Slashdot Mirror


IT Departments Are A Security Risk

stlhawkeye writes "An article at Information Week asks the question - is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"

22 of 282 comments

  1. Different Interpretation by fembots · · Score: 4, Interesting

    I read the summary as if the IT Department itself is a security risk, because they have the highest level of access to everything on the network, and one wee mistake, such as failure to lock an unattended admin PC, inappropriate disposal of a backup tape, a misconfigured spam filter and whatnot can easily knock out the company for at least a few hours or cause great harm.

    Having said that, it's also true that computer users protected by a competent IT Department do get spoiled, and when they're out with a laptop, they can easily be infected on a dial-up. It's like kids with over-protective parents, who will likely get hurt/scammed/killed more easily when they're alone.

    This naturally leads to the most important discussion in the article, i.e. user education. And I believe that in order to really get the message through, the IT Department needs to have some sort of security drill (like a fire drill: annoying, but everybody gets the idea after several attempts).

    For example, if a user clicked on an obviously suspicious link (spoofed by yours truly, the IT Department, of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".

    1. Re:Different Interpretation by NeoSkandranon · · Score: 2, Interesting

      Good punishment idea, but I'm not sure it'll catch on... What company would go for the idea of willfully lowering productivity?

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    2. Re:Different Interpretation by easttuth · · Score: 3, Interesting

      I, too, had a different thought about the content of this article when I read the title. My supervisor and I just had a discussion about the failings of large and cumbersome IT departments. As with most large and cumbersome organizations, they tend to perpetuate problems to maximize IT department resource requirements. For instance, when one of our internal applications gains a new feature, but consequently develops about 15 new bugs, we have to issue a ticket for correction not for the feature that is causing the problem, not even for each individual problem that has been created by the adding of said feature, but for every single instance of any bug manifesting itself on any account in the entire system. Why? Because they want to string out actually hunting down the adapters that are causing issues in the first place, and instead create a patchwork of fixes that eventually have to be refixed. It justifies their bloated existence.

    3. Re:Different Interpretation by techno-vampire · · Score: 3, Interesting

      This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle."

      I had a different idea. Each project, each department, each work group has a budget. If the costs of having IT clean up a mess that shouldn't have happened come out of that budget, people will get more careful, fast. If they don't, then the ones causing the loss of funds will get marked down on their reviews, and possibly fired for their lack of caution, and the problem goes away when they do.

      --
      Good, inexpensive web hosting
    4. Re:Different Interpretation by Pharmboy · · Score: 4, Interesting

      Personally, I think you have to have a little more respect for the IT dept. than to just say they are there to "support" IT.

      They are there to support IT as it applies to work, but not to remove spyware and viruses because employees visit porn or other inappropriate sites. Over 90% of the problems we have with computers are related to activities that are within acceptable policies, such as roaming around on the wrong kinds of sites. One of the problems is that employees see their computer as "their computer", and not as a tool for their use, but owned by the company.

      A perfect example: I get many complaints from employees that they do not have speakers on their computers. There is NO task we do that requires sound. The only possible use they could have for speakers is unauthorized uses of the computers.

      I do everything I can to ignore other uses as long as it does not cause problems. Go ahead, read news, research stocks, as long as you are smart enough to avoid problem sites. Getting 1000 spam mails a day? Likely using company email for personal reasons, and I shouldn't have to support that.

      Actions that have no consequences are often repeated. The only cure is accountability for employees who use their computers for non-business related activity.

      --
      Tequila: It's not just for breakfast anymore!
    5. Re:Different Interpretation by drdewm · · Score: 2, Interesting

      Try to do your "real work" without us. This is why there is such a backlash against IT people from the non-ITs: you know you can't work without us anymore. There was a day when IT wasn't necessary, but these days try to sell something without an EDI infrastructure or without email or PowerPoint presentations etc. You hate us because you are threatened by us. The old boys' club is threatened by those that are beyond its understanding and control. The world has changed; either get technical or get out of the way. I gotta go blog something.. I'm out!

  2. IT Department itself the danger by Sascha+J. · · Score: 2, Interesting

    It was not rare in the past that the IT guys themselves were the threat to the company.

    Quite often they served the company's bandwidth for warez exchange, as we all know... ;)

  3. Not if they're good. by DrEldarion · · Score: 3, Interesting

    The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

    This is assuming, of course, that the IT department is very lax on their users. Besides the fact that the users should be locked down to the point where irresponsible computing isn't as much of an issue, IT shouldn't be just allowing this behaviour to continue. Mindlessly cleaning things up without trying to change them is the problem, not having the department.

