Perils of Corporate Websites
Most corporations ignored the internet for about the first 10 years and even when they did enter the web they may not have known they had.
I used to hear this from my family a lot, “I don’t want to work at a corporation. It will kill my soul.” For most who have worked for a large corporation you know it is silly. Corporate types know souls are very hard to kill, the most you can do is drain off enough energy to power the auto-flush toilets.
Sure we have things most small companies don’t, like benefits, career progression, education reimbursement, bonuses, the occasional scandal and that soul draining thing. You also get things like hanging your star on a household brand and a budget on occasion. Yes there are days you feel like the smallest cog in the biggest machine, there are also days that you wouldn’t trade for anything.
At the heart it’s a culture and like any culture there are good and bad. Corporations don’t lean nearly as conservative as most people would have you believe. That said, from the outside they would appear to be the most conservative places there are. The problem is once a company gets to a certain size, it simply can’t turn on a dime. It takes either a huge effort or time to move a company. For good or bad they tend to wait and see what happens. They are conservative in the way a boulder is conservative.
It’s hard to believe so much time has passed, but what we consider the modern internet has been around for about 20 years, granted our web now is vastly evolved. The first couple of years had so few websites going live each day that you could look at everything that came out while you had your coffee. Most corporations ignored the internet for about the first 10 years and even when they did enter the web they may not have known they had.
In the early days, the IT staff would have complete control over the website. The site would be the part time responsibility of one person. They would register the URL simply to prevent a squatter. There was a time that McDonalds.com, Cocacola.com and Coleman.com weren’t owned by those companies. Those were owned by a family, an enthusiast and a summer camp.
Web conversations with sales or marketing generally ended with a manager saying, “Why would a
One day someone higher up in the company, who was more tech savvy than their coworkers, would hit the website. They would see that the corporate website didn’t come from marketing, the design looks like a system admin made it in an afternoon with cobbled together graphics. Which of course is exactly what happened. Suddenly the site isn’t ignored anymore. A senior management meeting would have everyone running around in a panic trying to show they are supporting the new “web effort”. Everyone wanted a better site, but no one wanted to pay for it. Overnight managing the website became a full time job and a part of the corporate culture without a budget. If you were really lucky, only a quarter of senior management would be openly hostile to the “internet fad”. Forget about getting help from marketing or the graphic artists. If they were cajoled into helping with the artwork, you’d get a design that is laid out for print with no concept of interactivity. When you wonder why old sites look like crap it was simple, graphic artists wouldn’t work on them. As recently as 2009 I have received web designs from graphic artists that were called out in inches with 2 point type. Might as well have been laid out in fathoms.
Eventually the websites slid out of IT and into the marketing department which lead to websites that didn’t cause as much early vision loss but did lead to terms like “Saturnic navigation”. Today we are seeing the web people moving into their very own department, independent of IT or Marketing.
On those first sites you wrote everything from scratch and enjoyed a fair degree of job security. You could make a comfortable living now if you wanted to support old Cold Fusion sites. However I could also earn a living making llama cheese, neither appeal to me.
Now we have a variety of tools that mean we can build a site without ever writing code. Content management systems, wikis, blogs and document management platforms all replace that old code nicely. The best part is that it forces a structure onto the information that automatically makes the site easier to manage.
Choice of the Platform
Choice of the Platform
The choice of the platform for the corporate site varies. When asked whether WordPress or Joomla or Wiki, I often say, all of the above. I’m sure some will make the argument that you only need one, and that just isn’t always the case. I argue that instead of tacking on a couple dozen extensions onto WordPress so it can be a Wiki, use a Wiki. For pretty much the same reason I don’t use a spreadsheet to write articles.
There is a corporate resistance to use anything “open source”. Personally, I rarely talk about the platform when pitching the site. For one very good reason, Google. What will happen is you will talk up the platform to someone that 10 minutes ago didn’t care about it. After you walk out of the room the first thing that happens is that “Wordpress” is plugged into Google and you are sunk. All the results are telling that customer that you are pitching a free product, that they can get this “hosting” thing for next to nothing. You are now labeled as using an amateur product. If you are an outside vendor they see it as overcharging or worse you are at the mercy of your competitor who tells horror stories about your platform and provide a couple of choice search terms. I’m sure there are some shaking their fists in a rage, but as the guy on the other side of the table I have seen many designers lose because they forgot who they were pitching to. Your platform matters to them almost as little as what brand of hammer was used to build their house. Unless that hammer was handed down by Thor himself it is insignificant.
Corporate sites often need to be a hodge-podge of various functions. The main ones are:
- Direct-to-consumer sales
- New products
- Spare parts & accessories
- Career postings
- Corporate governance
- Investor relations
- Public relations
Every department will feel they are the most important to the visitor. Design follows function and majority rules, so obviously you need to determine who the site is for. Often on corporate sites the plan is to build for who you want on the site, not who is there. I feel that is a mistake as you are alienating the people that are there for a mythical person who may never show. A balance between long and short term goals needs to be found. However those long term goals are often dead on arrival due to shifting priorities, the balance should always be skewed to the short term goals. Many a PR site was born only to become a post-operative ecommerce site.
Corporate sites have different rules from most sites. In some instances, they may be prevented from doing something by their vendor agreements or simply because it is something the legal department can’t defend in court, “Yes that baby bathing in the cooler is a cute picture but I will terminate you in an elaborate and degrading ceremony if you put it online!” In other instances it can be actual laws that have you coloring inside the lines.
