How secure is your intranet? The IT department has likely has gone to great lengths to protect financial and customer systems and databases but have they applied the same rigor to the intranet or portal?

Intranets and portals have grown exponentially since becoming mainstream in the early 1990s. Some are millions of pages large. However, the intranet has typically taken a backseat as the poor cousin to customer websites.

“Although media and management attention is focused on protecting external-facing sites from security threats, identity theft and other online vulnerabilities, intranets should not be overlooked,” writes Peter McKay, CEO of Watchfire in a recent Federal Times article When securing information, don’t overlook intranet. These sites can easily be compromised, and government IT executives are now realizing the need to expand security and privacy practices to agency intranets.”

If you’re a communicator, HR or marketing person responsible for the intranet then you need to ask the right questions of your IT department. First and foremost is understanding what you have, what is available to a wider audience, and what is specifically being done to secure it.

“Only by understanding the intranet environment — the domains, websites, directories, content, servers, technologies in use, and the policies and standards in place — can agencies ensure that they have adequate control of this information and its delivery,” says McKay. “The first step is to conduct an agency wide (assessment) to evaluate the size and complexity of the intranet. By conducting a thorough assessment agencies can effectively evaluate risks. Managers can then make informed decisions about risk mitigation as well as server and application consolidation.”

Things to look for:

·         Identify systems and servers not up to date or otherwise not conforming to IT standards

·         Orphaned content and rogue intranet sites and servers

·         Applications that work or communicate outside the firewall

McKay recommends several key steps to “effectively manage the compliance risks and costs of managing agency intranets:

• Conduct an inventory of internal Web properties to better understand the Web environment. Knowing how many sites and servers you have, the technologies in use, and the technology policies and standards your agency employs will create a more secure and productive intranet environment.

• Scan your intranet with an automated solution to identify vulnerable areas, including forms that may be inconsistent with internal privacy policies or may lead to information leaks.

• Understand what employee and citizen information is being collected and published on the Internet and intranet. The intranet is used to publish sensitive information, including human resources forms and employee health care information. Full knowledge of all online data-collection methods is critical to effectively managing Web privacy.

• Understand exactly who has access to this sensitive information. Proper technology and security controls will allow employees to see only the information required to do their jobs. Often, contractors are granted access without careful consideration for all the information they may have access to.

• Consider applicable security, privacy and accessibility legislation such as the 2002 Federal Information Security Management Act, the 2002 E-Government Act and the 1998 Rehabilitation Act amendments.

 Did you know that IBM had about 10,000 intranet sites and it has taken years to reduce this to about 6,000 intranet sites?

“Slow and steady wins the race.”  There are dozens of fables about how the underdog or the “little guy” came out ahead in the long run, and these lessons can give you food for thought when approaching your intranet launch and how your organization achieves success afterwards.

It’s not the best idea to break into a sprint as soon as the starting gun goes off.  Providing your departments with access to a robust content management system and some web space without first implementing a site governance model can be akin to handing gunpowder to a baby.  Unfortunately, this is what many organizations do when releasing an intranet, to “just get it out there”.  A little knowledge is a dangerous thing, and before you know it--boom!--you have unmanageable site sprawl.

And you don’t have to be a company the size of IBM to have intranet sprawl. It’s not uncommon for most medium size companies to have hundreds of intranets (I’ve seen ratios of 1 intranet site per 10 employees). Just imagine the wasted money and resources by not pooling those costs together....

Often the most successful intranets start off in a very humble way (especially in smaller organizations), with not much more content than employee classifieds or the company phone list or even a cafeteria lunch menu.

Some organizations grow their intranets organically, with a department or an employee quietly taking charge, perhaps as a pet project, occasionally enhancing it with features that specific departments ask for.  The intranet can sit collecting cobwebs for months before more staff become aware of its presence and usefulness.  Managers begin to ask for more and more additions, until suddenly the site captures the interest and imagination of employees, and the intranet becomes well liked and indispensable. 

These “organic” sites may not be pretty to look at, but tend to iteratively improve over time.  It’s the distribution of easy-wins and low-hanging fruits that allow an intranet to gain “traction” and acceptance and drive more employees to the site.  Growth comes slowly over a long period of time, but the site becomes indispensable in the process.

Planning out your site deployment, placing some structure around how it’s managed, launching tools and content that will engage staff and listening to feedback, will make it the “go to” site when they start their work day. 

And in the end a little preparation, practice, and thought is going to allow you to gain the traction your site needs to make it to the finish line.