Slashdot Mirror


IT Departments Are A Security Risk

stlhawkeye writes "An article at Information Week asks the question - is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"

36 of 282 comments

  1. High school janitors by uits · · Score: 3, Insightful

    This is the same reasoning we used to use in high school when we'd drop our wrappers on the floor, spill soda and walk away...they get paid to clean it up, we're doing them a FAVOR by ensuring their job security.

    1. Re:High school janitors by mrchaotica · · Score: 2, Insightful

      You know, generally speaking fast-food employees don't pick up trash in the parking lot, unless it gets really bad. What you're actually doing is letting the next rain wash the litter into the nearest creek. In other words, you're a littering asshole.

      If you must do something like that, at least leave the trash inside on your table so that the employees are certain to dispose of it properly.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  2. Ah yes, by Anonymous Coward · · Score: 3, Insightful

    The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

    I see... just as the Fire Department is a fire risk, hospitals increase reckless activity, having a police force causes crime, etc.

    How brilliant the author of this article must be to draw such an unusual conclusion!

  3. This wouldn't explain ... by subsoniq · · Score: 5, Insightful

    Why home users get into so much trouble. I don't think it's because they feel they can ignore security due to the existence of an IT department to clean up their mess, I feel it's because they try to think of this technology like any other technology, a black box that you push a few buttons and turn a few dials, something that is completely harmless.

    Our company has consequences for stupid user action, up to and including employment termination, so users are "motivated" to learn the dangers that might confront them and how to avoid them.

  4. IT departments are dangerous if arrogant by Shivetya · · Score: 4, Insightful

    I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.

    It is plain and simple arrogance. From trash talking users to mocking auditors I see it all. Best yet is all the work done to keep users from doing something bad is amazingly and commonly thwarted on the machines of the same IT staff.

    In charge of security administration, most likely to bend the rules too.

    Yeah there are good IT departments and I am not saying where I work doesn't have a good one. Parts are very good but it isn't hard to find rules bent somewhere at any one time. If not for someone whose title begins with a "C" then it's for someone in favor.

    It doesn't help when you have so many different system types that you cannot find a single auditing company capable of covering them all. Of course it doesn't help when you don't take advantage of the opportunity SOX did provide and instead keep business as usual, just documented.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  5. Sounds reasonable by maromig · · Score: 4, Insightful

    Any time a group gets into the role of over-functioning for another, the other group starts to under-function. This isn't limited to IT and corporations. It would explain, among other things, why the poorest and most dependent folks in NO were not more proactive with their own future in that disaster, instead waiting on the Government and charities to over-function for them. That choice was much more risky for them than just getting out of town earlier like many others decided to do on their own.

    --
    ------ Michael A. Romig
  6. WTF? by dmccarty · · Score: 1, Insightful
    Breaking news: Guardrails are responsible for more car crashes. People feel more confident when they see a guardrail and crash into it.

    Uh, is this article serious? Do employees throw their trash all over because there's a janitorial staff to clean it up? Does it mean that companies don't need anyone to clean up?

    I doubt it.

    --
    Have fun: Join D.N.A. (National Dyslexics Association)
  7. This has nothing to do with the parent by jim_v2000 · · Score: 4, Insightful

    But I think someone just needs to point out that STUPID people are a security risk everywhere they are present.

    --
    Don't take life so seriously. No one makes it out alive.
  8. Re:Windows Only policy is a problem by winkydink · · Score: 3, Insightful

    What color is the sky on your planet?

    I won't rehash the reasons why Linux isn't ready for the desktop.

    Migrating to an all Apple strategy would hurt the bottom line as the hw is more expensive and there are a limited number of biz apps that run on them, necessitating a big virtualization project on top of the new hw.

    Yes, Windows has a whole heap of shortcomings and everybody loves to hate it. For the corporate world's desktops, it's the only game in town.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  9. Re:Solution in three easy steps: by Anonymous Coward · · Score: 1, Insightful

    Where I work, we have one huge IT department. But a lot of smaller departments opt to spend some of their money on IT guys who work only for them so they don't have to deal with the big IT nazis. Of course the big IT dept hates it.

    I think this is really the way to go. A small IT department that handles the major stuff as needed, and having an IT guy or two actually inside each of the subdivisions of the company.

    For us this has worked extremely well. The main IT department is not inundated with petty requests, and the department doesn't have to put in work orders for viruses that'll get filled like two weeks later (after they nix that department's network and internet access - true story!).

