Can you trust your IT company?

A few years ago, when the East Belfast Partnership was setting up Espresso East, a social enterprise espresso bar, we brought in a consultant to advise us on the finer points of the coffee business.

One of his questions for us sticks with me to this day. ‘How will you know how much your staff are stealing from you?’ he asked. Not if, note, but how much.

In the retail trade, it is widely assumed that some staff members will be dishonest and there are security measures (like CCTV cameras trained on the till) and procedures (like carefully monitored end of day cash reconciliation) designed to mitigate the effects of this.

Over the years I have seen a similar diligence in third sector organisations in the way they use IT systems to guard against the potential vices of their staff: everything from user-based security permissions on folders so junior staff can’t find out what salaries managers are earning, to the blocking of social networking and other time-sapping websites, measures deployed with varying degrees of purpose and effectiveness.

But in this rush to use IT to control staff behaviour, the integrity of those implementing the systems is rarely questioned, despite the fact that as computer systems become ever more pervasive, the amount of information access and power at the fingertips of IT workers is increasing dramatically.

In many organisations it is not uncommon to find that the most important and sensitive company data is restricted to a few senior managers – and to whatever staff members happen to look after the network server.

In this article, I want to ask you, ‘Can you actually trust the people looking after your IT?’ Or coming directly back to the retail trade analogy, ‘How do you know what information your IT support people are stealing from you?’

It’s a question all too infrequently posed. IT staff are employed, or support is outsourced, mainly on the basis of value, capacity and experience, and ethics rarely enter into the equation.

Yet an IT industry survey once revealed that a third of IT staff admitted using their administrator passwords to snoop through company systems and peek at confidential information such as salary data.

In another poll of more than 16,000 IT professionals, 62% said they had accessed another person’s computer without permission and 50% had read confidential or sensitive information without a legitimate reason. In addition, 42% said they had knowingly violated a company’s privacy, security or IT policies.

And these weren’t just junior IT staff. The average experience level was more than eight years, and about 32% of respondents were at or above the manager level. Over four-fifths worked at companies with more than 5,000 full-time employees.

Of course, there’s nothing shocking in these (probably understated) statistics for anyone with a passing familiarity with human nature, but what is surprising is how we seem to give technology and technologists a ‘bye’ on moral questions.

The truth is that principles and values matter as much in IT as in the social and community spheres in which most charitable organisations operate. Indeed, the day-to-day world of IT is filled with ethical challenges and thorny moral dilemmas, and given the pace of change in technology and the rate at which tricky new questions are being raised, it’s all the more important to put ethics back on the table for frank discussion.

There’s no magic solution to ensure that the people with whom you entrust the keys to your valuable and sensitive data are inherently trustworthy, but making it an issue is an essential part of the process.

Make sure you know where your IT staff or support company stand on important issues such as those concerning privacy, security, personal property and copyright, and protection of the environment. The next time your organisation tenders for an IT-related project, ask for a statement of values alongside capability and cost, and don’t be afraid to get genuine character references, not just a list of previous experience.

So much of the good work of charities and social enterprises is driven by people with deeply-held values: we shouldn’t compromise this work by ransoming our critical information systems to people who don’t share these same principles.