IT Departments Are A Security Risk

stlhawkeye writes "An article at Information Week asks the question - is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article,'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"

Different Interpretation

[fembots]

I read the summary as if IT Department itself is a security risk, because they have the highest level of access to everything on the network, and one wee mistake, such as failure to lock an unattended admin pc, inappropriate disposal of a backup tape, a misconfigured spam filter and whatnot can easily knock out the company for at least a few hours or cause great harms.

Having said that, it's also true that computer users protected by a competent IT Department do get spoiled and when they're out with a laptop, they can easily be infected on a dial-up. It's like kids with over-protective parents will likely to get hurt/scammed/killed more easily when they're alone.

This naturally leads to the most important discussion in the article, i.e. user education. And I believe in order to really get the message through, IT Department needs to have some sort of security drill (like fire drill, annoying but everybody gets the idea after several attempts).

For example, if a user clicked on an obvious suspicious link (spoofed by yours truly IT Department of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".

Re:Different Interpretation

[NeoSkandranon]

Good punishment idea, but I'm not sure it'll catch on... What company would go for the idea of willfully lowering productivity?

Re:Different Interpretation

[wwest4]

> I read the summary as if IT Department itself is a security risk

Your instincts are right. The article underrepresents this idea. An unchecked IT staff is the single greatest security risk a company typically has. Admins who don't check backups, who are not beholden to SLAs, who see themselves as excepted from policy, who are not externally required to maintain security, or who make cavalier changes are much worse than all but the most malevolent/careless users.

User education is a good idea, but it's still largely up to IT. That's our job, because we are in the best position to do it. If we don't at the very least prominently publish a policy and make it accessible (to a reasonable degree), we can't very well expect the user to intuit and follow it.

The whole concentration cubicle/punitive response idea is just stupid (it's unethical and it wouldn't work), but your other points are good.

Re:Different Interpretation

[easttuth]

I, too, had a different thought about the content of this article when I read the title. My supervisor and myself just had a discussion about the failings of large and cumbersome IT deparments. As with most large and cumbersome organizations, they tend to perpetuate problems to maximize IT department resource requirements. For instance, when one of our internal applications gains a new feature, but consequently develops about 15 new bugs, we have to issue a ticket for correction not for the feature that is causing the problem, not even for each individual problem that has been created by the adding of said feature, but for every single instance of any bug instancing its self on any account in the entire system. Why? Because they want to string out actually hunting down the adapters that are causing issues in the first place, and instead create a patchwork of fixes that eventually have to be refixed. It justifies their bloated existence.

Re:Different Interpretation

The IT department is a risk, the same as the accounting department, or the managers, or any other department is a risk. In order to accomplish anything, people have to have enough authority to do their job, and that authority comes with a risk. That's why you hire competant professionals and you put procedures in place. That's also why you need to enforce procedures, as much as everyone hates it. Remember the accountant that bought way too much stock?

It gets worse, though. Try working at a company who doesn't have a competant IT manager, but who won't give any authority to the competant IT people, because they are afraid of what they would do with it. You get a situation where if the IT people really don't have ethics (as the management seems to think), then they can get through the security easily because it isn't done right (as can anyone else at the company). You have to take some calculated risks, and they get harder in areas where you can't evaluate the risks personally.

On the other side of things, people do not do any better about protecting their computer if they don't have IT protecting them. Most people don't know any more about computer security than they do about fruitfly morphology, so they can't try harder when they don't have a safety net. Maybe the IT department should do some 'Internet Safety' training as part of their job, but not necessarily as harshly as you suggest.

Re:Different Interpretation

[XunilOS]

I agree with the concept of "punishing" repeat offenders, but I doubt you'll get much support from department managers with your idea of issuing them a crappy machine. I would imagine you'd get more traction with department managers by informing them their employee has repeatedly subjected the company's sensitive data to risk, and should future incidents occur, this would be grounds for disciplinary action (up to and including termination). This of course depends on your company having established security policies - which are a pain in the neck to write, but worth it in the long run.