  10. Re:Different Interpretation by wwest4 · · Score: 4, Insightful

    > I read the summary as if IT Department itself is a security risk

    Your instincts are right. The article underrepresents this idea. An unchecked IT staff is the single greatest security risk a company typically has. Admins who don't check backups, who are not beholden to SLAs, who see themselves as excepted from policy, who are not externally required to maintain security, or who make cavalier changes are much worse than all but the most malevolent/careless users.

    User education is a good idea, but it's still largely up to IT. That's our job, because we are in the best position to do it. If we don't at the very least prominently publish a policy and make it accessible (to a reasonable degree), we can't very well expect the user to intuit and follow it.

    The whole concentration cubicle/punitive response idea is just stupid (it's unethical and it wouldn't work), but your other points are good.

  11. Only one way to fix it: by Anonymous Coward · · Score: 4, Insightful

    Education and consequences.

    Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don't understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company's information security. That doesn't necessarily include end users.

    My personal philosophy is that end-users should be punished severely for security breaches. Sure the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behaviour, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in a while someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.

    This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably sacked. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.

    Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don't take Information Security seriously, and until they do the rank-and-file won't either.

    Education alone is not going to do it. Education that is reinforced with consequences will.

  12. Laziness by Nuttles1 · · Score: 4, Insightful

    At first I was going to post a comment that maybe workers are too busy to worry about security so they leave it to IT to fix problems, but I thought about it and came to the conclusion if someone really is too busy then they won't have time for SPAM type email or for surfing.

    So, I thought about it some more and came to the conclusion that it may simply be because of laziness. I work in a group of 12 programmers, 6 of which are either naturally tech savvy or keep up with tech. These people have no issues with viruses and stuff like that. The others, the programmers who have been programming the same programming language, in the same industry, in the same one or two programs for 10+ years (granted there are some programmers with 10+ years experience who are not like this but most of them are) haven't read a technical book or done anything but the absolute bare minimum to get by for years and years. If 50% of programmers who SHOULD know better are too lazy to know exactly what they are doing when they are at a computer, what hope do IT departments have with people who think that their job is strictly whatever (accounting, being a doctor, being a pharmacist, etc) and the computers are for IT/Geeks. Too many people do not take pride in everything they do. They are content with being good enough. They are Lazy.

  13. Personal Accountability Is Just No Longer Stylish by ScentCone · · Score: 3, Insightful

    The problem is that the behavioral culture at work is exactly the same as it is everywhere else. People can't stand hardship, complexity, accountability, or even just the discomfort that comes from having to think for a moment. It shows up in how they drive, how they bank, how they prepare for bad weather, how they marry, how they study for exams, and how they surf. And to the extent that the largess of our economy allows for it to keep happening, it just keeps happening.

    The crazy thing is that most of the reasons I've seen for stupid-IT-end-users getting the axe (the ultimate behavior modification) have nothing to do with their poor security-related behavior, but rather for the things they've done that might offend someone. You know:

    "Well, of course we'll reset your cracked password again. But when you get back to the field office, be sure to tell Bob that he's probably going to lose his job over that whole Carmen Electra desktop wallpaper thing."

    --
    Don't disappoint your bird dog. Go to the range.
  14. One problem with your fix... by pentalive · · Score: 2, Insightful

    AC says: "My personal philosophy is that end-users should be punished severely for security breaches. "

    I have found, working in various IT departments, that if your users know they will get whacked for having caught a virus, they will never report the virus until it is hurting them worse than IT will. In that case, the virus has spread through other machines and the mess is bigger to clean up.

  15. Re:If your supposed to keep the printer running by networkBoy · · Score: 2, Insightful

    Failures of the environment should be about as common as power failures.

    Except:
    Users load the wrong paper in the wrong tray, mix up the color stix in the Phaser, etc. To be sure you could hire extra heads to do these things proactively, but you don't have the budget for that. If you rely on the users to notify you then you are back where you started. Usually the users who think they know what they are doing are the ones who don't and fsck it up.

    In the case of the power line, the system protects itself from the stupid people (or at least ensures they only try once).
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  16. IT Departments securing their own jobs by Bryansix · · Score: 3, Insightful

    Not only are IT Departments a serious security risk for both the reasons that they give a false sense of security to the end user and that a simple mistake on their side can have grave consequences. They are also mostly around in an attempt at securing their own jobs.

    It seems to me that 90% of all desktop maintenance could be performed by an informed end user. Instead IT locks down everyone's computers and forces the end user to submit a request for help to do the most simple mundane things. These include things like oh I don't know, installing the latest version of Java, defragging your own hard drive, or changing the power management settings on your laptop. This is so demeaning to the end user that most give up and go with the flow. That is they see education in computers as useless since they can just pick up the phone and ask IT. So the very tactic that IT uses to secure their jobs ensures that most end users are totally computer illiterate and therefore creates a serious security problem.

