risk.
  • MySecureCyberspace is the network security portal that gives you security solutions for the way you use the Internet. It gives you a customized profile of your security needs, and tells you what to look out for and how to protect yourself.

In many companies that do such trainings, a negative implication is that the employees often complain that the trainings are useless, or that they don’t pay attention anyway. A great way to overcome this is to use case studies of real-life security stories, and allow employees to collaborate to investigate what went wrong and how to fix it. However, the positive impacts of doing such trainings may far outweigh the negative implications, because the trainings are cheap and easy to implement, and they address the number-one security threat to your organization: You.


Final Recommendations

There are many internet issues out there facing organizations today, the largest four of which are: Access, the Digital Divide, & Special Populations; Copyright; Accuracy & Validity of Information; and Privacy & Security. After carefully researching the many issues that each of these categories entails, I have narrowed down the four biggest issues facing this organization, and have provided both rationale and two recommendations for each.

In the area of overcoming the disparity of digital skills access amongst government employees, the first recommendation is to have the government invest in training courses for their employees to learn about Web 2.0 technologies. The second recommendation is to require all government employees to take an initial Computer Skills Assessment to determine their current level of digital skill, and then to prescribe additional training according to the results of this test. Either of these solutions, whether implemented separately or in tandem, would help to promote widespread uniformity in the level of digital skills access amongst government employees, which is necessary to help the government save both time and money in pushing out both training and policy to its workers.

In the area of copyright, it is clear that an agreed-upon copyright policy is necessary to implement immediately to avoid any of the potential negative consequences of violating copyright law. In order to write such a policy, we could either engage the management team and the legal team to simply write a copyright policy for the organization, which everyone would have to follow, or we could engage a group of “concerned” parties (those who might be affected by the policy) and collectively write (perhaps using a wiki) a policy based on the numerous guidelines that are out there on the web today. While each option has clear benefits, the second recommendation would be the best to implement based on the pros and cons discussed.

In the area of accuracy and validity of internet information, it is clear that an agreed-upon information-checking policy is needed in order to avoid any of the potential negative consequences of being caught in the public promulgating invalid information. The two best solutions to this problem would be to have a Knowledge Manager who is well trained in information accuracy and validity checking review all content before it “goes out the door” for public and/or client consumption, or to train each employee about how to ensure accuracy and validity of internet information when using it in research, training, or presentations. The second option is more time-effective and more cost-effective (it could be accomplished very simply using an existing site such as the Evaluating Web Sites Information Skills Module from Virginia Tech University), and is thus recommended most highly out of the two.

In the area of privacy & security, both internal and external, the detriments of not implementing any policy are fairly obvious: loss of valuable information, vulnerability to hackers, loss of clients, loss of revenue, etc. In order to combat these threats, a potential solution would be to implement a standard internet security policy within the organization. This might include standard items such as those detailed above, which are proven methods of combating internal and external internet security threats. Or, the company might choose to implement annual training of employees on internet security issues and the common-sense precautions they need to take. A quick tutorial could be designed to fit the company’s needs, or the company could harness and use one of the listed ready-made products available for free or for a nominal price. Ideally, these two recommendations should be coupled together for the best response to internet privacy and security threats facing the organization.

All of these solutions have been both researched and weighed carefully, and all are actionable solutions to the four largest internet issues facing this organization. Implementing any of these solutions would be immediately beneficial to this organization.

Sunday, November 8, 2009

Policy Brief: Privacy & Security

With identity theft, computer hacking, and spy- and spam-ware all at an all-time high (source: The State of Information Assurance Education 2009, October 2009), there has never been a more important time to protect your organization against privacy and security threats. These threats are often perceived to be external threats, such as malicious hackers and spammers, but what most companies don’t realize is that the security threats can be internal, as well.

Let’s first explore external threats to security. Most individuals and companies think that they’re protected because they have purchased some commercial virus software, only to find that most hackers and spammers are far more sophisticated than the average virus protection software. In my company alone, we spend thousands of dollars a year on virus and hacker protections, only to find that just last year we experienced a major external security breach which shut down our website server for days. This had detrimental effects for both us and the client, which creates both a reputation and a financial impact that can have severe and long-term detrimental effects on both current and future business.