    If you get punched in the face every time you drop a cigarette butt on the ground, you're going to stop dropping them. The same principle should apply here. Punish the user for bad behavior, and they'll eventually stop.

    1. Re:Not if they're good. by vertinox · · Score: 2, Interesting

      Punish the user for bad behavior, and they'll eventually stop.

      That's hard to do if the user is your supervisor, upper management, or your customer. It's not like you can tell the Exec-VP of marketing "No! Don't do that!" and smack their hand when they are set on doing it and demand they be allowed to do what they want to do. The better solution is to give a good argument against it and then try to avoid getting blamed for their continued actions.

      Sucks to work for a company like that, but sometimes you have to roll with what you have.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:Not if they're good. by Anonymous Coward · · Score: 1, Interesting

      This assumes a competent IT department, which is not always the case. The article can really be summarized with "false sense of security" whether it be from an IT department, an anti-virus, anti-spyware, firewall, or whatever cure-all is supposedly established to protect.

      A competent BOFH-type would have the machines in such a lockdown where threats aren't too feasible. (note, even then I wouldn't claim 100% security). However in the real world these lockdowns are often porous enough to let things through.

      Here's my beef with all this -- consider this scenario: a bunch of pricks from IT restrict most everything in the name of security. As a regular luser, you'd think "oh...well, they've got this place locked up pretty tightly, surely nothing will happen if I open this file even though it's suspicious."

      As a rebellious bastard, you're more likely to think "these idiots restrict shit thinking they've got everything locked down but forgot to filter for such and such, don't update their virus scanner, and have large gaping holes through their firewall. Fuck 'em." Think Milton and his red Swingline stapler.

      In the end, it's as much about educating lusers as it is about competence and PR.

  4. Hot potato by SuperBanana · · Score: 5, Interesting

    The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

    After almost a decade in IT, I can tell you why there is this expectation. When it comes to fuckups, IT is usually the last guy to get the hot potato, and they're expected to save the day.

    Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don't, it is (rarely) the fault of the employee; it's the fault of the IT department for not anticipating such a need, or not being available at a second's notice, or simply not being able to save someone else's bacon. Oftentimes we're asked to perform miracles.

    It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failing to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man, expected to resurrect deleted+overwritten files...

    Another example: it's 4:55pm and FedEx comes at 5 to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57. There's something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"

  5. Tradeoffs by publius_ovidius · · Score: 3, Interesting

    What the article doesn't point out is the obvious tradeoff. By having an IT department to manage risk, companies enjoy lower risk, but the risk profile changes. IT departments will routinely reghost machines with unauthorized software and that, arguably, is a strong benefit. Once users lose enough data from having not backed up their machine prior to it being reghosted, they learn to back up their data more frequently or not install unauthorized software (assuming they have the administrative rights to install that software in the first place.)

    What that means, generally, is that problems from unauthorized software will be minimized and other problems will be magnified in comparison. I note that the author of that article didn't offer a solution to this perceived problem.

    Perhaps a deeper problem is that IT security represents, to the company, what an economist would refer to as a "public good." Your department will enjoy the protection of powerful firewalls, anti-virus protection and locked down machines even if the costs are not applied directly to your department's budget. As a result, I've frequently seen business departments argue against increased funding for IT security in the mistaken belief that the potentially negative impact on their budget will hurt them. They somehow believe that if they do not pay for the security directly, the IT department will magically find other solutions for those problems.

    Only increased employee education about the dangers inherent in their actions seems to be a viable method of reducing this problem.

  6. Blaming is a part of the problem by msblack · · Score: 3, Interesting

    The article is rather light on backing and employs weak logic to reach its conclusions. It also relies on some tired urban legends or scapegoating when it compares sloughy users to renters:

    ...akin to the difference between how renters feel about their apartments and home owners think of their homes.

    These tired ownership society attitudes assume actions result from a lack of vested interest while discounting the training issues.

    Other postings in this topic lament being on the receiving end of the blame game. Get used to life, because there are many situations where others will shift responsibility to high-horse IT employees who, like most others, are not immune to accusations. A little dialog can go far in defusing the following situation:

    [BOSS] John couldn't get that package out to big client yesterday. Why was the printer down?

    [IT] Equipment sometimes fails and we put in 110% to keep things running.

    [BOSS] Yeah, we lost a million-dollar contract due to your incompetence.