    1. Re:IT Departments securing their own jobs by VoiceOfDarkness · · Score: 4, Insightful

      90% of maintenance could be done by users but 90% of it would never get done because the average user could care less about system maintenance. Most IT staff are not trying to create job security by locking users out of doing things they are capable of. Most of us are trying to save our jobs by preventing users from horking the rest of the enterprise.

      Anyone who has ever had to lock down a Windows system to prevent malicious behaviour knows it isn't easy. Until XP you had to be full administrator just to renew your IP address. You still have to be full admin to run a defrag. 99% of users should never even have power user rights - not to mention admin rights - because they do not understand the consequences of their actions.

      Many of us spend days on end tweaking registry settings, file permissions and security policies to make the good stuff work seamlessly for (ungrateful) end users while blocking as much of the bad stuff as possible. Our reward? Being bashed at every opportunity because a user couldn't load the latest version of Flash when he surfed to Jib-Jab.

  17. Re:Different Interpretation by Anonymous Coward · · Score: 3, Insightful

    The IT department is a risk, the same as the accounting department, or the managers, or any other department is a risk. In order to accomplish anything, people have to have enough authority to do their job, and that authority comes with a risk. That's why you hire competent professionals and you put procedures in place. That's also why you need to enforce procedures, as much as everyone hates it. Remember the accountant that bought way too much stock?

    It gets worse, though. Try working at a company who doesn't have a competent IT manager, but who won't give any authority to the competent IT people, because they are afraid of what they would do with it. You get a situation where if the IT people really don't have ethics (as the management seems to think), then they can get through the security easily because it isn't done right (as can anyone else at the company). You have to take some calculated risks, and they get harder in areas where you can't evaluate the risks personally.

    On the other side of things, people do not do any better about protecting their computer if they don't have IT protecting them. Most people don't know any more about computer security than they do about fruitfly morphology, so they can't try harder when they don't have a safety net. Maybe the IT department should do some 'Internet Safety' training as part of their job, but not necessarily as harshly as you suggest.

  18. Re:Hot potato by Fulcrum+of+Evil · · Score: 2, Insightful

    Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"

    Sure boss, I fixed the printer. It took 15 minutes because I had to go downstairs to get more toner. Bob missed the pickup, but oddly enough, wasn't around to trot the package down to the FedEx shop that was open until 6.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  19. Re:Different Interpretation by XunilOS · · Score: 3, Insightful

    I agree with the concept of "punishing" repeat offenders, but I doubt you'll get much support from department managers with your idea of issuing them a crappy machine. I would imagine you'd get more traction with department managers by informing them their employee has repeatedly subjected the company's sensitive data to risk, and should future incidents occur, this would be grounds for disciplinary action (up to and including termination). This of course depends on your company having established security policies - which are a pain in the neck to write, but worth it in the long run.

    I've worked at companies where this has been effective, both for employees who were willfully irresponsible (repeatedly installing weatherbug, etc.), and those who were so unskilled as to be a complete nuisance to IT (calling every day with a question like "How do I print from Word again?").

    --
    -- -R
  20. Same thesis, different department by soft_guy · · Score: 2, Insightful

    It is like saying that having a QA department lowers your quality. Sometimes true. Sometimes not.

    --
    Avoid Missing Ball for High Score
  21. I agree by schoolisdeath · · Score: 2, Insightful

    On your arrogance comment. I was on the IT side of things for around 8 years in 4 different places (including a university) where I was, or was a part of, the IT department. We all did things that we would have reimaged a user's computer for. On a daily basis. With one of my co-workers at the univ., I legitimately reimaged (it had died from misuse) more times than any user. Wow.

    Now I'm IT Audit at a Big 4 firm... and I see that the IT departments I worked at were actually good. I hear a lot of the arrogance of which you speak. Not to brag or anything, but even the newbies over here are incredibly intelligent and, generally speaking, know more than the senior VPs, CIOs, IT directors, etc. combined.

    I think the arrogance is a defense mechanism in most cases for having, in ascending order: a) a crappy job, i) crappy mgmt, ii) crappy IT security policies; b) crappy attitude; c) lack of knowledge. That's my $.02. But most IT people are better, now that I deal almost exclusively with Fortune 500 people. Which should be the opposite if arrogance is a result of actual knowledge or success, as many people think.

    btw, I think all the Big 4 have enough expertise and experience to audit all your systems, but I may be wrong.