I've worked at companies where this has been effective, both for employees who were willfully irresponsible (repeatedly installing weatherbug, etc.), and those who were so unskilled as to be a complete nuisance to IT (calling every day with a question like "How do I print from Word again?").

Re:Different Interpretation

[techno-vampire]

This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle."

I had a diffrent idea. Each project, each department, each work group has a budget. If the costs of having IT clean up a mess that shouldn't have happened come out of that budget, people will get more carefull, fast. If they don't, then the ones causing the loss of funds will get marked down on their reviews, and possibly fired for their lack of cautiion and the problem goes away when they do.

Re:Different Interpretation

[Danger+Stevens]

For example, if a user clicked on an obvious suspicious link (spoofed by yours truly IT Department of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer from his action, others will know why he is working at the "Concentration Cubicle".

Yeah, nothing helps employee morale quite like feeling as though their in a Dilbert comic strip.

Can you imagine having a friend come home from work and describing to you that they've been put at the 'Concentration Cubicle' for a week and their productivity is going to nearly disappear just because management felt they deserved being treated like a 3-year-old?

I'd quit if that happened to me. Of course, I run firefox on Linux, but it'd still piss me off.

Re:Different Interpretation

[NDPTAL85]

Wow. With your comment you sum up the real problem with IT depts. You assume you are even on the same level of importance with those you serve, let alone superior.

You are not there to "grant" the privledge of computing. You are there to "support" it. The people who do the actual work of the company are the ones who bring the money in. So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.

Re:Different Interpretation

[dotgain]

While you're going to get modslapped for that as I have in the past, I'm putting my karma on the line to say I agree with you, and until most SysAdmins get this into their skull, IT folk will continue to be snubbed.

At the moment I work at a fisheries in the country. I'm the only SA within 50 miles of here. I can't afford to be stuck up like I used to be, because I'd be the only one here that thinks I'm more important. I understand I'm not, and it makes people much easier to get along with.

Re:Different Interpretation

[Pharmboy]

Personally, I think you have to have a little more respect for the IT dept. that to just say they are there to "support" IT.

They are there to support IT as it applies to work, but not to remove spyware and viruses because employees visit porn or other inappropriate sites. Over 90% of the problems we have with computers is related to activities that are within acceptable policies, such as roaming around on the wrong kinds of sites. One of the problems is that employees see their computer as "their computer", and not a tool for their use, but owned by the company.

A perfect example: I get many complaints from employees that they do not have speakers on their computers. There is NO task we do that requires sound. The only possible use they could have for speakers is unauthorized uses of the computers.

I do everything I can to ignore other uses as long as it does not cause problems. Go ahead, read news, research stocks, as long as you are smart enough to avoid problem sites. Getting 1000 spam mails a day? Likely using company email for personal reasons, and I shouldn't have to support that.

Actions that have no consequences are often repeated. The only cure is accountability for employees who use their computers for non-business related activity.

Re:Different Interpretation

[QuestorTapes]

> You are not there to "grant" the privledge of computing. You are there to "support" it.

Good point, although you stated it more bluntly than I would have.

> The people who do the actual work of the company are the ones who bring the money in.

True, although sometimes this is the IT staff.

> So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.

The management at most firms I know would not agree with this. It's not enough to harden the network. Users who open risky attachments can lose data from their local drives which is difficult or impossible to replace. Even if the network prevents infection, a great deal of damage can still be done.

I feel that IT support and IT security decision making need to be separate functions. Support people are not the right ones to restrict the actions of the staff, but sometimes it is necessary to do so. And sometimes the people who need to be restricted are the IT support staff.

Re:Different Interpretation

[BVis]

What company would go for the idea of willfully lowering productivity?

What company would stand for allowing their employees to waste company time and resources on Weatherbug and porn and warez?

Yes, it would negatively impact productivity in the short term, but in the long term, one of two things would happen: Either the "repeat offenders" would change their behavior, or their productivity would be reduced to the point where they became redundant.