Okay, so simply buying commercial protection software won’t protect a company from all external security threats. But, it should at least protect against internal threats, right? Well, not really. Consider this: “Your information security program is only as strong as your weakest link. In the case of many businesses, including financial institutions, that weakest link is your customer or your employee” (source: CyberSecurity Awareness – Rules of the Virtual Road, October 2009). It’s like a homeowner spending thousands of dollars on the most sophisticated home security system, only to have a burglar rob them because they accidentally left the front door open.

So, if the “normal” safeguards clearly won’t suffice, what DOES a company need to do to be considered “protected” against both internal and external privacy and security threats? “To secure a workplace from any potential internet threats or unauthorized use, an organization has to adopt proper internet security policies, utilize best available security tools, and practice strict monitoring measures. With proper planning, technical expertise, and continuous efforts, an organization can restrict most of the threats related to Internet Security” (Tony Lavignino, EDTEC 448 “Surfers” Discussion Board, November 2009).

There are two initial ways to go about accomplishing such internet security. The first would be to implement a standard internet security policy within the organization. This might include items such as:

  • All computers have the latest spamware and virus protection software, updated regularly, if not daily;
  • All computers are encrypted and/or have a firewall installed;
  • All computer operating systems are kept up to date with the latest patches;
  • All computers have their internet browser settings set to erase browsing history and passwords immediately, and not to store cookies;
  • All users are required to change their username/password every 30 days (ensuring you can never use the same combination again) along with web authentication;
  • All users must lock their computer desktop with a passkey when they leave their workstation for any reason;
  • All users are required to secure all personal belongings in a locked cabinet, and will not leave personal identification information (passwords, etc) out on desks.

(source: EDTEC 448 “Surfers” Discussion Board, November 2009)
(source: CyberSecurity Awareness – Rules of the Virtual Road, October 2009)

The positive impacts of adopting such a policy would be a uniform office approach to internet security, such that any security breaches would be easily identified and stopped. The negative impacts of adopting such a policy would be that employees would feel that they are in “lockdown” and might not freely innovate with new internet products as needed for company business advancement.

The second way to go about accomplishing internet security in an organization, which should realistically be coupled together with the first, is to implement annual training of employees on internet security issues and the common-sense precautions they need to take. A quick tutorial could be designed to fit the company’s needs, or the company could harness and use one of these great ready-made products (source: Carnegie Mellon University’s National Cyber Security Awareness, October 2009):

  • Anti-Phishing Phil is an interactive game that teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites.
  • Identity Finder software searches your computer to locate and secure potentially dangerous personal identity data that is stored on your computer in places that you might not be able to find, but hackers will.
  • MERIT Interactive training simulator developed by CERT (which they call MERIT InterActive, or MERITIA) immerses users in a realistic business setting from which they make decisions regarding how to prevent, detect, and respond to insider actions and see the impacts of their decisions in terms of key performance metrics. MERITIA will help managers, information technology, and human resources better understand insider threat risks and the effects of decisions on the promotion or mitigation of that risk.
  • MySecureCyberspace is the network security portal that gives you security solutions for the way you use the Internet. It gives you a customized profile of your security needs, and tells you what to look out for and how to protect yourself.

In many companies that do such trainings, a negative implication is that the employees often complain that the trainings are useless, or that they don’t pay attention anyway. A great way to overcome this is to use case studies of real-life security stories, and allow employees to collaborate to investigate what went wrong and how to fix it. However, the positive impacts of doing such trainings may far outweigh the negative implications, because the trainings are cheap and easy to implement, and they address the number-one security threat to your organization: You.

Sunday, November 1, 2009

Policy Brief: Accuracy and Validity

With the preponderance of information available on the web today, the question of accuracy and validity of that information is increasingly becoming an issue. Not only is it an issue that individuals have to deal with, as in instances of lawsuits over individual web postings, controlling the information that’s out there about you as an individual, etc., but increasingly this is also an issue that corporations and the government have to deal with when doing research using the web. “The most important thing to remember about information found on a web site is that anyone with a little money, time, and technical know-how can put a site on the Web. The reliability of that information can be open to question. ALWAYS evaluate anything you find on the Web very carefully” (source: Evaluating Web Sites Information Skills Module; 2001).

Back in grade school, anytime a student wrote a report they were required to cite where they got their facts, but the validity of the facts themselves was never questioned because the vast majority of print materials were thoroughly validated before they were ever printed. That was the burden of the publisher, and the user of those facts had simply the duty of attribution. Now, this burden is reversed: with millions of individuals “publishing” content on the internet every minute of every day, it becomes the duty of the user of the facts to check the accuracy and validity of those facts.