    --
    my username has a long history, don't asque

  22. Re:Different Interpretation by Danger+Stevens · · Score: 2, Insightful

    For example, if a user clicked on an obvious suspicious link (spoofed by yours truly IT Department of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".

    Yeah, nothing helps employee morale quite like feeling as though they're in a Dilbert comic strip.

    Can you imagine having a friend come home from work and describing to you that they've been put at the 'Concentration Cubicle' for a week and their productivity is going to nearly disappear just because management felt they deserved being treated like a 3-year-old?

    I'd quit if that happened to me. Of course, I run firefox on Linux, but it'd still piss me off.

    --
    World Changing - News for Humans, Stuff about our planet
  23. Related to eye-tee powertripping by Anonymous Coward · · Score: 1, Insightful
    If a user who used to be trusted and expected to know how to avoid problems is suddenly placed in lockdown, what motivation does she have to mitigate the threat? Why would she spend her time trying to protect the heavy-handed network Nazis?

    ~~~

  24. Re:Different Interpretation by NDPTAL85 · · Score: 5, Insightful

    Wow. With your comment you sum up the real problem with IT depts. You assume you are even on the same level of importance with those you serve, let alone superior.

    You are not there to "grant" the privilege of computing. You are there to "support" it. The people who do the actual work of the company are the ones who bring the money in. So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  25. IT needs more balls by VoiceOfDarkness · · Score: 2, Insightful

    Both sides of this debate are correct. Simply having protection does not create the behaviour you are trying to protect against. BUT, users will get lazy and complacent the more they are coddled. The lazier and more complacent they become the louder they whine and complain. Management looks at the situation and decides IT needs to do more with le$$. It's a downward spiral from there.

    We can't rely on acceptable use policies with no teeth. And we can't expect C-level executives to make the rules and enforce them. At the risk of being flamed into oblivion let me say, IT needs to grow a pair and lay down the law.

    We need to take a long hard look at the business and figure out what THEIR pain is if the users screw up. You can talk about spyware and anti-virus until you're blue in the face and most non-techies will just glaze over. But, when you tell a sales exec that a "million dollar proposal" could be delayed by several hours because his numb-nut sales reps are infested with spam-bots, ears perk up - FAST.

    As painful as it may be, we have to think outside the tech realm. We have to understand what the business thinks is important and play off that. Once you start putting dollar values on consequences - in terms the business can understand - funding and policies with teeth are right around the corner. Or, we can sit and whine like users.

    Before anyone says I must be management or an MBA weener let me say Wrong. I've fought this battle for years from the help desk all the way up to network engineering. The only way to stop the madness is to think about it from the business' perspective and put the costs in terms they can understand.

  26. Re:Different Interpretation by dotgain · · Score: 3, Insightful
    While you're going to get modslapped for that as I have in the past, I'm putting my karma on the line to say I agree with you, and until most SysAdmins get this into their skull, IT folk will continue to be snubbed.

    At the moment I work at a fishery in the country. I'm the only SA within 50 miles of here. I can't afford to be stuck up like I used to be, because I'd be the only one here that thinks I'm more important. I understand I'm not, and it makes people much easier to get along with.

  27. It's the other way around by Gary+Destruction · · Score: 2, Insightful

    It's not the IT department that's the problem. It's the higher ranking people that whine because their workstations lock after five minutes or because they have to enter their user name in after logging off or rebooting. But those people are so important that if they whine enough, they end up getting their way. Those are also the people that bitch because someone messed with their computer while they were away.

  28. Re:Different Interpretation by BVis · · Score: 4, Insightful
    What company would go for the idea of willfully lowering productivity?
    What company would stand for allowing their employees to waste company time and resources on Weatherbug and porn and warez?

    Yes, it would negatively impact productivity in the short term, but in the long term, one of two things would happen: Either the "repeat offenders" would change their behavior, or their productivity would be reduced to the point where they became redundant.

    Of course, this is in the fantasy world where IT workers are actually allowed to do their jobs (keeping the computers running smoothly and enhancing profitability for the company by improving efficiency), and where anyone in management can see beyond this quarter.
    --
    Never underestimate the power of stupid people in large groups.
  29. Logic? by OBeardedOne · · Score: 2, Insightful

    Quick! Get rid of the hospitals, they are making us sick!

  30. Re:Different Interpretation by NateTech · · Score: 3, Insightful

    I've worked in IT quite a long time, and I daily see scenarios where the non-computerized version of whatever task I'm doing was much more efficient and intelligent than the computerized "modern" version.

