Slashdot Mirror


IT Departments Are A Security Risk

stlhawkeye writes "An article at Information Week asks the question: is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"

7 of 282 comments

  1. Depends on Enforcement by sstamps · · Score: 3, Informative

    I worked as a contractor to a large soft drink company some years back, and their corporate culture made it hard to fire most employees. However, they took improper computer / network use seriously and included it in their corporate code of conduct. Violating the CoC was about the only way you as an employee there could get fired, and they followed it. They even had security walk an upper management person out the door the day his little escapades took down a large segment of the network in his building.

    Thus, as far as I have seen, it is all about not only having a good IT department, but having good company policies and proper enforcement to support it.

    --
    -SS "Teach the ignorant, care for the dumb, and punish the stupid."
  2. maybe if the company is ran by idiots by chillzatl · · Score: 2, Informative

    As someone who supports several large companies' networks, I've seen both kinds. Some companies just don't care. They think that network problems due to careless, idiot users are just par for the course. They will just continue to pay to have you constantly fix problems that wouldn't be problems if they fired a person or two for screwing things up. Then you have companies that set limits from the get-go. The network crew isn't there to pick up after them. In fact, they are there to tell the boss who's causing the problems. After a few people get smacked around by the boss, you'd be surprised at how quickly clueless users become caring, semi-responsible users. The only downside is that they call a lot more often asking ridiculous questions. But I guess it's better than the alternative.

  3. Only if they are hosting UT2K servers by hawks5999 · · Score: 2, Informative

    I have to say, I've been in more than a few IT departments that use their position and their management's ignorance to host everything from game servers to MP3 servers. Ordinary users can't even think of attempting these activities. It's great to be in IT!!! :D

  4. Re:If your supposed to keep the printer running by mungtor · · Score: 2, Informative

    Utility grade computing is easy as hell if you have the money for it. Who are you kidding?

    It's when you get the IT department squeezed into leasing crap copier/printers (for example) that the infrastructure starts to degrade. And you can only have 1, because 2 is a waste compared to flying sales-douches all over the country to wine and dine people who won't buy anything anyway. And suddenly all the execs need $5k Vaio laptops so they look good at meetings, but IT can't get $2000/year to send the backup tapes to offsite storage.

    All that said, utility grade users would still be great compared to most of them.

  5. Re:Windows Only policy is a problem by stor · · Score: 3, Informative

    I won't rehash the reasons why Linux isn't ready for the desktop.

    It depends on the business.

    I used to work for an ISP that utilised XTerminals w/4M Ram for all departments, including customer service. The apps ran on FreeBSD.

    It was a DE of: fvwm (although I ended up moving to olvwm), exmh and Netscape.

    Sure, it wasn't the prettiest thing in the world and it's not appropriate under all conditions, but for the role we had it doing it was fine. No-one complained: they could do their work.

    One of the great things was these machines had no hard drive. That alone reduced maintenance costs significantly and when a machine crashed you could reboot with almost reckless abandon.

    The XTerminals-with-centralised-server setup is a great demonstration of the elegance and manageability of X and Unix. Having all client data and applications on one server that can be scanned for viruses, backed up, etc. is wonderful. Being able to roll out (or roll back) new versions of applications to all clients by changing one symlink is powerful.

    I know you can do similar things with Citrix but I only really hear horror stories about that product and it costs more than most businesses can afford. MS Terminal Services is pretty good but it still feels like an add-on product/hack like VNC rather than a network-transparent desktop environment.

    Cheers
    Stor

    --
    "Yeah well there's a lot of stuff that should be, but isn't"
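The one-symlink rollout and rollback that stor describes, as an added shell example (not code from the original post or the ISP): releases live under a versioned `releases/` tree and every client resolves the application through a single `current` link, so switching the link switches every client at once. The `APPROOT` path, the `releases/<version>` layout and the tiny stand-in `app` script are constructed for the example; a scratch directory stands in for the shared server filesystem.

```shell
#!/bin/sh
# Constructed example: versioned releases under $APPROOT/releases/<version>,
# with $APPROOT/current a symlink that every client resolves on launch.
set -eu

# Assumption: a scratch dir stands in for the centrally served application tree.
APPROOT="${APPROOT:-$(mktemp -d)}"

# publish_release VERSION: stage a release directory with a stand-in binary.
publish_release() {
    version="$1"
    dir="$APPROOT/releases/$version"
    mkdir -p "$dir/bin"
    printf '#!/bin/sh\necho "app %s"\n' "$version" > "$dir/bin/app"
    chmod 0755 "$dir/bin/app"
}

# activate_release VERSION: repoint "current" at a staged release.
# Refuses versions that were never published, so a typo cannot leave clients
# pointing at a dangling link.
activate_release() {
    version="$1"
    [ -d "$APPROOT/releases/$version" ] || { echo "no such release: $version" >&2; return 1; }
    # -n: treat an existing "current" symlink as the thing to replace rather than
    # descending into the old release directory. The link target is relative, so
    # the whole tree can be exported or copied elsewhere and still resolve.
    ln -sfn "releases/$version" "$APPROOT/current"
}

# rollback_to VERSION: a rollback is the same link change in the other direction.
rollback_to() { activate_release "$1"; }

# current_release: the version clients resolve right now, read from the link.
current_release() {
    basename "$(readlink "$APPROOT/current")"
}

# Stand-alone run: stage two versions, roll forward, then roll back.
publish_release 1.0
publish_release 1.1
activate_release 1.0
activate_release 1.1
"$APPROOT/current/bin/app"      # every client now runs 1.1
rollback_to 1.0
"$APPROOT/current/bin/app"      # and is back on 1.0 with one link change
```

Because `ln -sfn` unlinks and recreates the link, a client launching in that instant could miss; where that matters, create a temporary link and rename it over `current` so the swap is a single rename(2).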
  6. Re:Different Interpretation by QuestorTapes · · Score: 4, Informative

    > You are not there to "grant" the privilege of computing. You are there to "support" it.

    Good point, although you stated it more bluntly than I would have.

    > The people who do the actual work of the company are the ones who bring the money in.

    True, although sometimes this is the IT staff.

    > So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.

    The management at most firms I know would not agree with this. It's not enough to harden the network. Users who open risky attachments can lose data from their local drives which is difficult or impossible to replace. Even if the network prevents infection, a great deal of damage can still be done.

    I feel that IT support and IT security decision making need to be separate functions. Support people are not the right ones to restrict the actions of the staff, but sometimes it is necessary to do so. And sometimes the people who need to be restricted are the IT support staff.

  7. Re:Windows Only policy is a problem by stor · · Score: 2, Informative

    > Everybody used FreeBSD and Xterms? What accounting package did your finance team use?

    Good point. We had an MIS department that produced reports in Perl. They were on Xterminals too.

    Sales and Marketing were in a completely different office (in another suburb) and they probably used Windows but I don't know, sorry.

    The ISP was a manufacturer of XTerminals before becoming an ISP, hence the Unix-centric focus and plenty of spare XTerminals.

    I'm sure there must have been a Windows box with Quicken somewhere though. There always is, even if just for payroll... that's why I think you're right in pulling me up on it.

    As I stated in my previous post, this setup isn't appropriate under *all* conditions. I can't see a graphic design firm or advertising agency taking on this sort of setup any time soon, for instance. My point is that this setup is very workable under a very good number of conditions, more than people think apparently.

    Cheers
    Stor

    --
    "Yeah well there's a lot of stuff that should be, but isn't"