So, since the clear burden of responsibility for fact-checking falls on the user of internet information, how will you know if what you find comes from someone who really knows what they're talking about? Thankfully, this is not as hard as it may seem. “In general, you should determine the author, his/her expertise, and the reputation of the individual and the company/association/university/organization” (source: Evaluating Web Sites Information Skills Module; 2001). As additional guidelines, the following questions from the textbook "Planning Effective Instruction" by Walter Dick and Robert Reiser are useful to ask yourself when considering the accuracy and validity of internet content:

  • Is the content accurate? (Is the information factually stated?)
  • Is the content up-to-date? (Is the copyright date within the last five years?)
  • Is the content comprehensive?
  • Is the content congruent with district/state curriculum guidelines?
  • Are social values treated fairly? (Are ethnic groups, males, and females shown in non-stereotyped roles through words and pictures?)

Now that we’ve established that there are some pretty standard questions for checking internet content, how should organizations deal with operationalizing this duty? Many organizations have developed standard posting guidelines (source: Evaluating Information on the Internet; 2009), which could be tailored to each professional context. Additionally, there are some pretty standard ways to check the date and the “updates” to the content, such as using Bookmarklets.

Within my organization, there are several options to consider when writing a policy for how to ensure the accuracy and validity of information. The first option that could be considered would be to have a Knowledge Manager, who is well trained in information accuracy and validity checking, review all content before it “goes out the door” for public and/or client consumption. The positive aspects of this strategy would be that the company would achieve consistency and reliability in ensuring that all documents are fact-checked and “blessed” before they go out and represent the company at large. The negative aspect of this strategy is that it severely limits the creativity and the capacity of individual producers (IDs, project managers, etc.) within the organization to design and push forth their own content. It could create an information bottleneck within the organization, which would be detrimental both to project timelines and to budgets.

The second option that could be considered within my organization would be to train each employee about how to ensure accuracy and validity of internet information when using it in research, training, or presentations. This could be accomplished most cost-effectively by designing a training course on how to determine the accuracy and validity of information, such as the Evaluating Web Sites Information Skills Module from Virginia Tech University. The positive aspects of this strategy would be that it would eliminate the information bottleneck of the first option, and would allow individual producers in the organization to evaluate and proceed with their own work. However, on the negative side, this eliminates the consistency and reliability of having one skilled practitioner evaluate everyone’s work, and the company risks something going out under its name that might not be from a completely accurate or valid source.

Sunday, October 25, 2009

Policy Brief: Copyright

In the consulting world, the issue of copyright ownership is often vaguely defined. If an individual consultant creates a product for a consulting firm, who owns the rights to the work? If a consulting firm does work for a corporate client or the government, who owns the rights to the work? The answers to these questions are found in copyright law (aka “intellectual property” law), a previously esoteric branch of legal expertise which has recently been pushed to the forefront in this new age of internet media sharing. Many sets of copyright guidelines have been produced to try to educate the public about copyright law and how it may apply to them, but sadly most of us remain largely ignorant of these (source: Copyright and the University Community; November 2004). Because the financial ramifications for violating copyright law can be up to $100,000 and the business consequences even higher (lost profits, branding, etc.) (source: Copyright Law and Fair Use: Why Ignorance is Not Bliss; April 1998), it would behoove any business, particularly one such as a consulting firm that often deals with producing for-profit products based on the works of others, to write, adopt, and educate their employees about the organization’s copyright policy.

Because we’re dealing with a dual problem (the issue of first writing a copyright policy, and then the issue of training employees on that policy), this brief will focus only on the first of the two issues at hand. When writing a copyright policy, there are several important items to include (source: Drafting a Copyright Ownership Policy; April 2002):

  • Defines the "work-for-hire" standard.
  • Provides a formal mechanism for establishing the extent to which the institution's (the company's) resources were used to create the work.
  • Based on the above, the policy provides a clear definition of who owns the teaching works created, and/or clearly defines any shared ownership arrangement.
  • Provides a clear method of dispute resolution.
  • Provides a clear arrangement of any "shop rights" that will be granted to either the institution (the company) or the faculty (employee).
  • Provides a method of training faculty (employees) on the components of this policy so everyone is "on the same page."