    Case in point - labeling a package for shipping. If you can learn to print letters reasonably, this task takes about 10 seconds.

    I currently have to dig ten web pages deep into a PeopleSoft application at my employer to even create a mailing label for an RMA, and the application doesn't even have the correct address for my customer's locations in it. I have to click "Override" and put in the shipping address manually because the customer has separate billing and shipping addresses.

    Then since there's been no attempt at integration to our separate trouble ticketing system, I have to enter all that information again into another database.

    Ultimately, it takes about 1/2 hour to create an RMA in our computerized systems.

    In contrast, it takes about 10 seconds to write a mailing label and another 3 minutes to walk to the inventory cage, check off an inventory sheet by hand when removing product and hand it to the guy who packages stuff... if we could do that.

    At some divisions of the company, I'm sure automated database driven ordering for just-in-time arrival of parts and things is helpful, but our division makes things that have to be put together long in advance and kept in stock. There's virtually no benefit to real-time asset tracking - no manager above our division level is looking at real-time numbers anyway. They're lucky if they look at the inventory numbers monthly. Thus, a monthly typed-up report in a spreadsheet would be just as effective as a multi-hundred-thousand dollar real-time system that wastes employees time to the tune of about a 10:1 ratio against a pen and company logo mailing label sticker.

    Seriously, the world needs to look more carefully at some of our computerized processes and see if they're really as good as we think they are.

    There are cases where a blank piece of paper, a pen, and a filing cabinet with a decent organization scheme would be faster -- but we want "computerized" because it's supposedly better.

    --
    +++OK ATH
  31. Re:Different Interpretation by Anonymous Coward · · Score: 1, Insightful

    So you think IT is beneath every other dept? Ok, who's got the superior-than-thou attitude now? Take yourself down a notch there, fella. So who brings in the money? Is it marketing? Is it support? Is it management? Guess what? Almost every department is there to support another. That's how a company works. But I wouldn't expect you to understand that with the ego you have.

    Sometimes, IT *IS* the company and that's what brings the money in.

    You sound like a clueless user who got bitch-slapped and is trying to defend your carefree attitude. "I should be able to open anything I want! I should not be held accountable for my actions! It's the IT department's fault, not MINE!!" Christ, take some responsibility for a change.

  32. Re:Different Interpretation by surprise_audit · · Score: 3, Insightful
    One thing "computerised" ought (yeah, I know...) to get you is trackability. In your RMA situation, if management wants to they should be able to create reports that show which supplier gets the most returns, which could lead to a change of suppliers. Or whether there is a seasonal variation in the numbers, or whatever.

    OK, so that may not be a good example, but I'm sure there are others. If the data is "computerised", it should be easier to sort and sift and graph than if it's on paper.

    And it sounds like your Peoplesoft app sucks - it ought to be able to handle multiple addresses and you shouldn't have to dig through 10 pages to get there.

  33. Re:Different Interpretation by Alioth · · Score: 2, Insightful
    In supporting computing, you have to make sure the computing environment is going to work for a company. This means the IT department DOES need to implement some kind of control - allowing everyone to download and install anything they like is NOT supporting computing, it'll end up destroying productivity (through the machines getting pwned). To effectively support business computing needs, you also have to inject some realism into the sometimes bizarre requests of staff. Yes - you *must* accommodate them in furthering the business through their computing assets - but that is NOT done by just letting anything go.

    I found a book on the mezzanine level just outside our server room the other day.

    "Businessman's Guide to Microcomputers" - by Deloitte Haskins + Sells (an accountancy firm). This book was printed in 1984. First edition 1982. It says this at the end in the section "Common first-time buyer pitfalls":

    "We've got a lot of problems, but we're getting a computer"
    This buyer is asking for trouble...there is a new "old adage": "Don't computerise a mess...clean it up first". It is important to understand that a computer can't help you to do things you don't understand, and it won't make decisions for you. All it does is process a lot of information very quickly...exactly as it is told to do it. To be of any real use, a computer requires a disciplined approach and an organized mind.

    This lesson from 21 years ago *still hasn't been learned* in many quarters (even some IT departments don't appear to understand this). Allow users of the corporate network to do whatever they want with liberal abandon, and...well...the entire business pays the consequences later.
  34. Re:Different Interpretation by tbannist · · Score: 2, Insightful

    That's smart, fire the arrogant guys who work for you, and hire the even more arrogant guys to work for you on contract.

    Everything I've ever seen or heard has suggested that outsourcing IT departments is one of the dumbest moves any company can make. You simply cannot afford to make your company entirely dependent on another company.

    --
    Fanatically anti-fanatical