Slashdot Mirror
IT Departments Are A Security Risk
stlhawkeye writes "An article at Information Week asks the question - is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article,'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"
This is the same reasoning we used to use in high school when we'd drop our wrappers on the floor, spill soda and walk away...they get paid to clean it up, we're doing them a FAVOR by ensuring their job security.
The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.
I see... just as the Fire Department is a fire risk, hospitals increase reckless activity, having a police force causes crime, etc.
How brilliant the author of this article must be to draw such an unusual conclusion!
Why Home users get into so much trouble. I don't think it's because they feel they can ignore security due to the existance of an IT department to clean up their mess, I feel it's because they try to think of this technology like any other technology, a blackbox that you push a few buttons and turn a few dials, something that is completely harmless.
Our company has consequences for stupid user action, up to and including employment termination, so uers are "motivated" to learn the dangers that might confront them and how to avoid them.
I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.
It is plain and simple arrogance. From trash talking users to mocking auditors I see it all. Best yet is all the work done to keep users from doing something bad is amazingly and commoningly thwarted on the machines of the same IT staff.
In charge of security administation, most likely to bend the rules too.
Yeah there are good IT departments and I am not say where I work doesn't have a good one. Parts are very good but it isn't hard to find rules bent somewhere at any one time. If not for someone whose title begins with a "C" then its for someone in favor.
It doesn't help when you have so many different system types that you cannot find a single auditing company capable of covering them all. Of course it doesn't help when you don't take advantage of the opportunity SOX did provide and instead keep business as usual, just documented.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Any time a groups gets into the role of over-functioning for another, the other group starts to under-function. This isn't limited to IT and corporations. It would explain, among other things, why the poorest and most dependent folks in NO, were not more proactive with their own future in that disaster, instead waiting on the Government and charities to over-function for them. That choice was much more risky for them than just getting out of town earlier like many others decided to do on their own.
------ Michael A. Romig
But I think someone just need to point out that STUPID people are a security risk everywhere they are present.
Don't take life so seriously. No one makes it out alive.
What color is the sky on your planet?
I won't rehash the reasons why Linux isn't ready for the desktop.
Migrating to an all Apple strategy would hurt the bottom line as the hw is more expensive and there are a limited amount of biz apps that run on them, necessitataing the need for a big virtulization project on top of the new hw.
Yes, Windows has a whole heap of shortcomings and everybody loves to hate it. For the corporate world's desktops, its the only game in town.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
> I read the summary as if IT Department itself is a security risk
Your instincts are right. The article underrepresents this idea. An unchecked IT staff is the single greatest security risk a company typically has. Admins who don't check backups, who are not beholden to SLAs, who see themselves as excepted from policy, who are not externally required to maintain security, or who make cavalier changes are much worse than all but the most malevolent/careless users.
User education is a good idea, but it's still largely up to IT. That's our job, because we are in the best position to do it. If we don't at the very least prominently publish a policy and make it accessible (to a reasonable degree), we can't very well expect the user to intuit and follow it.
The whole concentration cubicle/punitive response idea is just stupid (it's unethical and it wouldn't work), but your other points are good.
Education and consequences.
Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don't understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company's information security. That doesn't necessarily include end users.
My personal philosophy is that end-users should be punished severely for security breaches. Sure the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behaviour, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employement, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in awhile someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.
This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably sacked. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.
Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don't take Information Security seriously, and until they do the rank-and-file won't either.
Education alone is not going to do it. Education that is reinforced with consequences will.
At first I was going to post a comment that maybe workers are to busy to worry about security so they leave it to IT to fix problems, but I thought about it and came to the conclusion if somone really is too busy then they won't have time for SPAM type email or for surfing.
So, I thought about it some more and came to the conclusion that it may simply be because of laziness. I work in a group of 12 programmers, 6 of which are either naturally tech savy or keep up with tech. These people have no issues with viruses and stuff like that. The others, the programmers who have been programming the same programming language, in the same industry, in the same one or two programs for 10+ years(granted there are some programmers with 10+ experiance and are not like this but most of them are) haven't read a technical book or done anything but the absolute bare mininum to get by for years and years. If 50% of programmers who SHOULD know better are too lazy to know exactly what they are doing when they are at a computer, what hope do IT departments have with people who think that there job is strictly whatever (accounting, being a doctor, being a pharmacist, etc) and the computers are for IT/Geeks. Too many people do not take pride in everything they do. They are content with being good enough. They are Lazy.
The problem is that the behavioral culture at work is exactly the same as it is everywhere else. People can't stand hardship, complexity, accountability, or even just the discomfort that comes from having to think for a moment. It shows up in how they drive, how they bank, how they prepare for bad weather, how they marry, how they study for exams, and how they surf. And to the extent that the largess of our economy allows for it to keep happening, it just keeps happening.
The crazy thing is that most of the reasons I've seen for stupid-IT-end-users getting the axe (the ultimate behavior modification) have nothing to do with their poor security-related behavior, but rather for the things they've done that might offend someone. You know:
"Well, of course we'll reset your cracked password again. But when you get back to the field office, be sure to tell Bob that he's probably going to lose his job over that whole Carmen Electra desktop wallpaper thing."
Don't disappoint your bird dog. Go to the range.
