IT Departments Are A Security Risk
stlhawkeye writes "An article at Information Week asks the question - is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"
I read the summary as if the IT Department itself is a security risk, because they have the highest level of access to everything on the network, and one wee mistake, such as failure to lock an unattended admin PC, inappropriate disposal of a backup tape, a misconfigured spam filter and whatnot, can easily knock out the company for at least a few hours or cause great harm.
Having said that, it's also true that computer users protected by a competent IT Department do get spoiled, and when they're out with a laptop, they can easily be infected on a dial-up. It's like kids with over-protective parents, who will likely get hurt/scammed/killed more easily when they're alone.
This naturally leads to the most important discussion in the article, i.e. user education. And I believe in order to really get the message through, IT Department needs to have some sort of security drill (like fire drill, annoying but everybody gets the idea after several attempts).
For example, if a user clicked on an obviously suspicious link (spoofed by yours truly, the IT Department, of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".
Rock that crushes, Paper & Scissors that don't matter.
This is the same reasoning we used to use in high school when we'd drop our wrappers on the floor, spill soda and walk away...they get paid to clean it up, we're doing them a FAVOR by ensuring their job security.
It was not rare in the past that the IT guys themselves were the thread to the company.
;)
Quite often they served the company's bandwidth for warez exchange, as we all know...
My Blog: "sum it up - News, emotions and science"
The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.
I see... just as the Fire Department is a fire risk, hospitals increase reckless activity, having a police force causes crime, etc.
How brilliant the author of this article must be to draw such an unusual conclusion!
1. Get rid of IT department
2. Let company infrastructure rot
3. Rehire IT department
Sounds like a management decision to me.
The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.
This is assuming, of course, that the IT department is very lax on their users. Besides the fact that the users should be locked down to the point where irresponsible computing isn't as much of an issue, IT shouldn't be just allowing this behaviour to continue. Mindlessly cleaning things up without trying to change them is the problem, not having the department.
If you get punched in the face every time you drop a cigarette butt on the ground, you're going to stop dropping them. The same principle should apply here. Punish the user for bad behavior, and they'll eventually stop.
Why home users get into so much trouble: I don't think it's because they feel they can ignore security due to the existence of an IT department to clean up their mess. I feel it's because they try to think of this technology like any other technology, a black box that you push a few buttons and turn a few dials on, something that is completely harmless.
Our company has consequences for stupid user action, up to and including employment termination, so users are "motivated" to learn the dangers that might confront them and how to avoid them.
As someone who became the default sysadmin for our group, I would constantly fix many recurring problems caused by the users. It got so bad that for a few members of the group I took their Windows notebooks and gave them Macs under the guise that the fix "was going to take a while". They would whine a bit that they couldn't run their software (mostly games), but it would give me a chance to do some real work.
I have secretly hidden some mispelled words in this post. Can you find them?
I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.
It is plain and simple arrogance. From trash talking users to mocking auditors, I see it all. Best yet, all the work done to keep users from doing something bad is amazingly and commonly thwarted on the machines of the same IT staff.
In charge of security administration, most likely to bend the rules too.
Yeah, there are good IT departments, and I am not saying where I work doesn't have a good one. Parts are very good, but it isn't hard to find rules bent somewhere at any one time. If not for someone whose title begins with a "C", then it's for someone in favor.
It doesn't help when you have so many different system types that you cannot find a single auditing company capable of covering them all. Of course it doesn't help when you don't take advantage of the opportunity SOX did provide and instead keep business as usual, just documented.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Any time a group gets into the role of over-functioning for another, the other group starts to under-function. This isn't limited to IT and corporations. It would explain, among other things, why the poorest and most dependent folks in NO were not more proactive with their own future in that disaster, instead waiting on the Government and charities to over-function for them. That choice was much more risky for them than just getting out of town earlier, like many others decided to do on their own.
------ Michael A. Romig
Uh, is this article serious? Do employees throw their trash all over because there's a janitorial staff to clean it up? Does it mean that companies don't need anyone to clean up?
I doubt it.
Have fun: Join D.N.A. (National Dyslexics Association)
NT
I'm definitely motivated to stay out of trouble in order to keep them the hell out of my computer...
What I'm listening to now on Pandora...
leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links
What about using software that will not load viruses over HTTP?
mutt instead of Outlook, Opera instead of Firefox, should do the job.
dirka dirka mohammad jihad. We have everything but Americans working at our place and most leave back to China and India soon after learning our entire system..... Problem?... Solution?...
In other news, the local officials said that a local fire station has become a fire hazard, because people just behave irresponsibly and leave their stove on when going to work or candles burning while they go to sleep, since they know the firemen will just put the fire out anyway. A new study was commissioned to study whether police departments are not secretly inducing crime.
If programs would be read like poetry, most programmers would be Vogons.
But I think someone just needs to point out that STUPID people are a security risk everywhere they are present.
Don't take life so seriously. No one makes it out alive.
from TFA:
"One in three (34 percent) of U.S. users and more than one in four of those in Germany (29 percent) and Japan (28 percent) admitted they clicked on suspicious links or opened iffy e-mail because the computer equipment wasn't theirs."
Now I have to figure out which 4 out of the 12 guys on my mobile force need their laptop replaced with an etch-a-sketch. Time to send out some ebay spoof emails and see who responds...
I try not to laugh in death's face. I tend to make belittling comments and snicker behind death's back.
If nothing else were to discourage me from doing dumb stuff, having our helpdesk staff around would.
They can't come near a machine without screwing it up. Everyone I know who's let them near their machine lost at least a day's work; they can turn changing an outlook setting into requiring a complete HD wipe and OS reinstall.
Luckily some of us have convinced them to just leave us alone and let us do most work ourselves; at most we ask them for a ghosted drive to start from.
what horseshit
After almost a decade in IT, I can tell you why there is this expectation. When it comes to fuckups, IT is usually the last guy to get the hot potato, and they're expected to save the day.
Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don't, it is (rarely) the fault of the employee; it's the fault of the IT department for not anticipating such a need, or not being available at a second's notice, or simply not being able to save someone else's bacon. Oftentimes we're asked to perform miracles.
It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failed to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man, expected to resurrect deleted+overwritten files...
Another example- it's 4:55pm and Fedex comes at 5 to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57. There's something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"
Please help metamoderate.
Complete bull ****.
:-)
If there was no IT department, how the hell would the company run? Buy support from outside companies? I think not, since on average (at least here) support companies charge about $95 an hour and 90% of the techs they send out don't know jack. I have lost count how many times I have had to fix stuff "again" after they leave, simply because they are too lazy to figure out the whole problem, or they don't know how to run/admin/whatever our systems. Since we created our IT department spending has been reduced a lot, and service and security have both gone up. Also the amount of down time our employees suffer has dropped dramatically.
Then again, I live/work in a fairly small city, so our local support companies don't have much to choose from for employees, since most people that know what they are talking about either work for a company in the IT department, or move their ass to a better place.
-Pizentios
The IT department is clearly a security risk, let me explain. The IT folks have the ability to hit all the dangerous smut portals (without getting logged) and are thus are more likely to download the root kits that are often served up at some of the shadier bukkake portals (I wouldn't know...wink, wink) and thus infect the corporate lan. Management knows taking bigger risks could lead to bigger rewards. So, that's why they keep those smut-hungry IT workers around.
What the article doesn't point out is the obvious tradeoff. By having an IT department to manage risk, companies enjoy lower risk but the risk profile changes. IT departments will routinely reghost machines with unauthorized software and that, arguably, is a strong benefit. Once users lose enough data from having not backed up their machine prior to it being reghosted, they learn to backup their data more frequently or not install unauthorized software (assuming they have the administrative rights to install that software in the first place.)
What that means, generally, is that problems from unauthorized software will be minimized and other problems will be magnified in comparison. I note that the author of that article didn't offer a solution to this perceived problem.
Perhaps a deeper problem is that IT security represents, to the company, what an economist would refer to as a "public good." Your department will enjoy the protection of powerful firewalls, anti-virus protection and locked down machines even if the costs are not applied directly to your department's budget. As a result, I've frequently seen business departments argue against increased funding for IT security in the mistaken belief that the potentially negative impact on their budget will hurt them. They somehow believe that if they do not pay for the security directly, the IT department will magically find other solutions for those problems.
Only increased employee education about the dangers inherent in their actions seems to be a viable method of reducing this problem.
What color is the sky on your planet?
I won't rehash the reasons why Linux isn't ready for the desktop.
Migrating to an all-Apple strategy would hurt the bottom line, as the hw is more expensive and there are a limited number of biz apps that run on them, necessitating a big virtualization project on top of the new hw.
Yes, Windows has a whole heap of shortcomings and everybody loves to hate it. For the corporate world's desktops, it's the only game in town.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
"It's like kids with over-protective parents, who will likely get hurt/scammed/killed more easily when they're alone."
Homer: Guys, believe me, I didn't mean to get you expelled.
Nerd 3: Oh, don't worry, Mr. Simpson, we can take care of ourselves.
[Snake appears, holding out his hand]
Snake: Uh, wallet inspector.
Nerd 1: Oh, here ya go. [All three give him their wallets] I believe that's all in order.
Snake: Huh ho! I can't _believe_ that worked.
Homer: [realization dawning] Heyy...that's not the wallet inspector!
http://www.snpp.com/episodes/1F02.html
To be honest, being a sysadmin, users haven't a clue at work or home anyway, so I think that they feel 'safer' at work due to extra security measures is a dangerous false presumption.
I expect the real reason is that doing it at work doesn't bugger up THEIR computer at home, and as it is at work, it is then not their problem (cue feet up on desk reading newspaper 'sorry, my computer is not working, I am waiting on IT _again!!_).
No matter how many times you tell them, the same resultant behaviour remains.
Look up the O'Really Tee shirt ~ Clue to lusers.
Education and consequences.
Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don't understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company's information security. That doesn't necessarily include end users.
My personal philosophy is that end-users should be punished severely for security breaches. Sure, the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behaviour, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in a while someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.
This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably sacked. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.
Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don't take Information Security seriously, and until they do the rank-and-file won't either.
Education alone is not going to do it. Education that is reinforced with consequences will.
How can one possibly surf the web without clicking on unknown Web site links?
I know it says don't complain about story rejects, but still, what's up with this: 2005-09-13 21:22:21 Risky Corporate computer use (IT,Security) (rejected). Hmm, sounds familiar.
Exactly why I'm trying so hard to get out of IT. I've been in IT coming up on 20 years. Who wants to be the scapegoat and take the blame all the time? Do the executives think I'm a toady? I realized a while ago that I am a paid bitch and that is never going to change the way management trends are going.
Besides, now that computers are as normal as a phone, they are a tool that we innovator types can use to take things to the next level. The internet has opened the door to so many new professions, and the permutations of combining those professions with the technology and sharing of vastly new ideas.
Abandon computers, it isn't where the action is anymore, and unless you're a toady or masochist, have a little respect for yourself. Go into a profession again where people respect you and what you do.
http://www.livejournal.com/users/cixel
I worked as a contractor to a large soft drink company some years back, and their corporate culture made it hard to fire most employees. However, they took improper computer / network use seriously and included it in their corporate code of conduct. Violating the CoC was about the only way you as an employee there could get fired, and they followed it. They even had security walk an upper management person out the door the day his little escapades took down a large segment of the network in his building.
Thus, as far as I have seen, it is all about not only having a good IT department, but having good company policies and proper enforcement to support it.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
As someone who supports several large companies' networks, I've seen both kinds. Some companies just don't care. They think that network problems due to careless, idiot users are just par for the course. They will just continue to pay to have you constantly fix problems that wouldn't be problems if they fired a person or two for screwing things up. Then you have companies that set limits from the get go. The network crew isn't there to pick up after them. In fact they are there to tell the boss who's causing the problems. After a few people get smacked around by the boss, you'd be surprised at how quickly clueless users become caring, semi-responsible users. The only downside is that they call a lot more often asking ridiculous questions. But I guess it's better than the alternative.
Drivers might drive somewhat more recklessly because they have seatbelts and airbags, but the solution to that isn't to get rid of these safety features.
As an IT worker, the message to bring home from this study is only this: employees will assume that you'll pick up the pieces for them. You need to either plan to do that, or dissuade them of their assumption.
And you can dissuade them. Saying, "don't do X, it reduces company security" will be met with yawns. But say "doing X is a terminable offense and people have been fired for doing it" gets people's attention.
Thanks for protecting my job.
Science is but a perversion of itself unless it has as its ultimate goal the betterment of humanity. -Nikola Tesla
Big companies should include IT issues as a KPI, to encourage staff against relying too much on the IT department to fix their stupidity. Of course, this could just drive people away from using the department at all for fear of getting a bad performance review and thus drive down productivity.
At first I was going to post a comment that maybe workers are too busy to worry about security, so they leave it to IT to fix problems, but I thought about it and came to the conclusion that if someone really is too busy, then they won't have time for SPAM-type email or for surfing.
So, I thought about it some more and came to the conclusion that it may simply be because of laziness. I work in a group of 12 programmers, 6 of which are either naturally tech savvy or keep up with tech. These people have no issues with viruses and stuff like that. The others, the programmers who have been programming the same programming language, in the same industry, in the same one or two programs for 10+ years (granted, there are some programmers with 10+ years' experience who are not like this, but most of them are), haven't read a technical book or done anything but the absolute bare minimum to get by for years and years. If 50% of programmers who SHOULD know better are too lazy to know exactly what they are doing when they are at a computer, what hope do IT departments have with people who think that their job is strictly whatever (accounting, being a doctor, being a pharmacist, etc.) and the computers are for IT/Geeks? Too many people do not take pride in everything they do. They are content with being good enough. They are Lazy.
The problem is that the behavioral culture at work is exactly the same as it is everywhere else. People can't stand hardship, complexity, accountability, or even just the discomfort that comes from having to think for a moment. It shows up in how they drive, how they bank, how they prepare for bad weather, how they marry, how they study for exams, and how they surf. And to the extent that the largess of our economy allows for it to keep happening, it just keeps happening.
The crazy thing is that most of the reasons I've seen for stupid-IT-end-users getting the axe (the ultimate behavior modification) have nothing to do with their poor security-related behavior, but rather for the things they've done that might offend someone. You know:
"Well, of course we'll reset your cracked password again. But when you get back to the field office, be sure to tell Bob that he's probably going to lose his job over that whole Carmen Electra desktop wallpaper thing."
Don't disappoint your bird dog. Go to the range.
You are a lot more likely to roller-blade, sun-bathe, and bang skanky hos if you know there are doctors around who will set your broken bones, slice off your melanomas, and give you penicillin.
Why won't those doctors think of the children before they dedicate their lives to medicine?
On the serious side, with access to everything typed in or emailed in, trustworthy, competent people who are more worried about everything running well than personal gain, with some sort of check or balance, should be the default.
Aren't the users security risks?
"why don't you just slip into something more comfortable...like a coma!"
Hey, did you know that AOL will be bought by Microsoft? Yup you heard it here first.
-1, Offtopic - yea yea
Big company employees just don't see security as their responsibility.'
Put in place a penalty system in combination with correct education on computing for the employees. Those who still do not want to listen have to feel it in their pockets. That might change their mind. Plus, if given correct education along the way it will most likely make them more responsible at home as well.
Of course, it should be done basically the same way in any company in the same field -- Otherwise employees can "just" switch jobs and avoid it.
Proud owner of BOT2K3 [ bot2k3.net ]
This is the same kind of logic that people use to claim air bags don't make people safer. The argument is that people will drive more dangerously if they know they have an airbag to save them.
The problem of course in both these cases is that no one is adding up the benefit of both protection schemes. Of course if you don't also look at the added security that an IT department provides, and only look at potential problems it's going to look like "IT departments are a security risk". Shame on Information Week (and mostly Slashdot for the dumb headline) for making this dishonest claim.
AccountKiller
War isn't about who's right. It's about who's left.
why don't you develop some proactive way of making sure it's working? People expect their computing environment to be utility-grade. Failures of the environment should be about as common as power failures. Most IT environments fall far short of the utility-grade mark.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
AC says: "My personal philosophy is that end-users should be punished severely for security breaches. "
I have found, working in various IT departments, that if your users know they will get whacked for having caught a virus, they will never report the virus until it is hurting them worse than IT will. In that case, the virus has spread through other machines and the mess is bigger to clean up.
IT guys are a multi-thread to the company...
We play the game with the bravery of being out of range
I think the problem isn't complacency, it is lack of education -- no one asks the janitor "what is the trash can for?" but all the time the IT guys field questions at that level of stupidity...and worse -- THEY ACCEPT IT!!!
These tired ownership society attitudes assume actions result from a lack of vested interest while discounting the training issues.
Other postings in this topic lament being on the receiving end of the blame game. Get used to life, because there are many situations where others will shift responsibility to high-horse IT employees who, like most others, are not immune to accusations. A little dialog can go far in defusing the following situation:
[BOSS] John couldn't get that package out to big client yesterday. Why was the printer down?
[IT] Equipment sometimes fails and we put in 110% to keep things running.
[BOSS] Yeah, we lost a million-dollar contract due to your incompetence.
[IT] I suppose it would be fair to ask why Marketing waited until 4:55 to make their print out?
[BOSS] Because they were putting in 14-hour days for the past week. The printer needs to be working during times of crisis.
[IT] If it was so critical, we would have posted someone to continually monitor the printer had Marketing given us the heads up of their deadline.
If you have an unreasonable boss, run fast. These blame throwing tirades are just that.
signature pending slashdot approval
Not only are IT Departments a serious security risk, for both the reasons that they give a false sense of security to the end user and that a simple mistake on their side can have grave consequences. They are also mostly around in an attempt at securing their own jobs.
It seems to me that 90% of all desktop maintenance could be performed by an informed end user. Instead, IT locks down everyone's computers and forces the end user to submit a request for help to do the most simple, mundane things. These include things like, oh I don't know, installing the latest version of Java, defragging your own hard drive, or changing the power management settings on your laptop. This is so demeaning to the end user that most give up and go with the flow. That is, they see education in computers as useless, since they can just pick up the phone and ask IT. So the very tactic that IT uses to secure their jobs ensures that most end users are totally computer illiterate and therefore creates a serious security problem.
Any IT Dept that adamantly refuses to incorporate, or even switch to, an alternate OS for purely selfish reasons is certainly a problem.
When upper management asks for recommendations and the same old, tired arguments for sticking with a Windows-only environment are trotted out by the MCSEs in the basement, then IT is doing the company a disservice.
Bah! You're being ridiculous. The single largest factor in determining which platform a company should use for any given purpose is "what platform does our desired application run on." If the market leading product for your particular purpose only runs on Windows, you're going to run Windows. If your application runs on Linux, you'll run Linux. This is the single biggest hole in the vision of certain OSS zealots (and I do prefer OSS software, just not necessarily Linux 100% of the time).
Here's a perfect example. I was involved with a startup about 2 years ago that was going to be a specialty surgical hospital. This was to be a small (less than 50 bed) hospital that focused on a very narrow branch of specialty medicine. The IT department varied from 3-5 staff members over time, including a director. For this hospital we needed the following systems:
Lab information system
Radiology information system
PACS system
Transcription system
Registration system
Patient accounting system
Clinical documentation system
Clinical ordering system
Medical record system
CPT coding system
Surgery scheduling system
Surgery documentation system
Nurse call system
Security and surveillance system
Numerous database and instrument interface systems
Email system
File and print sharing
Intranet site
Directory services
General office systems
Decision support systems
Database analysis systems
Computerized faxing system
And so on...
Newsflash! This hospital's IT infrastructure could only have been built on a Windows platform. Now I won't say that Windows is the only OS that has all of these sorts of applications available (especially since two of those systems run on AIX servers, though with Windows clients). But if there are OSS, Linux, or Debian versions of these applications, they certainly are not best of breed, and they absolutely do not have the support of a large company that is a leader in the healthcare software field. And with an IT department of 5 people or less, they were hardly in a position to "roll their own."
That's probably a more eloquent response than a troll post like yours deserves, but I think that it's important that people realize that it's not the "bunch of MCSEs in the basement" that drives purchase decisions for large companies.
...is to make them pay. Think about it. If the worker crashes a machine because he hit the wrong buttons, or he crashed a car because he overslept, he will likely be fined or fired by his company. The same should be done with IT equipment; calculate the working hours the IT guys have to invest for undoing his/her stupidity and make him/her pay for it. Last time you saw this person whining for help ;P
I have to say, I've been in more than a few IT departments that use their position and their management's ignorance to host everything from game servers to MP3 servers. Ordinary users can't even think of attempting these activities. It's great to be in IT!!! :D
Yes, Windows has a whole heap of shortcomings and everybody loves to hate it. For the corporate world's desktops, it's the only game in town.
Who said anything about desktops? Linux works great on the server side. Also, since you brought it up, sure Apple hardware costs more, but it also lasts longer and works better (albeit slower). Maybe it works just fine for some companies - there's no excuse for recommending Windows only out of inertia.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
What about the man-bites-dog scenario where the techs should know better?
What about the IT department that leaves your server's admin password on a piece of paper beside your server? About the busy support that tells the user the data on their boot-unrecoverable desktop is "gone, just gone. Here, let me get things started by reformatting for you!" Couple things I've seen. And a couple things that made me an enemy of that IT department when I pointed them out (and stepped between the tech and the reformat to do the PC data restore for the department in that case).
"Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failed to install a nice big inflatable barrier along all the roads? Of course not." ...and yet poor road design is one of the greatest contributory factors to road deaths (alongside pubs serving drivers drink).
"Migrating to an all Apple strategy would hurt the bottom line as the hw is more expensive and there are a limited amount of biz apps that run on them"
Tell this to the video production department that has to use Premiere instead of Final Cut because IT doesn't "support" Macs.
Or better still, the thousands of real estate agents who have to use a PC running IE to add new listings to the MLS because Safari, and even IE, on a Mac isn't supported.
The second time you screw up your boss gets a real bill from IT services, taken out of his budget.
The first time he gets a bill but doesn't have to pay it. He shows it to you. Assuming you were trained on what not to do, that should be enough to scare you into compliance.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The article is about users feeling emboldened to download risky stuff because the computer isn't their property and IT will fix it. Most users I know don't have servers, but instead have desktops.
The increased cost of Apple hw is small in comparison to the cost of making biz apps run on the Apple hw.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Considering how easy it is to set up a web content filter and how few corporate IT departments bother to do that - I tend to agree with the headline that IT departments are security risks.
If a user can click on something in a browser or email client and cause a security issue, then the problem is incompetence in the IT department.
Oh well, what the hell...
What about filtering viruses over SMTP and HTTP? It is not black magic. If the IT dept doesn't filter everything, then they are either lazy, stupid or incompetent - pick any three...
Oh well, what the hell...
Come on now ... just because there's some sort of protection doesn't mean the protected person is more likely to take risks.
Now, the concept so many have posted about regarding the IT staff themselves being the greatest risk is entirely plausible, if not likely. Power and a feeling of being above the rules is a far more dangerous combination than simply knowing someone's there to clean up the mess you make.
True. I can't tell you how many times clueless Valleys have cut me off when I'm about to drop in. I feel no compunction in slicing their boards.
*ducks*
Read the EFF's Fair Use FAQ
Ok, rank-and-file employee. We've put aside $X.
If you screw up your box so bad that you can't fix it yourself, we call in the big boys and deduct their charges from that account.
Whatever is left at the end of the year, you get to keep.
If you deplete the whole account before the year is up, you're fired.
gewg_
...because this is the same behavior that people will exhibit if there is a security guard working the desk downstairs. Anyone who makes it into the building has free rein to wander around and steal stuff if they have the right expression on their face.
"Your superior intellect is no match for our puny weapons!"
It is like saying that having a QA department lowers your quality. Sometimes true. Sometimes not.
Avoid Missing Ball for High Score
I read the first paragraph - almost immediately, I remembered a job offer:
- System Administrator (network)
- $7.25/hour. (That's right - below minimum wage.)
- Located in Navan (which is hard to reach by bus - taking a car is an option, but only minimally.)
The systems were already infested with malware that generate popups. This is also a computer consulting company. (I'd love to name them, but was never given the name of the company.) This single example proves that the lack of an IT department or equivalent thereof is no less secure.
Besides, with an IT department (not counting pseudo-departments by name only), there is actually an ability to learn from mistakes of users, and refine policy and training to make sure that inappropriate computer use is known by the employees to be inappropriate (and detectable.)
On your arrogance comment. I was on the IT side of things for around 8 years in 4 different places (including a university) where I was, or was a part of, the IT department. We all did things that we would have reimaged a user's computer for. On a daily basis. With one of my co-workers at the univ., I legitimately reimaged (it had died from misuse) more times than any user. Wow. Now I'm IT Audit at a big 4 firm... and I see that the IT departments I worked at were actually good. I hear a lot of the arrogance of which you speak. Not to brag or anything, but even the newbies over here are incredibly intelligent and, generally speaking, know more than the senior VPs, CIOs, IT directors, etc. combined. I think the arrogance is a defense mechanism in most cases for having, in ascending order: a) a crappy job i) crappy mgmt ii) crappy IT security policies b) crappy attitude c) lack of knowledge. That's my $.02. But most IT people are better, now that I deal with almost exclusively Fortune 500 people. Which should be the opposite if arrogance is a result of actual knowledge or success as many people think. BTW, I think all the big-4 have enough expertise and experience to audit all your systems, but I may be wrong. ---- my username has a long history, don't asque
A gas oven, a steam iron and an automobile all have a very limited set of possible operations. Even the most versatile of these machines, the automobile, can be operated with a small set of physical operations and the knowledge of a simple ruleset (the side of the road you're supposed to be on, the meaning of traffic lights, etc). If you were right, misusing any of them would be very rare, obviously not the case with automobiles (the one with most degrees of freedom).
Computers, on the other hand, are almost limitless machines - change the software and you completely change the way the computer works. There are so many possibilities and so many degrees of freedom that most people won't be capable even of contemplating them all, much less controlling them.
~~~
The article is about users feeling emboldened to download risky stuff because the computer isn't their property and IT will fix it. Most users I know don't have servers, but instead have desktops.
The GP wasn't addressing Linux on the desktop, and the idea of it is sufficiently odd that people still refer to it specifically when they're talking about it.
The point about bizapps stands unless the company moves its apps to intranet servers, which is happening a fair bit. An iMac + webapp makes for a fairly nice, secure setup.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I run my LAN like Simon Travaglia's BOfH does.
- Lock my machine and the server room doors when I leave for ANY reason
- Only use Firefox
- Mac OS X machine for work, fully-patched locked-down XP machine for admin stuff
- Realtime antivirus on the Windows machine, plus HijackThis and Ad-Aware
- Total and complete control of EVERYTHING on the LAN - if I don't personally approve it, it doesn't go on
- VNC is on all my user machines (I told them it was for remote repairs. Let them believe it - I like watching J. Random Luser downloading things with lots of flesh tones)
- If a user misbehaves, I lock their accounts until they've come to me and apologized in some suitable manner
Just know your LAN, know your role, and beat the shit out of the users who don't cooperate.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
I won't rehash the reasons why Linux isn't ready for the desktop.
It depends on the business.
I used to work for an ISP that utilised XTerminals w/4M Ram for all departments, including customer service. The apps ran on FreeBSD.
It was a DE of: fvwm (although I ended up moving to olvwm), exmh and Netscape.
Sure it wasn't the prettiest thing in the world and it's not appropriate under all conditions but for the role we had it doing it was fine. No-one complained: they could do their work.
One of the great things was these machines had no hard drive. That alone reduced maintenance costs significantly and when a machine crashed you could reboot with almost reckless abandon.
The XTerminals with centralised server setup is a great demonstration of the elegance and manageability of X and Unix. Having all client data and applications on one server that can be scanned for viruses, backed up, etc. is wonderful. Being able to roll out (or roll back) new versions of applications to all clients by changing one symlink is powerful.
I know you can do similar things with Citrix but I only really hear horror stories about that product and it costs more than most businesses can afford. MS Terminal Services is pretty good but it still feels like an add-on product/hack like VNC rather than a network-transparent desktop environment.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
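The "roll out or roll back by changing one symlink" trick from the post above, written out as an added example; this is not the poster's setup or any product's code. It assumes a layout of one directory per release under versions/ with a single current symlink that every client resolves at launch, uses GNU coreutils (mv -T), and defaults to a throwaway directory so it can be run anywhere:

```shell
#!/bin/sh
# Added example, not the poster's own setup: switching every client of a
# shared application tree to a new release (or back) by repointing one
# symlink. Assumed layout (an assumption, not from the thread):
#   $APP_ROOT/versions/<ver>/bin/app   one directory per release
#   $APP_ROOT/current                  symlink the clients resolve at launch
#   $APP_ROOT/previous                 symlink kept for one-step rollback

# Default to a throwaway directory so the script is safe to run anywhere.
APP_ROOT="${APP_ROOT:-$(mktemp -d)}"

# Create a release directory containing a constructed sample program.
install_version() {
    ver="$1"
    mkdir -p "$APP_ROOT/versions/$ver/bin"
    printf '#!/bin/sh\necho "app %s"\n' "$ver" > "$APP_ROOT/versions/$ver/bin/app"
    chmod 755 "$APP_ROOT/versions/$ver/bin/app"
}

# Name of the release "current" points at (empty if nothing is active yet).
current_version() {
    if [ -L "$APP_ROOT/current" ]; then
        basename "$(readlink "$APP_ROOT/current")"
    fi
}

# Repoint "current" atomically: build the new link under a temporary name,
# then rename it over the old link. rename(2) replaces the link in one step,
# so a client launching mid-switch sees either the old or the new release,
# never a missing path. "mv -T" (GNU coreutils) stops mv from moving the
# temporary link *into* the directory the old link points at.
activate_version() {
    ver="$1"
    if [ ! -d "$APP_ROOT/versions/$ver" ]; then
        echo "activate_version: no such release: $ver" >&2
        return 1
    fi
    old="$(current_version)"
    ln -s "versions/$ver" "$APP_ROOT/current.new.$$"
    mv -T "$APP_ROOT/current.new.$$" "$APP_ROOT/current"
    # Record what was replaced so rollback_version can undo this switch.
    if [ -n "$old" ]; then
        ln -s "versions/$old" "$APP_ROOT/previous.new.$$"
        mv -T "$APP_ROOT/previous.new.$$" "$APP_ROOT/previous"
    fi
}

# Swap "current" back to whatever "previous" records.
rollback_version() {
    if [ ! -L "$APP_ROOT/previous" ]; then
        echo "rollback_version: nothing to roll back to" >&2
        return 1
    fi
    activate_version "$(basename "$(readlink "$APP_ROOT/previous")")"
}

# What a client does at launch: resolve the link and run the program there.
run_current() {
    sh "$APP_ROOT/current/bin/app"
}
```

The relative link targets (versions/1.1 rather than an absolute path) matter when the tree is exported read-only over NFS: the links resolve correctly under whatever mount point each client uses. Keeping a previous link is what makes the rollback a one-command operation instead of a search through the versions directory.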
Whatever happened to personal responsibility?
Well, at the end of the day, it's not. It's your responsibility as the IT person. Giving users privileges to do those stupid things is the problem. Don't do it.
Workers shouldn't be expected to be security experts any more than the IT person should know how to do everyone else's job.
Both sides of this debate are correct. Simply having protection does not create the behaviour you are trying to protect against. BUT, users will get lazy and complacent the more they are coddled. The lazier and more complacent they become the louder they whine and complain. Management looks at the situation and decides IT needs to do more with le$$. It's a downward spiral from there.
We can't rely on acceptable use policies with no teeth. And we can't expect C-level executives to make the rules and enforce them. At the risk of being flamed into oblivion let me say, IT needs to grow a pair and lay down the law.
We need to take a long hard look at the business and figure out what THEIR pain is if the users screw up. You can talk about spyware and anti-virus until you're blue in the face and most non-techies will just glaze over. But, when you tell a sales exec that a "million dollar proposal" could be delayed by several hours because his numb-nut sales reps are infested with spam-bots, ears perk up - FAST.
As painful as it may be, we have to think outside the tech realm. We have to understand what the business thinks is important and play off that. Once you start putting dollar values on consequences - in terms the business can understand - funding and policies with teeth are right around the corner. Or, we can sit and whine like users.
Before anyone says I must be management or an MBA weener let me say Wrong. I've fought this battle for years from the help desk all the way up to network engineering. The only way to stop the madness is to think about it from the business' perspective and put the costs in terms they can understand.
Is this not what Kevin Mitnick has already displayed in public? Exploiting the lack of security displayed by most non-IT employees in large corporations?
It's not the IT department that's the problem. It's the higher ranking people that whine because their workstations lock after five minutes or because they have to enter their user name in after logging off or rebooting. But those people are so important that if they whine enough, they end up getting their way. Those are also the people that bitch because someone messed with their computer while they were away.
Everybody used FreeBSD and Xterms? What accounting package did your finance team use?
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Which is all well and good until the first genius logs into a non-virus-filtered SSL web-based proxy and starts surfing finaldownloads.com. User education and management policy are just as important (if not more so) than software solutions.
...the IT department where I work is so incompetent, no one would ever rely on them to clean up anything. ;)
The problem with corporate security is NOT that of the IT department, it is the users, who may or may not be in the IT dept.
This kind of attitude is a dangerous one for IT because if corporations start to think in this manner, it's only a matter of time before they start to "outsource" even more.
No, the problem IS with the user. The one who opens a suspect email, or who's visiting risky sites is the one who needs to pay the price for their mistakes. Downtime, or worse.
The attitude that "IT will clean things up if I get a virus" will quickly go away when people start getting reprimanded for unsafe practices.
Perhaps I'm just being a hard-ass, but I guarantee after one or two people get fired for surfing inappropriate sites, or opening an email with a virus, the problem will start to go away.
H.
When VCR's are outlawed, only outlaws will have VCR's.
Big company employees just don't see security as their responsibility.
That's because it's not their responsibility! It is the responsibility of the IT department.
workers do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.
I have no fear of opening my emails. I have no fear of clicking on (gasp!) unknown web sites. Any IT department that allows computers where such petty actions are actually threats to security is a pretty damn poor one indeed.
Set the rules, anyone who violates them gets fired (maybe three strikes or something for minor things).
Or, you fix your own mess. IT will get to it when they have time.
I've been employed in different companies where one or the other method was practiced, they both work.
Quick! Get rid of the hospitals, they are making us sick!
ogglelog
Heh, yeah, though the first time that happens, the IT geniuses should find a way to plug the hole and then it should never happen again.
At present, most companies don't filter web access at all and also install IE with Craptive-X for their users and then still have the audacity to blame the users for fucking up their machines.
This is equivalent to leaving a 4 year old in a candy store and expecting him not to take anything - or deliberately placing a drugged bull in the middle of a china shop.
Whatever happens then is your own damn fault...
Oh well, what the hell...
Maybe Doctors are a risk because
People tend to engage in dangerous/insecure/irresponsible habits (i.e. smoking, eating crap, etc.) because they know doctors and medicine will clean up the mess.
You can say this about lots of things that are dangerous.
Yes, Windows has a whole heap of shortcomings and everybody loves to hate it. For the corporate world's desktops, it's the only game in town.
You'd be surprised what major companies are Mac-only shops. I probably shouldn't name names (because of my current job as an outsource person) but next time you look at a magazine rack at a store, you can bet more than two of those are Mac-only shops.
Not to mention a major clothing store has mostly Macs...
But yes the majority of the standard corps are Windows only. IMO the main reason Mac isn't used yet is because there is no really good Exchange replacement except for Lotus Notes.
There is Groupwise and Outlook for the Mac but they are crippled compared to their Windows counterparts. Entourage can't even do delegation and "out of office" plug-ins so it's not going to work as a replacement.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
...this site will have to do.
~Philly
"White lab rats cause cancer." /usr/bin/games/fortune
-
--
make install -not war
C'mon, the guys that actually download most of the stuff around the workplace are usually the IT guys.
Man, you should just get back to work, fix the stuff and don't say anything; if you don't like it I'm afraid it's not going to change, it's simple human nature.
I've done helpdesk for a long time now, and although most of the stuff I get calls on is pretty simple stuff, well, that's the reason I get paid.
My job is not to change the final users habits,
since they already have an assigned task!
Besides, I found that the more I thought about it, the less I actually enjoyed the work, and I would rather not become bitter over it.
*Make* me use the-pile-of-poo-OS, and I'll be abusing it.
Sometimes I wish mods would read the post before marking posts as 'Troll' or 'Offtopic'.
Try getting top-level government officials and executives in government agencies to cooperate with security requirements. I know FIRST-HAND that, at least in the VERY LARGE, PROMINENT, TOP-TIER government agency where I work, you can't tell the upper-brass anything-- and they're dumb as bricks when it comes to security, computer safety, opening questionable attachments, potential virus-laden mail, or even dealing with spam/phishing. They do really stupid shit and then blame everybody else for "lax security".
I'm sure that workers at companies without security guards are the paragon of vigilance.
...and is used to justify failing to provide security for those not able to fend for themselves.
The problem, of course, is that the idea is ridiculous. People, when faced with the choice between leaving New Orleans (how inconvenient!) or staying and *being taken care of by overproviding relief organizations after their lives are destroyed* rationally choose the latter?
Computer users aren't educated enough to maintain their own systems. They aren't making a choice between occasional security breaches or system failures and a constant low level of effort to keep things working. To them, computers break, and then they get fixed.
The parent should probably be marked "troll", but because of what passes for mere partisanship in the US, it is instead an insightful defense of the government.
If you want to make a legitimate argument, talk about federal flood insurance.
The big big company where I am currently working forces me to use windows. I requested Linux, and it would be better for my job: I am either doing email or connected to unix machines (Tru64, HP-UX and Sun).
:-/
But no, the corporate 'standard' is windows xp.
That's ironic when you know they sell hardware with Linux pre-installed.
They force me to use Windows; the security responsibility is theirs.
All laptops, workstations, and PCs provided by the company are the property of the company. They are provided to help you do your job.
I do not fail; I succeed at finding out what does not work.
Everybody used FreeBSD and Xterms? What accounting package did your finance team use?
Good point. We had an MIS department that produced reports in Perl. They were on Xterminals too.
Sales and Marketing were in a completely different office (in another suburb) and they probably used Windows but I don't know, sorry.
The ISP was a manufacturer of XTerminals before becoming an ISP, hence the unix-centric focus and plenty of spare XTerminals.
I'm sure there must have been a Windows box with Quicken somewhere though. There always is, even if just for payroll... that's why I think you're right in pulling me up on it.
As I stated in my previous post this setup isn't appropriate under *all* conditions. I can't see a graphic design firm or advertising agency taking on this sort of setup any time soon for instance. My point is that this setup is very workable under a very good number of conditions, more than people think apparently.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
Oh i don't know, when you're face to face with a set of 20 foot waves about to unload a few hundred tonnes of water on your head, the only help you can expect is from yourself. No government department, "safety net", charity, family or friends to lean on. Just your primal fear and weak and puny flesh and bone versus the full fury of the ocean.
Most surfers understand personal responsibility better than anyone else.
Oh you mean 'internet surfing', well can't help you there ;).
I don't know about guard rails, but the evidence suggests that both mandatory seatbelt laws (throughout the world) and mandatory bike helmet laws (in Australia and New Zealand) have not reduced the rate of death and serious injury of car occupants and bike riders respectively.
It's because of a well-known phenomenon called risk compensation.
That's like saying that the police are the reason for crime because people don't lock their houses down as much, knowing they can go there.
It's utter and ridiculous nonsense. Without IT departments people might (and I very much doubt it) be more careful with their computers, but as soon as something happens anyways (and it will), there is nobody there to clean it up and it will spread uncontrollably.
Bright idea, really. Let's dismantle the police, I'm sure crime rates will drop.
Assorted stuff I do sometimes: Lemuria.org
It's not that they're staffed by incompetents, it's that they're trying to increase security by making people think they're incompetent so they won't assume IT can fix their messes!
It's brilliant!
I have yet to work in a company (or even hear about one) where the MIS are not incompetent, footdragging anal-retentives; what planet is this article referring to?
No, the biggest security risk in any company is the use of Outlook, Word, and Windows.
Windows, with its tendency to default to executing things and hiding information from the user, so the average user doesn't always have a chance to know that they are executing code.
Word, with its builtin BASIC interpreter; I should think that would be obvious.
Outlook - need I say more?
I use Linux with Firefox and Thunderbird; I've even turned off HTML viewing in Firefox. I haven't been bothered with anything like viruses ever. Not once - but our Windows users are constantly under attack, and even though they constantly upgrade their virus filters, they still get infected.
Yes.
Amazing to see that "clicking on unknown links" is considered bad security practice. That's, like, the entire point of the Web! Somebody needs a better browser...
Their argument reminds me far too much of that argument by the auto industry against using safety glass in windshields because it would cause people to drive faster because they would feel too safe.
This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
We try to keep our users informed and teach them what to do and what not to do when it comes to surfing, clicking and virus prevention. Nevertheless some manage to shoot themselves in the foot. Those who do, after being isolated from the network and shut down, are moved to the bottom of the help list and dealt with at the end of the day. I've found that making them simmer for a couple/few hours without a PC tends to drive the message home.
[ petulant rant ]
Well FUCK YOU! Fuck your mother, and fuck your sister, and the guy that does your laundry, and your household pets, and the horse you rode in on. FUCK all of it. You IT people are here to serve US. If you can't stand the heat, get out of the kitchen. He who hesitates is lost. Look before you leap. A penny saved is a penny earned. Why don't you go skiing? If architects designed buildings the way you IT people design your security procedures, then the first woodpecker that came along would be killed by some loser. There are 10 kinds of people in this world: one who understands binary, and six who don't.
I hope that I have made myself sufficiently abusive without being overly clear.
No they won't. Eventually, this will go up to the VP/SVP level, and then you have several VP/SVP's squaring off at the IT department and its chain. Guess who loses the executive politics battle if the CEO decides that IT is "out of control"?
That's not the issue we're discussing here. We're discussing ways to teach people to be responsible for their actions and not force IT to pay the price for cleaning up messes that shouldn't have happened in the first place. My suggestion implied that it was company policy that those costs be paid for from the budget of whatever department, division, project or whatever was responsible for it, instead of being paid for by IT.
It also assumed (though I didn't specify) that there'd be some objective way to decide who pays. Getting infected by a brand-new virus, before definitions are updated? IT pays. Getting infected with an old one because you opened an attachment from a total stranger? You made the mess, you pay for cleanup.
Good, inexpensive web hosting