Of course, this is in the fantasy world where IT workers are actually allowed to do their jobs (keeping the computers running smoothly and enhancing profitability for the company by improving efficiency), and where anyone in management can see beyond this quarter.

Re:Different Interpretation

[drdewm]

Try to do your "real work" without us. This is why there is such a back lash agaisnt IT people from the non-ITs: you know you can't work without us anymore. There was a day when IT wasn't necessary but these days try to sell something without and EDI infrastructure or without email or powerpoint presentations etc. You hate us because you are threatened by us. The old boys club is threatened by those that are beyond its understanding and control. The world has changed either get technical or get out of the way. I gotta go blog something.. I'm out!

Re:Different Interpretation

[NateTech]

I've worked in IT quite a long time, and I daily see scenarios where the non-computerized version of whatever task I'm doing was much more efficient and intelligent than the computerized "modern" version.

Case in point - labeling a package for shipping. If you can learn to print letters reasonably, this task takes about 10 seconds.

I currently have to dig ten web pages deep into a PeopleSoft application at my employer to even create a mailing label for an RMA, and the application doesn't even have the correct address for my customer's locations in it. I have to click "Override" and put in the shipping address manually because the customer has separate billing and shipping addresses.

Then since there's been no attempt at integration to our separate trouble ticketing system, I have to enter all that information again into another database.

Ultimately, it takes about 1/2 hour to create an RMA in our computerized systems.

In contrast, it takes about 10 seconds to write a mailing label and another 3 minutes to walk to the inventory cage, check off an inventory sheet by hand when removing product and hand it to the guy who packages stuff... if we could do that.

At some divisions of the company, I'm sure automated database driven ordering for just-in-time arrival of parts and things is helpful, but our division makes things that have to be put together long in advance and kept in stock. There's virtually no benefit to real-time asset tracking - no manager above our division level is looking at real-time numbers anyway. They're lucky if they look at the inventory numbers monthly. Thus, a monthly typed-up report in a spreadsheet would be just as effective as a multi-hundred-thousand dollar real-time system that wastes employees time to the tune of about a 10:1 ratio against a pen and company logo mailing label sticker.

Seriously, the world needs to look more carefully at some of our computerized processes and see if they're really as good as we think they are.

There are cases where a blank piece of paper, a pen, and a filing cabinet with a decent organization scheme would be faster -- but we want "computerized" because it's supposedly better.

Re:Different Interpretation

[surprise_audit]

One things "computerised" ought (yeah, I know...) to get you is trackability. In your RMA situation, if management wants to they should be able to create reports that show which supplier gets the most returns, which could lead to a change of suppliers. Or is there a seasonal-related variation is the numbers, or whatever.

OK, so that may not be a good example, but I'm sure there are others. If the data is "computerised", it should be easier to sort and sift and graph than if it's on paper.

And it sounds like your Peoplesoft app sucks - it ought to be able to handle multiple addresses and you shouldn't have to dig through 10 pages to get there.

Re:Different Interpretation

[Alioth]

In supporting computing, you have to make sure the computing environment is going to work for a company. This means the IT department DOES need to implement some kind of control - allowing everyone to download and install anything they like is NOT supporting computing, it'll end up destroying productivity (through the machines getting pwned). To effectively support business computing needs, you also have to inject some realism into the sometimes bizarre requests of staff. Yes - you *must* accomodate them in furthering the business through their computing assets - but that is NOT done by just letting anything go.

I found a book on the mezzanine level just outside our server room the other day.

"Businessman's Guide to Microcomputers" - by Deloitte Haskins + Sells (an accountancy firm). This book was printed in 1984. First edition 1982. It says this at the end in the section "Common first-time buyer pitfalls":

"We've got a lot of problems, but we're getting a computer"
This buyer is asking for trouble...there is a new "old adage": "Don't computerise a mess...clean it up first". It is important to understand that a computer can't help you to do things you don't understand, and it won't make decisions for you. All it does is process a lot of information very quickly...exactly as it is told to do it. To be of any real use, a computer requires a disciplined approach and an organized mind.