Sarbox. Several readers shuddered at just reading that, but not as hard as they used to. For web people the Sarbanes-Oxley act basically requires you to pass an external audit if the site touches financial information. I’m being vague because you need to get compliance information from official sources. Luckily most of the covered information is now hosted off-site and someone else is paid to make sure you are compliant.
SEC rules are another place where you should lean on outside vendors for keeping you compliant. Investor relations are documents and statements that need to be publically available, as in a 10K statement. Often you are pointing to information on Edgar Online, but the problem is information posted to the site. The quickest path to trouble is a posting that could be construed as insider information. Jumping on Twitter to pump your fist over a huge contract win could get a call from the SEC.
Have you ever had to deal with the US State Department? If you ever work for a company that imports and exports certain defense related goods you will find yourself under ITAR or EAR. International Traffic in Arms Reduction and Export Administration Regulations. On a website most of your concern is information control. Awareness of what items are under ITAR is your first line of defense. The information related to those items is strictly controlled. A support document that perhaps just describes how to change a battery in a remote control will still be controlled information. My advice is to remove yourself from the decision of whether something goes online or not and build a relationship with your compliance officer. They will always be the final authority. One of the requirements is that your ITAR info stay on servers in the USA. Sounds simple, until the UK division makes a pitch to move the web servers there. Or the Japanese division wants a complete copy of the current site to start work on a native language version. The one that nearly got me was moving our files to an Akamai server. Sounds simple to let them do the heavy lifting. The problem was that their servers replicate your data to all their data centers which are all over the world. The few ITAR documents we had online would have gone right over the wall.
If you take public funds, you most likely will need to be ADA compliant, also known as 508 compliance. Every few years a hoax circulates that says all websites will required to meet compliance and warns of massive fines for companies that don’t meet compliance. Because of that web managers are conditioned to ignore ADA. ADA compliance isn’t nearly as difficult as people think and usually having good SEO practices will get you most of the way there with image labeling and easier navigation. The assumption is that non-profits and government agencies are the only ones that need to be compliant. Yet there are several states that offer food programs for kids in daycare. If the companies on-site daycare participates in one of those programs you could find yourself required to comply. We did work for FEMA at one location and were not required, however if we had built a site just for FEMA to use that would have been ADA compliant.
There are more rules but the dangers are where you earn your paycheck. Straight up you will have the same script-kiddies every site faces. If you have a recognized brand, you can multiply the attacks by 10. People trying to deface your site are bad enough, the ones going for a prize will be more persistent. For those sites that handle credit cards, you have PCI compliance. The idea is to make your site as unattractive to break-ins as possible, this is mainly accomplished by removing any reason to gain access to your system. For most the reasons are the customer credit card numbers. In a fully compliant system, you never store the number. You encrypt the number and ask another system to verify the card and amount being charged and immediately discard everything but the reply. Naturally there are exceptions, Amazon for one will store your info or the one-step checkout wouldn’t work. The problem at a lot of large corporations is that there are still mainframes and other systems that handle the internal data. They have systems in place that process credit cards in batches. At those locations the data is verified, captured, sent to the larger system and usually deleted. From a bookkeeping standpoint the online orders must enter the system the same way as any other order.
One step above your garden variety hacker are the state-sponsored variety. It sounds weird to know that some of us have had to fight off large scale attacks from groups that were sanctioned by their government. I’ve traced sophisticated attacks back to Chinese coal mining towns with the population of NFL practice squads, only to see the attack stop the instant I traced where it came from. Movies depict these events with 100% accuracy. Except there is more cursing and we are far better looking. Of course the best defenses are usually keeping your server patches up to date, yet that can introduce issues.
Every large IT department has the same horror story. A patch came out and was immediately applied to the systems. Shortly afterwards the support phone starts ringing non-stop. A patch blew up something. Whether it was that old database that now shows all 800,000+ records needed for the Sarbox audit are gone, or the server that doesn’t understand what a network is anymore; it all amounts to the same thing. A new policy that delays applying patches until an adult signs off on them. My personal policy is no new code on Fridays.
Corporate policies can tie your hands and yes there are times when the policy is ignored. I’ve seen policies that required every email going in or out be reviewed by IT. Sounds crazy, but if you are covered by government security clearances you learn to live with crazy.
Employees still fall for scams and still will be the weakest link. That uncle asking about the best way to move money from Nigerian royalty is the same guy yelling at someone who signed for a pallet of copier toner from a scammer. I myself had to fight to prevent about $30,000 in goods from leaving a warehouse. The orders looked weird and came in at a weird time. 3 days of fighting ended with a credit card company calling us in a panic to reverse their demands that the shipments be made. I had a great manager who trusted my instincts, everyone came out ahead. Except for the guys running the scam who got some time to consider life choices.
In fairness to the people trying to ship the goods, they were doing their job and everything was giving them a green light. Helpful employees can still be a problem. Whether someone creating the companies Facebook and Twitter accounts or registering the domain of a new venture before IT could get it, helps isn’t always welcome. However I can never gripe too loud. After all I wouldn’t be doing this unless I was the helpful employee that snagged a URL before people even knew they wanted it.
A corporate gig isn’t all bad. They experiences are not the same as a small shop and aren’t for everyone. A good corporation will not only nurture you but give you experiences you simply can’t get anywhere else. Plus that place where they tap into your soul eventually heals or so I’ve been told. At least it stops itching in the sunlight.