This is the story of a $200 t-shirt … and company systems gone terribly wrong. Earlier this year, an employee wanted to send a shirt with our logo to a customer as a gift. There was nothing special about this particular shirt. It was an ordinary, 100%-cotton crew neck. But by the time this employee got approval — factoring in his own time and everyone else’s up the org chart who had to weigh in to validate the request — the cost of this t-shirt had ballooned to $200 … if not more.
Systems and processes serve an important role in any organization. This is something I’ve realized as my company, a social media management platform, has scaled from a few dozen to nearly 1,000 employees. With that many moving parts, you can’t operate efficiently without a playbook. Systems ensure that projects get done, quality is maintained and there are no surprises.
But it’s important to distinguish between good systems and bad systems. Good systems make things easier. Bad systems do exactly the opposite. They make everyone’s lives harder. The problem is that bad systems often end up in a kind of corporate Bermuda Triangle — no one really monitors them; worse, no one is empowered to change them when the need arises.
That’s how we ended up with our t-shirt snafu earlier this year. In our early days, we decided managers needed to approve requests for company swag: the cost of all those t-shirts and plush toys adds up, after all. But as we grew, this blanket policy became more cumbersome. In the case of the $200 t-shirt, our senior director of technology, Noel, had to spend several days chasing down his manager — our CTO — to get a rubber stamp on a request for a $15 gift.
Finding our Czar of Bad Systems
Fortunately, Noel wouldn’t let the issue die. He spent a day or two chasing down the right people in finance and marketing. In the end, he persuaded them to ditch formal approvals in favor of trusting that everyone would use their own discretion when ordering, like grownups. Worst-case scenario — a few extra Hootsuite t-shirts find their way into the world.
This example might sound trivial … until you start to do the math. In a company of 1,000 people, we’re talking about hundreds of employee hours saved over a year’s time — just on ordering swag. Once I realized that, the gears started turning. How much time and money was being tied up in other bad and broken processes — simple stuff that was eminently fixable, but that no one was looking into?
And so the Czar of Bad Systems role was born. It’s not an official position for us (yet). Noel has been generous enough to volunteer for the first tour of duty, on top of his day job. But our employees now have a go-to person who can take an objective look at processes that have outlived their usefulness. If people have a problem they can’t fix, even with help from their manager, they reach out to the Czar. In the past, these processes would have fallen through the cracks: cursed at but ultimately complied with. Now, there’s hope that they might actually be corrected.
In the few months since we’ve anointed our Czar, other faulty processes have been zapped, in departments as diverse as finance, customer support and marketing. In the past, for example, our creative team — the brilliant people behind our graphic designs — regularly found itself swamped. Requests from other departments were submitted without clear requirements; urgent projects stalled in a backlog of older briefs. Noel got the stakeholders to sit down and agree to the idea of a dedicated resource manager: someone who could prioritize projects and help our internal team function like a mini creative agency.
Making it work at your company
Hootsuite isn’t necessarily a pioneer in its zeal for eradicating bad systems. Ecommerce giant Shopify actually has an official Director of Getting Sh*t Done (which inspired the title of this article), with a team under him, tasked with similar efforts. Ombudsmen are a familiar sight in large companies, charged with resolving internal issues. And businesses have long turned to strategic consulting firms to help them identify inefficiencies and streamline operations.
But I’d argue that this isn’t just something for big companies and shouldn’t necessarily be left to outside experts. We’re in our early stages with this initiative. But I think we already have some clear takeaways that anyone can apply, regardless of size.
First and foremost, bad processes won’t fix themselves. Often, they lurk in a kind of power vacuum. Frontline employees aren’t empowered to change them. Leadership overlooks the issue or assumes it’s someone else’s problem. Precisely for that reason, it’s key to put someone in charge. This doesn’t have to be an official or full-time role, but employees need to know there’s a go-to person.
Like any good czar, this individual needs to have the skill — and authority — to work across teams and departments: to transcend processes in order to correct them. (An engineering mindset doesn’t hurt here, either.) Doing this right, almost as a rule, involves getting stakeholders to actually sit down together. A little shared input and a little buy-in goes a long way.
Social media can be a powerful way to surface broken systems in the first place. On Facebook, for example, we’ve started an internal Bad Systems @ Hootsuite group to log issues. Noel generally follows up with an in-person visit, to observe and ask questions. Interestingly, most bad processes seem to boil down to a few common failings: needless complexity, unanticipated bottlenecks or irrational fear of worst-case scenarios.
Not all problems can be solved, of course, and it’s important to know which systems are worth going after. We’d love to find a better way to do expense reports — a chore that, even with the latest apps, ties up thousands of employee hours a quarter — but the silver bullet is elusive. Generally, we triage efforts based on a rudimentary points system: the number of people impacted by a bad process is weighed against the estimated time needed to fix it. But it’s not really an exact science. Ultimately, trying something — even if it only leads to marginal improvement — is better than the status quo.
Am I a little concerned that this new role might eat up bigger chunks of Noel’s time? Well, maybe. Up until now, requests haven’t exactly poured in: a sign that we’ve either got great systems in place or (more likely) that we need to get better at IDing the broken ones. But even if we eventually do have to hire a dedicated Czar of Bad Systems, I don’t think that’s a bad thing — quite the contrary, in fact.
After all, the problem with bad processes is that they institutionalize inefficiency: they ensure that things will be done the wrong way, over and over and over again. For that reason alone, it’s worth investing the time and resources to ferret them out.
These days, most people are quite familiar with the old-fashioned type of spam email, and most modern email filters do a reasonable job of keeping those types of spam out of your inbox. However, a more serious threat still impacts unaware users in the form of email spoofing. Fraudulent emails can “spoof” a legitimate email from a legitimate source to trick the recipient into downloading malicious attachments or divulging personal information to a criminal source. Some spoofed emails can be quite sophisticated and difficult to detect.
Don’t Blindly Trust “From” Addresses
It is easy to alter an email message to make it appear to originate from a legitimate email address of a legitimate company, when in fact it originated from a spammer. A “From” address naming a company you recognize does not necessarily mean the email is safe. Combined with spammers using logos and images within the body of the email to make it appear official, it can be difficult to distinguish between a real email and a spoofed one.
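As an added example (not part of the original article), the check below shows what a mail filter or analyst can compare against the visible “From” address: the envelope sender, the Reply-To address, and the SPF/DKIM/DMARC results. The message is constructed, the function names are hypothetical, and the Authentication-Results header is assumed to have been added by the recipient's own mail server.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the visible From names example-bank.com, but the
# envelope sender and the receiver's authentication results say otherwise.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=example-bank.com
From: "Example Bank Support" <support@example-bank.com>
Reply-To: accounts@example.net
To: user@example.org
Subject: Your statement is ready

Please see the attached statement.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def spoofing_signals(raw_message):
    """List the reasons the From address should not be taken at face value."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    signals = []
    # A different envelope sender or reply address is a signal, not a verdict:
    # legitimate bulk mailers also send on behalf of other domains.
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and dom != from_dom:
            signals.append(f"{name} domain {dom} differs from From domain {from_dom}")
    # Assumption: this header was written by the recipient's own mail server.
    results = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=pass" not in results:
            signals.append(f"{check} did not pass")
    return signals

if __name__ == "__main__":
    for s in spoofing_signals(RAW):
        print("-", s)
```

Note that SPF passes here for the envelope domain while DMARC fails for the “From” domain, which is exactly the gap a forged “From” address relies on.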
Only Open Attachments from Trusted Senders
One reason these spoofed emails are distributed is to trick users into downloading attachments that purportedly contain important documents like forms or statements but are actually viruses or malware. Only open attachments when you’re confident about the source. Also be aware of suspicious file types – EXEs are actually programs, not documents, and it’s unusual for a form to be in this format.
Avoid Links in Emails
Another goal of these fraudulent emails is directing users to fraudulent websites that can be as sophisticated as the email itself. These websites will often ask for confirmation of usernames, passwords, or personal information that actually feeds into a database used for fraud or identity theft. Links can be altered to point to a different address than the one they display, so it’s better to manually navigate to a website so you know exactly where you’re going.
Confirm with the Ostensible Sender
Finally, if you receive an email from a company that you’re familiar with and do business with regularly, but are distrustful of its authenticity, it’s always a good idea to contact customer service for the company it’s supposedly from. Use contact information that you have on file or have collected from the company’s website versus information found within the suspicious email. The company can usually confirm the authenticity of the email, or help you submit it for investigation if it’s found to be fraudulent.
Password Policy Best Practice
- Passwords should be at least 8 characters long, and contain a combination of upper-case letters, lower-case letters, numbers, and symbols
- Passwords should not contain common words or phrases
- Passwords should be changed frequently, around every 90 days
Hacking attempts are a constant concern for business security. A common threat is the gathering of credentials for a business’s email server. With these credentials, miscreants can utilize the email server as a launch pad for sending spam messages. This can cause the mail server to be blacklisted by various organizations, preventing your legitimate emails from being delivered to their recipients.
A simple way to prevent this type of attack is to practice secure password policy. A number of factors go into choosing and maintaining a secure password:
Length and Complexity
Passwords are typically hacked using “brute-force” techniques that try random combinations until finding one that works. The longer and more complex your password is, the more difficult it is for hackers to ascertain it. Passwords should be at least 8 characters in length, and they should contain characters from at least three of the four groups: upper-case letters, lower-case letters, numbers, and symbols.
Passwords containing common words are the easiest to hack, as the pattern of letters narrows the possibilities. For the highest security, avoid using common words or names in passwords. To ensure a good combination of security and memorability, you can replace some letters in a word with similar-looking numbers or symbols. For example, use @ppl3 instead of apple or ta!! to replace tall.
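The length, character-group and common-word rules above can be enforced in code. This added example (not part of the original article) checks a candidate password against those rules and computes how many candidates a brute-force search over the same character groups would have to cover; the word list is a tiny constructed sample and the function names are hypothetical.

```python
import string

# Constructed, tiny word list for illustration; a real deployment would use a
# much larger dictionary of common words and names.
COMMON_WORDS = {"password", "apple", "welcome", "summer", "letmein"}

# The four character groups named in the policy.
GROUPS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def groups_used(password):
    """Names of the four character groups that appear in the password."""
    return {name for name, chars in GROUPS.items()
            if any(c in chars for c in password)}

def policy_failures(password, min_length=8, min_groups=3):
    """Return the rules from the text that the password breaks (empty = OK)."""
    failures = []
    if len(password) < min_length:
        failures.append("too short")
    if len(groups_used(password)) < min_groups:
        failures.append("fewer than three character groups")
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        failures.append("contains a common word")
    return failures

def search_space(password):
    """Candidates a brute-force search over the used groups must cover."""
    pool = sum(len(GROUPS[name]) for name in groups_used(password))
    return pool ** len(password)

if __name__ == "__main__":
    for candidate in ("apple", "Summer2024!", "t7#Kq9!vLx"):
        print(candidate, policy_failures(candidate), search_space(candidate))
```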
Even the strongest password is only effective for so long. It is important to continue to change your password on a regular basis to make sure a compromised password doesn’t stick around. It is recommended to change your password at least every 90 days for good security.