This lesson from 21 years ago *still hasn't been learned* in many quarters (even some IT departments don't appear to understand this). Allow users of the corporate network do whatever they want with liberal abandon, and...well...the entire business pays the consequences later.

Re:Different Interpretation

[tbannist]

That's smart, fire the arrogant guys who work for you, and hire the even more arrogant guys to work for you on contract.

Everything I've ever seen or heard has suggested that outsourcing IT departments is on the dumbest moves any company can make. You simply can not afford to make your company entirely dependent on another company.

High school janitors

[uits]

This is the same reasoning we used to use in high school when we'd drop our wrappers on the floor, spill soda and walk away...they get paid to clean it up, we're doing them a FAVOR by ensuring their job security.

Re:High school janitors

[Neil+Blender]

I'm almost 30 and I still use that justification when I leave my shit in a Wendy's parking lot after lunch.

You should be ashamed of yourself. Wendy's food is terrible.

Re:High school janitors

[mrchaotica]

You know, generally speaking fast-food employees don't pick up trash in the parking lot, unless it gets really bad. What you're actually doing is letting the next rain wash the litter into the nearest creek. In other words, you're a littering asshole.

If you must do something like that, at least leave the trash inside on your table so that the employees are certain to dispose of it properly.

Re:High school janitors

[E8086]

yes, that makes PERFECT sense
No, it's not ensuring their job security. The interaction with the end users/students is the least important part of their job. I don't know what else high school janitors have to do, maybe disinfect every classroom and fix broken things, there are probably enough routine daily tasks that ensure them keeping their job, no it doesn't include the occasional spilled soda and dropped candy bar. IT staff has to deal with maintaining everything the end users/common office minions doesn't even know exists. I'm sure your IT staff wouldn't like it when the testing of the latest piece of major software or windows patches or new thing that might make the standard drive image crash has to be put off because some fool of an intern in marketing got some virus and/or spyware while goofing off playing some flash game instead of doing whatever marketing does and they loose a day cleaning up after them. Don't confuse network operations(IT) with a HelpDesk or damage control. Even then their main reason for being there is to be experts on and help with the company's mission critical applications, not virus/spyware removal. What happens when someone finds a way to setup a rouge WAP? Depending on the size of the company it might take a while to find and that's possible to happen in companies with and without IT depts.

You could enforce a "the Internet is a privlage" policy. In most cases all your average employee needs is access to the corporate network for internal email and whatever resources they job requires and maybe a select few sites of affiliates/partners/clients which can be allowed by firewall. When a virus is traced back to someone, instead of giving them a slower machine and possibly lowering productivity cut off their Internet access, it will raise their productivity by removing the big distraction that is the Internet.

IT Department itself the danger

[Sascha+J.]

It was not rare in the past, that the IT guys themselves were the thread to the company.

Quite often they served the company's bandwith for warez exchange, as we all know... ;)

Ah yes,

The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

I see... just as the Fire Department is a fire risk, hospitals increase reckless activity, having a police force causes crime, etc.

How brilliant the author of this article must be to draw such an unusual conclusion!

Re:Ah yes,

[ndansmith]

I see... just as the Fire Department is a fire risk . . .

Of course it is. What do you think firemen are supposed to do? Put out fires? It's pointless now that every house is fireproofed!

</Fahrenheit 451>

Solution in three easy steps:

[Anonymous+Crowhead]

1. Get rid of IT department
2. Let company infrastructure rot
3. Rehire IT department

Sounds like a management decision to me.

Re:Solution in three easy steps:

[networkBoy]

No.
He's the PHB, Dogbert is the consultant that talked him into doing it.
.
.
.
.
And the outsourcing agency for the new IT staff.
-nB

Re:Solution in three easy steps:

[lullabud]

That's pretty much how it works. That's how it was for me during a takeover at one of my pervious empoyers. They fired everybody except the head IT guy, at a 24 hour operation of 200 or so employees. Our systems were all getting messed up and nobody had any permissions to even defrag, scandisk or clean out temp files. We had permission to run two applications, one of which was the calculator. I nearly got fired for finding a workaround in the security in order to repair our workstations so we could get some work done. ...actually, now that I think about it, one of my workarounds involved l0pht, but that's beside the point.