There are several options for how to go about writing such a copyright policy, the first of which would be to allow management to write a copyright policy for the organization, which would function in conjunction with the legal team. The positive aspects of adopting this strategy include the fact that having a legal advisor as a constant gatekeeper and final say on copyright issues is certainly the safest way to go, and would virtually assure the organization would never be in violation of any copyright law. However, the negative aspects to aligning the company’s policy this way are that it is incredibly time-consuming and costly, and it may not be necessary to always consult a legal source (source: Copyright Law and Fair Use: Why Ignorance is Not Bliss; April 1998).

The second option for how to go about writing a copyright policy would be to engage a group of “concerned” parties (those who might be affected by the policy) and collectively write a policy based on the numerous guidelines that are out there on the web today. The positive aspects to writing the policy this way include a buy-in from the copyright policy stakeholders, the fact that it’s cheaper and less time-consuming not to have to consult a lawyer for each and every copyright question, and the fact that “using [guidelines] as a benchmark is evidence of an "honest belief" that a given use is "fair use"” (source: Copyright Law and Fair Use: Why Ignorance is Not Bliss; April 1998), which in itself assures your employees' adherence to copyright law. The negative aspects to drafting a policy this way include the fact that the guidelines in themselves are nebulous and are, in fact, only “guidelines” that are not admissible or defensible in a court of law.

In order to draft the policy as a group, a great suggestion would be to begin with a known and accepted set of standard copyright guidelines, and allow your group to collectively edit them and modify them towards your organization using a wiki. This would assure full participation and buy-in, and would allow you to track changes and get legal input all at the same time.

Sunday, October 18, 2009

Policy Brief: Access, the Digital Divide, and Special Populations

In today’s business environment, having access to digital information entails having BOTH the physical access to digital technologies, i.e. having the hardware (computer equipment and internet connection) and software (computer programs) to navigate the internet, and the skills access to utilize the internet to find digital information (source: Wikipedia, October 2009). According to 2009 reports, nearly 74% of Americans go online, which means that the vast majority of Americans have physical access to digital technology (source: World Internet Usage Statistics News and Population Stats; June 30, 2009). In a 2001 study of internet use at work, it was found that among government workers, 67.2% used a computer on the job and 52.5% used the Internet (source: Computer and Internet Use at Work in 2001; October 23, 2002). Extrapolating that data by the rate at which internet use in America has grown since 2002, we can estimate that approximately 92.1% of government workers today use a computer on the job and approximately 78.3% use the Internet. Thus, it is apparent that government workers have physical access to digital information. But do they have the skills access to find and make use of today's digital learning technologies?

With so many Web 2.0 training options out there today which help achieve learning goals more efficiently and effectively than traditional teaching methods (source: WikiBooks, October 2009), it makes sense that the government is turning increasingly towards utilizing these new digital technologies to train their workers and disseminate Best Practices. However, with over 65% of government employees over the age of 45, it is often difficult for workers to gain the skills necessary to access and utilize this digital information. Thus, what could be a potentially huge money- and time-saving training tool for government workers cannot be utilized on a wide scale until workers overcome this skills access barrier.

There are several options for overcoming this issue of digital skills access, the first of which would be to have the government invest in training courses for their employees to learn about Web 2.0 technologies. Studies have shown that increasing internet skills increases internet self-efficacy, which involves such items as confidence learning new skills using the internet, willingness to turn to an online discussion group when help is needed, and using the internet to gather data (source: Internet Self-Efficacy and the Psychology of the Digital Divide, September 2000). With internet skills training across the board, government workers could become more effective and more efficient, and any future policy training could become very simple and cost-effective to design and implement. The downside to doing internet skills training across the board is that it requires an initial upfront investment in the cost of the internet skills training, and a blanket training for all employees might not be the most effective way to address the skills gap that exists disproportionately across ages, races, and socioeconomic status.

The second option for overcoming the issue of digital skills access amongst government employees might be to require all government employees to take an initial Computer Skills Assessment to determine their current level of digital skill, and then to prescribe additional training according to the results of this test. Unlike the first option, this is not a simple blanket training for all employees, but instead would only train those workers who are lacking in certain skills (thus saving both the time and the cost of sending ALL employees to skills training). However, this option might potentially be perceived as unfair, as it may disproportionately single out the older, disabled, disadvantaged, or ethnic minority workers for the training classes (source: The Next Digital Divides, 2001). While these training classes may be essential life-learning skills that these groups may not have the opportunity to receive elsewhere, it could be contentious to address this issue in the workplace.