IT Departments Are A Security Risk
stlhawkeye writes "An article at Information Week asks the question: is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"
I worked as a contractor to a large soft drink company some years back, and their corporate culture made it hard to fire most employees. However, they took improper computer / network use seriously and included it in their corporate code of conduct. Violating the CoC was about the only way you as an employee there could get fired, and they followed it. They even had security walk an upper management person out the door the day his little escapades took down a large segment of the network in his building.
Thus, as far as I have seen, it is all about not only having a good IT department, but having good company policies and proper enforcement to support it.
-SS "Teach the ignorant, care for the dumb, and punish the stupid."
I won't rehash the reasons why Linux isn't ready for the desktop.
It depends on the business.
I used to work for an ISP that utilised XTerminals with 4M RAM for all departments, including customer service. The apps ran on FreeBSD.
It was a DE of: fvwm (although I ended up moving to olvwm), exmh and Netscape.
Sure, it wasn't the prettiest thing in the world, and it's not appropriate under all conditions, but for the role we had it doing it was fine. No-one complained: they could do their work.
One of the great things was these machines had no hard drive. That alone reduced maintenance costs significantly and when a machine crashed you could reboot with almost reckless abandon.
The XTerminals with centralised server setup is a great demonstration of the elegance and manageability of X and Unix. Having all client data and applications on one server that can be scanned for viruses, backed up, etc. is wonderful. Being able to roll out (or roll back) new versions of applications to all clients by changing one symlink is powerful.
I know you can do similar things with Citrix, but I only really hear horror stories about that product, and it costs more than most businesses can afford. MS Terminal Services is pretty good, but it still feels like an add-on product/hack like VNC rather than a network-transparent desktop environment.
Cheers
Stor
"Yeah well there's a lot of stuff that should be, but isn't"
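The single-symlink rollout/rollback that the post above describes, written out as an added example (this is not code from the original thread or from the ISP described). It assumes a layout of versioned directories such as netscape-1.0 and netscape-1.1 under an application root, with a "netscape" symlink that every client resolves; the directory names and the VERSION marker file are assumptions for illustration. The switch is done by creating the new link under a temporary name and renaming it over the old one, so a client that resolves the path mid-rollout never sees a missing link. The rename uses GNU mv -T, so the target link is replaced rather than descended into.

```bash
#!/bin/sh
# Added example: atomic version switch for a centrally served application.
# APPROOT and the directory layout below are assumptions for illustration.
APPROOT="${APPROOT:-$(mktemp -d)}"

# Install a version into its own directory. A real deployment would unpack
# the release here; this demo only writes a VERSION marker file.
install_version() {
  ver="$1"
  mkdir -p "$APPROOT/netscape-$ver/bin"
  printf '%s\n' "$ver" > "$APPROOT/netscape-$ver/bin/VERSION"
}

# Point $APPROOT/netscape at the requested version. The new link is built
# under a temporary name and then renamed over the old one; rename(2) is
# atomic, so clients never observe an absent or half-written link.
# Rolling back is the same call with the previous version number.
activate_version() {
  ver="$1"
  if [ ! -d "$APPROOT/netscape-$ver" ]; then
    echo "activate_version: no such version: $ver" >&2
    return 1
  fi
  tmp="$APPROOT/.netscape.tmp.$$"
  rm -f "$tmp"
  ln -s "netscape-$ver" "$tmp"
  # GNU mv -T: treat the destination as a file to replace, never as a
  # directory to move into (the old symlink points at a directory).
  mv -T "$tmp" "$APPROOT/netscape"
}

# Report the version the shared path currently resolves to.
current_version() {
  cat "$APPROOT/netscape/bin/VERSION"
}

# Stand-alone demo: roll out 1.0, then upgrade to 1.1.
install_version 1.0
install_version 1.1
activate_version 1.0
activate_version 1.1
echo "clients now run netscape $(current_version) from $APPROOT"
```

Because each version lives in its own directory and the link is the only thing that changes, a bad release is undone by pointing the link back at the previous directory, and the old version is still on disk to be scanned or diffed against the new one.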
> You are not there to "grant" the privilege of computing. You are there to "support" it.
Good point, although you stated it more bluntly than I would have.
> The people who do the actual work of the company are the ones who bring the money in.
True, although sometimes this is the IT staff.
> So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.
The management at most firms I know would not agree with this. It's not enough to harden the network. Users who open risky attachments can lose data from their local drives which is difficult or impossible to replace. Even if the network prevents infection, a great deal of damage can still be done.
I feel that IT support and IT security decision making need to be separate functions. Support people are not the right ones to restrict the actions of the staff, but sometimes it is necessary to do so. And sometimes the people who need to be restricted are the IT support staff.