Not if they're good.

[DrEldarion]

The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

This is assuming, of course, that the IT department is very lax on their users. Besides the fact that the users should be locked down to the point where irresponsible computing isn't as much of an issue, IT shouldn't be just allowing this behaviour to continue. Mindlessly cleaning things up without trying to change them is the problem, not having the department.

If you get punched in the face every time you drop a cigarrette butt on the ground, you're going to stop dropping them. The same principle should apply here. Punish the user for bad behavior, and they'll eventually stop.

Re:Not if they're good.

[vertinox]

Punish the user for bad behavior, and they'll eventually stop.

That's hard to do if the user is your supervisor, upper managment, or your customer. It's not like you can tell the Excec-VP of marketing "No! Don't do that!" and smack their hand when they are set on doing it and demand they be allowed to do what they want to do. The better solution is to give a good argument against it and then try to avoid getting blamed when their continued actions.

Sucks to work for a company like that, but sometimes you have to roll with what you have.

Re:Not if they're good.

[Valiss]

If you get punched in the face every time you drop a cigarrette butt on the ground, you're going to stop dropping them. The same principle should apply here.

Thanks a million. I just got fired for punching a co-worker in the face for not understanding the inner workings of sendmail.

Re:Not if they're good.

[Kelson]

Punching them in the face is probably against company policy.

Maybe zapping them with a spray bottle?

This wouldn't explain ...

[subsoniq]

Why Home users get into so much trouble. I don't think it's because they feel they can ignore security due to the existance of an IT department to clean up their mess, I feel it's because they try to think of this technology like any other technology, a blackbox that you push a few buttons and turn a few dials, something that is completely harmless.

Our company has consequences for stupid user action, up to and including employment termination, so uers are "motivated" to learn the dangers that might confront them and how to avoid them.

Re:This wouldn't explain ...

[petermgreen]

well gas ovens are pretty simple really and at least here in britan they add a stinky substance to the gas so you can smell leaks. also obvious danger of bodiliy harm makes people take more care.

steam irons are again pretty simple and again have an obvious danger of bodily harm so again people take more care.

cars have a mandatory training and licensing programme in all civilised countries i know of.

the problem with computers is people view them like a vcr or a phone, something where they can't really do any harm through ignorance. Sadly in the days of the e-mail instant messaging online shopping etc this simply isn't the case.

IT departments are dangerous if arrogant

[Shivetya]

I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.

It is plain and simple arrogance. From trash talking users to mocking auditors I see it all. Best yet is all the work done to keep users from doing something bad is amazingly and commoningly thwarted on the machines of the same IT staff.

In charge of security administation, most likely to bend the rules too.

Yeah there are good IT departments and I am not say where I work doesn't have a good one. Parts are very good but it isn't hard to find rules bent somewhere at any one time. If not for someone whose title begins with a "C" then its for someone in favor.

It doesn't help when you have so many different system types that you cannot find a single auditing company capable of covering them all. Of course it doesn't help when you don't take advantage of the opportunity SOX did provide and instead keep business as usual, just documented.

Re:IT departments are dangerous if arrogant

[TekPolitik]

I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.

You have not given us any examples, but this may well be perfectly rational behaviour. The rules for when it is an is not safe to do a particular thing can be quite complex, and it is not reasonable to expect an end user to be familiar with all of them - they have another job they need to worry about. For example, an IT department will often tell people never to open attachments, but the real rule is much more complex, and IT people are much more likely to know when it is and is not safe to open an attachment.

Re:IT departments are dangerous if arrogant

[v1]

Some of that is justifiable. You don't give a 4 year old a set of sharp scissors to cut his construction paper, you give him a set of those stamped safety scissors. But then YOU aren't going to use those safety scissors are you? Of course not.