    [IT] I suppose it would be fair to ask why Marketing waited until 4:55 to make their print out?

    [BOSS] Because they were putting in 14-hour days for the past week. The printer needs to be working during times of crisis.

    [IT] If it was so critical, we would have posted someone to continually monitor the printer had Marketing given us the heads up of their deadline.

    If you have an unreasonable boss, run fast. These blame-throwing tirades are just that.

    --
    signature pending slashdot approval
  7. Re:Windows Only policy is a problem by Anonymous Coward · · Score: 2, Interesting

    Any IT Dept that adamantly refuses to incorporate, or even switch to, an alternate OS for purely selfish reasons is certainly a problem.

    When upper management asks for recommendations and the same old, tired, arguments for sticking with a Windows Only environment are trotted out by the MCSE's in the basement, then IT is doing the company a disservice.

    Bah! You're being ridiculous. The single largest factor in determining which platform a company should use for any given purpose is "what platform does our desired application run on." If the market leading product for your particular purpose only runs on Windows, you're going to run Windows. If your application runs on Linux, you'll run Linux. This is the single biggest hole in the vision of certain OSS zealots (and I do prefer OSS software, just not necessarily Linux 100% of the time).

    Here's a perfect example. I was involved with a startup about 2 years ago that was going to be a specialty surgical hospital. This was to be a small (less than 50 bed) hospital that focused on a very narrow branch of specialty medicine. The IT department varied from 3-5 staff members over time, including a director. For this hospital we needed the following systems:

    Lab information system
    Radiology information system
    PACS system
    Transcription system
    Registration system
    Patient accounting system
    Clinical documentation system
    Clinical ordering system
    Medical record system
    CPT coding system
    Surgery scheduling system
    Surgery documentation system
    Nurse call system
    Security and surveillance system
    Numerous database and instrument interface systems
    Email system
    File and print sharing
    Intranet site
    Directory services
    General office systems
    Decision support systems
    Database analysis systems
    Computerized faxing system
    And so on...

    Newsflash! This hospital's IT infrastructure could only have been built on a Windows platform. Now I won't say that Windows is the only OS that has all of these sorts of applications available (especially since two of those systems run on AIX servers, though with Windows clients). But if there are OSS, Linux, or Debian versions of these applications, they certainly are not best of breed, and they absolutely do not have the support of a large company that is a leader in the healthcare software field. And with an IT department of 5 people or less, they were hardly in a position to "roll their own."

    That's probably a more eloquent response than a troll post like yours deserves, but I think that it's important that people realize that it's not the "bunch of MCSEs in the basement" that drives purchase decisions for large companies.

  8. Re:IT departments are dangerous if arrogant by TekPolitik · · Score: 2, Interesting

    I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.

    You have not given us any examples, but this may well be perfectly rational behaviour. The rules for when it is and is not safe to do a particular thing can be quite complex, and it is not reasonable to expect an end user to be familiar with all of them - they have another job they need to worry about. For example, an IT department will often tell people never to open attachments, but the real rule is much more complex, and IT people are much more likely to know when it is and is not safe to open an attachment.

  9. Re:maybe if the company is ran by idiots by FatMacDaddy · · Score: 2, Interesting

    I must be one of the few people who work in a secure environment. We have security rules drilled into our heads routinely, and to a lot of us they're just common sense. Yes, there are people in IT who install unauthorized shareware, but if anyone introduces a virus to the network, whether in IT or not, it's easy to find out where it originated. That person is then made a spectacle of (only as a side effect) by the response staff as they lock down the person's workspace and haul away their PC like it was radioactive. Management, as you might imagine, finds little humor in these events. An occurrence like this is a reflection on management (as far as upper management is concerned), and the risk and lost productivity can cost the boss his or her job. Thus, anyone who does this more than once probably doesn't have much network access after that, assuming they even have a job at that point. (Violating the security policy can be cause for termination, and it is enforced.) Just my two cents.

    --
    This space intentionally left blank.
  10. Re:This wouldn't explain ... by Xarius · · Score: 1, Interesting

    I feel it's because they try to think of this technology like any other technology, a black box where you push a few buttons and turn a few dials, something that is completely harmless.

    Yet these same people manage to operate a gas oven, steam iron, and mechanical automobile most of the time without incident. I don't see why they treat computers with such stupidity... I think it's because they view this intarweb thingy as not exactly real and that it doesn't really affect the real world at all, but I could be wrong.

    But I get what you're saying though.

