IT Departments Are A Security Risk
stlhawkeye writes "An article at Information Week asks the question: is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"
I read the summary as if the IT Department itself is a security risk, because they have the highest level of access to everything on the network, and one wee mistake, such as failure to lock an unattended admin PC, inappropriate disposal of a backup tape, a misconfigured spam filter and whatnot, can easily knock out the company for at least a few hours or cause great harm.
Having said that, it's also true that computer users protected by a competent IT Department do get spoiled, and when they're out with a laptop, they can easily be infected on a dial-up. It's like kids with over-protective parents are likely to get hurt/scammed/killed more easily when they're alone.
This naturally leads to the most important discussion in the article, i.e. user education. And I believe in order to really get the message through, IT Department needs to have some sort of security drill (like fire drill, annoying but everybody gets the idea after several attempts).
For example, if a user clicked on an obviously suspicious link (spoofed by yours truly, the IT Department, of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".
Rock that crushes, Paper & Scissors that don't matter.
The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.
This is assuming, of course, that the IT department is very lax on their users. Besides the fact that the users should be locked down to the point where irresponsible computing isn't as much of an issue, IT shouldn't be just allowing this behaviour to continue. Mindlessly cleaning things up without trying to change them is the problem, not having the department.
If you get punched in the face every time you drop a cigarette butt on the ground, you're going to stop dropping them. The same principle should apply here. Punish the user for bad behavior, and they'll eventually stop.
After almost a decade in IT, I can tell you why there is this expectation. When it comes to fuckups, IT is usually the last guy to get the hot potato, and they're expected to save the day.
Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don't, it is (rarely) the fault of the employee, it's the fault of the IT department for not anticipating such a need, or not being available at a second's notice, or simply not being able to save someone else's bacon. Often times we're asked to perform miracles.
It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failed to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man, expected to resurrect deleted+overwritten files...
Another example- it's 4:55pm and Fedex comes at 5 to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57. There's something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"
Please help metamoderate.
What the article doesn't point out is the obvious tradeoff. By having an IT department to manage risk, companies enjoy lower risk but the risk profile changes. IT departments will routinely reghost machines with unauthorized software and that, arguably, is a strong benefit. Once users lose enough data from having not backed up their machine prior to it being reghosted, they learn to back up their data more frequently or not install unauthorized software (assuming they have the administrative rights to install that software in the first place).
What that means, generally, is that problems from unauthorized software will be minimized and other problems will be magnified in comparison. I note that the author of that article didn't offer a solution to this perceived problem.
Perhaps a deeper problem is that IT security represents, to the company, what an economist would refer to as a "public good." Your department will enjoy the protection of powerful firewalls, anti-virus protection and locked down machines even if the costs are not applied directly to your department's budget. As a result, I've frequently seen business departments argue against increased funding for IT security in the mistaken belief that the potentially negative impact on their budget will hurt them. They somehow believe that if they do not pay for the security directly, the IT department will magically find other solutions for those problems.
Only increased employee education about the dangers inherent in their actions seems to be a viable method of reducing this problem.
These tired ownership society attitudes assume actions result from a lack of vested interest while discounting the training issues.
Other postings in this topic lament being on the receiving end of the blame game. Get used to life, because there are many situations where others will shift responsibility to high-horse IT employees who, like most others, are not immune to accusations. A little dialog can go far in defusing the following situation:
[BOSS] John couldn't get that package out to big client yesterday. Why was the printer down?
[IT] Equipment sometimes fails and we put in 110% to keep things running.
[BOSS] Yeah, we lost a million-dollar contract due to your incompetence.
[IT] I suppose it would be fair to ask why Marketing waited until 4:55 to make their print out?
[BOSS] Because they were putting in 14-hour days for the past week. The printer needs to be working during times of crisis.
[IT] If it was so critical, we would have posted someone to continually monitor the printer had Marketing given us the heads up of their deadline.
If you have an unreasonable boss, run fast. These blame throwing tirades are just that.
signature pending slashdot approval
yes, that makes PERFECT sense
No, it's not ensuring their job security. The interaction with the end users/students is the least important part of their job. I don't know what else high school janitors have to do, maybe disinfect every classroom and fix broken things; there are probably enough routine daily tasks that ensure them keeping their job, no, it doesn't include the occasional spilled soda and dropped candy bar. IT staff has to deal with maintaining everything the end users/common office minions don't even know exists. I'm sure your IT staff wouldn't like it when the testing of the latest piece of major software or Windows patches or new thing that might make the standard drive image crash has to be put off because some fool of an intern in marketing got some virus and/or spyware while goofing off playing some Flash game instead of doing whatever marketing does, and they lose a day cleaning up after them. Don't confuse network operations (IT) with a HelpDesk or damage control. Even then their main reason for being there is to be experts on and help with the company's mission critical applications, not virus/spyware removal. What happens when someone finds a way to set up a rogue WAP? Depending on the size of the company it might take a while to find, and that's possible to happen in companies with and without IT depts.
You could enforce a "the Internet is a privilege" policy. In most cases all your average employee needs is access to the corporate network for internal email and whatever resources their job requires, and maybe a select few sites of affiliates/partners/clients which can be allowed by firewall. When a virus is traced back to someone, instead of giving them a slower machine and possibly lowering productivity, cut off their Internet access; it will raise their productivity by removing the big distraction that is the Internet.
F7 doesn't work, ignore spelling and grammar
That's pretty much how it works. That's how it was for me during a takeover at one of my previous employers. They fired everybody except the head IT guy, at a 24 hour operation of 200 or so employees. Our systems were all getting messed up and nobody had any permissions to even defrag, scandisk or clean out temp files. We had permission to run two applications, one of which was the calculator. I nearly got fired for finding a workaround in the security in order to repair our workstations so we could get some work done. ...actually, now that I think about it, one of my workarounds involved l0pht, but that's beside the point.