Here I sit, drinking a tall glass of milk, setting it down 5" from my laptop. I would never advise an 'average user' to do this, because average users are klutzes and when they dump a can of pepsi into their laptop's keyboard I'll be the one that gets to fix it, so I will say "no food around computers" and proceed to pour another tall glass of milk.

It's not hypocracy, it's "who is responsible enough for the privledge". And with no background history to go on, all users are by default considered klutzes and do not have food or drink anywhere near the computer.

Now if a user sees an IT person drinking a cup of coffee at their console they sometimes will flip out and cry foul, "why can't I do that?" But then again little kids will whine equally when they see their older brother with the "real scissors" and they get handed the chrome safeties. Doesn't mean the little tike should get the sharp ones now does it? It's not being unfair, it's just a matter of risk management.

It's also not a matter of playing favorites. A good friend of mine is a klutz. It's very rare to spend 20 minutes around him and NOT see him drop something. I would not advise him to eat around his computer either.

Anyway, enough about eating around computers, the concept extends to any other risky behavior around computers really, in much the same way.

Sounds reasonable

[maromig]

Any time a groups gets into the role of over-functioning for another, the other group starts to under-function. This isn't limited to IT and corporations. It would explain, among other things, why the poorest and most dependent folks in NO, were not more proactive with their own future in that disaster, instead waiting on the Government and charities to over-function for them. That choice was much more risky for them than just getting out of town earlier like many others decided to do on their own.

It's true, I suppose

[Otter]

I'm definitely motivated to stay out of trouble in order to keep them the hell out of my computer...

This has nothing to do with the parent

[jim_v2000]

But I think someone just need to point out that STUPID people are a security risk everywhere they are present.

Just wonderful...

[kex]

from TFA:
"One in three (34 percent) of U.S. users and more than one in four of those in Germany (29 percent) and Japan (28 percent) admitted they clicked on suspicious links or opened iffy e-mail because the computer equipment wasn't theirs."

Now I have to figure out which 4 out of the 12 guys on my mobile force need their laptop replaced with an etch-a-sketch. Time to send out some ebay spoof emails and see who responds...

Hot potato

[SuperBanana]

The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

After almost a decade in IT, I can tell you why there is this expectation. When it comes to fuckups, IT is usually the last guy to get the hot potato, and they're expected to save the day.

Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don't, it is (rarely) the fault of the employee, it's the fault of the IT department for not anticipating such a need, or not being available at a second's notice, or simply not being able to save someone else's bacon. Often times we're asked to perform miracles.

It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, car bursts into flames. Do the facilities people get in trouble for not ancticipating the employee who leaned over to pick up his cell phone off the floor while driving, and failed to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man, expected to resurrect deleted+overwritten files...

Another example- it's 4:55pm and Fedex comes at 5 to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57. There's something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"

Re:Hot potato

[Fulcrum+of+Evil]

Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"

Sure boss, I fixed the printer. It took 15 minutes because I had to go downstairs to get more toner. Bob missed the pickup, but oddly enough, wasn't around to trot the package down to the fedex shop that was open until 6.

This couldn't be any more obvious

[kianu7]

The IT department is clearly a security risk, let me explain. The IT folks have the ability to hit all the dangerous smut portals (without getting logged) and are thus are more likely to download the root kits that are often served up at some of the shadier bukkake portals (I wouldn't know...wink, wink) and thus infect the corporate lan. Management knows taking bigger risks could lead to bigger rewards. So, that's why they keep those smut-hungry IT workers around.

Tradeoffs

[publius_ovidius]

What the article doesn't point out is the obvious tradeoff. By having an IT department to manage risk, companies enjoy lower risk but the risk profile changes. IT departments will routinely reghost machines with unauthorized software and that, arguably, is a strong benefit. Once users lose enough data from having not backed up their machine prior to it being reghosted, they learn to backup their data more frequently or not install unauthorized software (assuming they have the administrative rights to install that software in the first place.)

What that means, generally, is that problems from unauthorized software will be minimized and other problems will be magnified in comparison. I note that the author of that article didn't offer a solution to this perceived problem.