    --
    C17H21NO4
  11. Re:High school janitors by E8086 · · Score: 3, Interesting

    yes, that makes PERFECT sense

    No, it's not ensuring their job security. The interaction with the end users/students is the least important part of their job. I don't know what else high school janitors have to do, maybe disinfect every classroom and fix broken things; there are probably enough routine daily tasks that ensure them keeping their job, and no, it doesn't include the occasional spilled soda and dropped candy bar. IT staff has to deal with maintaining everything the end users/common office minions don't even know exists. I'm sure your IT staff wouldn't like it when the testing of the latest piece of major software or Windows patches or new thing that might make the standard drive image crash has to be put off because some fool of an intern in marketing got some virus and/or spyware while goofing off playing some Flash game instead of doing whatever marketing does, and they lose a day cleaning up after them. Don't confuse network operations (IT) with a HelpDesk or damage control. Even then their main reason for being there is to be experts on and help with the company's mission critical applications, not virus/spyware removal. What happens when someone finds a way to set up a rogue WAP? Depending on the size of the company it might take a while to find, and that's possible to happen in companies with and without IT depts.

    You could enforce a "the Internet is a privilege" policy. In most cases all your average employee needs is access to the corporate network for internal email and whatever resources their job requires, and maybe a select few sites of affiliates/partners/clients which can be allowed by firewall. When a virus is traced back to someone, instead of giving them a slower machine and possibly lowering productivity, cut off their Internet access; it will raise their productivity by removing the big distraction that is the Internet.

    --
    F7 doesn't work, ignore spelling and grammar
  12. Re:Solution in three easy steps: by lullabud · · Score: 3, Interesting

    That's pretty much how it works. That's how it was for me during a takeover at one of my previous employers. They fired everybody except the head IT guy, at a 24 hour operation of 200 or so employees. Our systems were all getting messed up and nobody had any permissions to even defrag, scandisk or clean out temp files. We had permission to run two applications, one of which was the calculator. I nearly got fired for finding a workaround in the security in order to repair our workstations so we could get some work done. ...actually, now that I think about it, one of my workarounds involved l0pht, but that's beside the point.

  13. Re:This wouldn't explain ... by petermgreen · · Score: 2, Interesting

    Well, gas ovens are pretty simple really, and at least here in Britain they add a stinky substance to the gas so you can smell leaks. Also, the obvious danger of bodily harm makes people take more care.

    Steam irons are again pretty simple and again have an obvious danger of bodily harm, so again people take more care.

    Cars have a mandatory training and licensing programme in all civilised countries I know of.

    The problem with computers is people view them like a VCR or a phone, something where they can't really do any harm through ignorance. Sadly, in the days of e-mail, instant messaging, online shopping etc. this simply isn't the case.

    --
    note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
  14. Re:IT departments are dangerous if arrogant by v1 · · Score: 2, Interesting

    Some of that is justifiable. You don't give a 4 year old a set of sharp scissors to cut his construction paper, you give him a set of those stamped safety scissors. But then YOU aren't going to use those safety scissors are you? Of course not.

    Here I sit, drinking a tall glass of milk, setting it down 5" from my laptop. I would never advise an 'average user' to do this, because average users are klutzes, and when they dump a can of Pepsi into their laptop's keyboard I'll be the one that gets to fix it, so I will say "no food around computers" and proceed to pour another tall glass of milk.

    It's not hypocrisy, it's "who is responsible enough for the privilege". And with no background history to go on, all users are by default considered klutzes and do not have food or drink anywhere near the computer.

    Now if a user sees an IT person drinking a cup of coffee at their console, they sometimes will flip out and cry foul, "why can't I do that?" But then again little kids will whine equally when they see their older brother with the "real scissors" and they get handed the chrome safeties. Doesn't mean the little tyke should get the sharp ones now, does it? It's not being unfair, it's just a matter of risk management.

    It's also not a matter of playing favorites. A good friend of mine is a klutz. It's very rare to spend 20 minutes around him and NOT see him drop something. I would not advise him to eat around his computer either.

    Anyway, enough about eating around computers, the concept extends to any other risky behavior around computers really, in much the same way.

    --
    I work for the Department of Redundancy Department.
  15. There are two effective ways to deal with this: by dgh · · Score: 2, Interesting

    Set the rules, anyone who violates them gets fired (maybe three strikes or something for minor things).

    Or, you fix your own mess. IT will get to it when they have time.

    I've been employed in different companies where one or the other method was practiced; they both work.