Not only are IT Departments a serious security risk for both the reasons that they give a false sense of security to the end user and that a simple mistake on thier side can have grave consequences. They are also mostly around in an attempt at securing thier own jobs.
It seems to me that 90% of all desktop maintenance could be performed by an informed end user. Instead IT locks down everyones computers and forces the end user to submit a request for help to do the most simple mundane things. These inlcude things like oh I don't know, installing the latest version of Java, Defraging your own hard drive, or changing the power management settings on your laptop. This is so demeaning to the end user that most give up and go with the flow. That is they see education in computers as useless since they can just pick up the phone and ask IT. So the very tactic that IT uses to secure thier jobs ensures that most end users are totally computer illiterate and therefore creates a serious security problem.
The IT department is a risk, the same as the accounting department, or the managers, or any other department is a risk. In order to accomplish anything, people have to have enough authority to do their job, and that authority comes with a risk. That's why you hire competant professionals and you put procedures in place. That's also why you need to enforce procedures, as much as everyone hates it. Remember the accountant that bought way too much stock?
It gets worse, though. Try working at a company who doesn't have a competant IT manager, but who won't give any authority to the competant IT people, because they are afraid of what they would do with it. You get a situation where if the IT people really don't have ethics (as the management seems to think), then they can get through the security easily because it isn't done right (as can anyone else at the company). You have to take some calculated risks, and they get harder in areas where you can't evaluate the risks personally.
On the other side of things, people do not do any better about protecting their computer if they don't have IT protecting them. Most people don't know any more about computer security than they do about fruitfly morphology, so they can't try harder when they don't have a safety net. Maybe the IT department should do some 'Internet Safety' training as part of their job, but not necessarily as harshly as you suggest.
I agree with the concept of "punishing" repeat offenders, but I doubt you'll get much support from department managers with your idea of issuing them a crappy machine. I would imagine you'd get more traction with department managers by informing them their employee has repeatedly subjected the company's sensitive data to risk, and should future incidents occur, this would be grounds for disciplinary action (up to and including termination). This of course depends on your company having established security policies - which are a pain in the neck to write, but worth it in the long run.
I've worked at companies where this has been effective, both for employees who were willfully irresponsible (repeatedly installing weatherbug, etc.), and those who were so unskilled as to be a complete nuisance to IT (calling every day with a question like "How do I print from Word again?").
-- -R
Wow. With your comment you sum up the real problem with IT depts. You assume you are even on the same level of importance with those you serve, let alone superior.
You are not there to "grant" the privledge of computing. You are there to "support" it. The people who do the actual work of the company are the ones who bring the money in. So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.
Mac OS X and Windows XP working side by side to fight back the night.
At the moment I work at a fisheries in the country. I'm the only SA within 50 miles of here. I can't afford to be stuck up like I used to be, because I'd be the only one here that thinks I'm more important. I understand I'm not, and it makes people much easier to get along with.
Yes, it would negatively impact productivity in the short term, but in the long term, one of two things would happen: Either the "repeat offenders" would change their behavior, or their productivity would be reduced to the point where they became redundant.
Of course, this is in the fantasy world where IT workers are actually allowed to do their jobs (keeping the computers running smoothly and enhancing profitability for the company by improving efficiency), and where anyone in management can see beyond this quarter.
Never underestimate the power of stupid people in large groups.
I've worked in IT quite a long time, and I daily see scenarios where the non-computerized version of whatever task I'm doing was much more efficient and intelligent than the computerized "modern" version.
Case in point - labeling a package for shipping. If you can learn to print letters reasonably, this task takes about 10 seconds.
I currently have to dig ten web pages deep into a PeopleSoft application at my employer to even create a mailing label for an RMA, and the application doesn't even have the correct address for my customer's locations in it. I have to click "Override" and put in the shipping address manually because the customer has separate billing and shipping addresses.
Then since there's been no attempt at integration to our separate trouble ticketing system, I have to enter all that information again into another database.
Ultimately, it takes about 1/2 hour to create an RMA in our computerized systems.
In contrast, it takes about 10 seconds to write a mailing label and another 3 minutes to walk to the inventory cage, check off an inventory sheet by hand when removing product and hand it to the guy who packages stuff... if we could do that.
At some divisions of the company, I'm sure automated database driven ordering for just-in-time arrival of parts and things is helpful, but our division makes things that have to be put together long in advance and kept in stock. There's virtually no benefit to real-time asset tracking - no manager above our division level is looking at real-time numbers anyway. They're lucky if they look at the inventory numbers monthly. Thus, a monthly typed-up report in a spreadsheet would be just as effective as a multi-hundred-thousand dollar real-time system that wastes employees time to the tune of about a 10:1 ratio against a pen and company logo mailing label sticker.
Seriously, the world needs to look more carefully at some of our computerized processes and see if they're really as good as we think they are.
There are cases where a blank piece of paper, a pen, and a filing cabinet with a decent organization scheme would be faster -- but we want "computerized" because it's supposedly better.
+++OK ATH
OK, so that may not be a good example, but I'm sure there are others. If the data is "computerised", it should be easier to sort and sift and graph than if it's on paper.
And it sounds like your Peoplesoft app sucks - it ought to be able to handle multiple addresses and you shouldn't have to dig through 10 pages to get there.