Slashdot Mirror


IT Departments Are A Security Risk

stlhawkeye writes "An article at Information Week asks the question: is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training don't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"

3 of 282 comments

  1. Different Interpretation by fembots · Score: 4, Interesting

    I read the summary as if the IT Department itself is a security risk, because they have the highest level of access to everything on the network, and one wee mistake, such as failure to lock an unattended admin PC, inappropriate disposal of a backup tape, a misconfigured spam filter and whatnot, can easily knock out the company for at least a few hours or cause great harm.

    Having said that, it's also true that computer users protected by a competent IT Department do get spoiled, and when they're out with a laptop, they can easily be infected on a dial-up. It's like kids with over-protective parents, who are likely to get hurt/scammed/killed more easily when they're alone.

    This naturally leads to the most important discussion in the article, i.e. user education. And I believe in order to really get the message through, IT Department needs to have some sort of security drill (like fire drill, annoying but everybody gets the idea after several attempts).

    For example, if a user clicked on an obviously suspicious link (spoofed by yours truly, the IT Department, of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".

    1. Re:Different Interpretation by Pharmboy · Score: 4, Interesting

      Personally, I think you have to have a little more respect for the IT dept. than to just say they are there to "support" IT.

      They are there to support IT as it applies to work, but not to remove spyware and viruses because employees visit porn or other inappropriate sites. Over 90% of the problems we have with computers are related to activities that are within acceptable policies, such as roaming around on the wrong kinds of sites. One of the problems is that employees see their computer as "their computer", and not as a tool for their use that is owned by the company.

      A perfect example: I get many complaints from employees that they do not have speakers on their computers. There is NO task we do that requires sound. The only possible use they could have for speakers is unauthorized use of the computers.

      I do everything I can to ignore other uses as long as it does not cause problems. Go ahead, read news, research stocks, as long as you are smart enough to avoid problem sites. Getting 1000 spam mails a day? Likely using company email for personal reasons, and I shouldn't have to support that.

      Actions that have no consequences are often repeated. The only cure is accountability for employees who use their computers for non-business related activity.

      --
      Tequila: It's not just for breakfast anymore!
  2. Hot potato by SuperBanana · Score: 5, Interesting

    The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

    After almost a decade in IT, I can tell you why there is this expectation. When it comes to fuckups, IT is usually the last guy to get the hot potato, and they're expected to save the day.

    Any time a user screws up, the IT department is EXPECTED by upper management to save the day. If they don't, it is (rarely) the fault of the employee; it's the fault of the IT department for not anticipating such a need, or not being available at a second's notice, or simply not being able to save someone else's bacon. Oftentimes we're asked to perform miracles.

    It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, and the car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and for failing to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man, expected to resurrect deleted+overwritten files...

    Another example: it's 4:55pm and FedEx comes at 5 to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57. There's something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"... not, "Bob, why did you wait until 5 minutes before your deadline?"