Perhaps a deeper problem is that IT security represents, to the company, what an economist would refer to as a "public good." Your department will enjoy the protection of powerful firewalls, anti-virus protection and locked down machines even if the costs are not applied directly to your department's budget. As a result, I've frequently seen business departments argue against increased funding for IT security in the mistaken belief that the potentially negative impact on their budget will hurt them. They somehow believe that if they do not pay for the security directly, the IT department will magically find other solutions for those problems.

Only increased employee education about the dangers inherent in their actions seems to be a viable method of reducing this problem.

Re:Windows Only policy is a problem

[winkydink]

What color is the sky on your planet?

I won't rehash the reasons why Linux isn't ready for the desktop.

Migrating to an all Apple strategy would hurt the bottom line as the hw is more expensive and there are a limited amount of biz apps that run on them, necessitataing the need for a big virtulization project on top of the new hw.

Yes, Windows has a whole heap of shortcomings and everybody loves to hate it. For the corporate world's desktops, its the only game in town.

Wallet Inspector

"It's like kids with over-protective parents will likely to get hurt/scammed/killed more easily when they're alone."

Homer: Guys, believe me, I didn't mean to get you expelled.
Nerd 3: Oh, don't worry, Mr. Simpson, we can take care of ourselves.
Snake appears, holding out his hand]
Snake: Uh, wallet inspector.
Nerd 1: Oh, here ya go. [All three give him their wallets] I believe
that's all in order.
Snake: Huh ho! I can't _believe_ that worked.
Homer: [realization dawning] Heyy...that's not the wallet inspector!

http://www.snpp.com/episodes/1F02.html

Only one way to fix it:

Education and consequences.

Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don't understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company's information security. That doesn't necessarily include end users.

My personal philosophy is that end-users should be punished severely for security breaches. Sure the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behaviour, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employement, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in awhile someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.

This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably sacked. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.

Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don't take Information Security seriously, and until they do the rank-and-file won't either.

Education alone is not going to do it. Education that is reinforced with consequences will.

Depends on Enforcement

[sstamps]

I worked as a contractor to a large soft drink company some years back, and their corporate culture made it hard to fire most employees. However, they took improper computer / network use seriously and included it in their corporate code of conduct. Violating the CoC was about the only way you as an employee there could get fired, and they followed it. They even had security walk an upper management person out the door the day his little escapades took down a large segment of the network in his building.

Thus, as far as I have seen, it is all about not only having a good IT department, but having good company policies and proper enforcement to support it.

maybe if the company is ran by idiots

[chillzatl]

. As someone who supports several large companies networks, I've seen both kinds. Some companies just don't care. They think that network problems due to careless, idiot users is just par for the course. They will just continue to pay to have you constantly fix problems that wouldn't be problems if they fired a person or two for screwing things up. Then you have companies that set limits from the get go. The network crew isn't there to pick up after them. In fact they are there to tell the boss who's causing the problems. After a few people get smacked around by the boss, you'd be surprised at how quickly clueless users become caring, semi-responsible users. The only downside is that they call a lot more often asking ridiculous questions. But I guess it's better than the alternative.

Re:maybe if the company is ran by idiots

[FatMacDaddy]

I must be one of the few people who work in a secure environment. We have security rules drilled into our heads routinely, and to a lot of us they're just common sense. Yes, there are people in IT who install unauthorized shareware, but if anyone introduces a virus to the network, whether in IT or not, it's easy to find out where it originated. That person is then made a spectacle of (only as a side effect) by the response staff as they lock down the person's workspace and haul away their PC like it was radioactive. Management, as you might imagine, finds little humor in these events. An occurence like this is a reflection on management (as far as upper management is concerned), and the risk and lost productivity can cost the boss his or her job. Thus, anyone who does this more than once probably doesn't have much network access after that, assuming they even have a job at that point. (Violating the security policy can be cause for termination, and it is enforced.) Just my two cents.

Laziness

[Nuttles1]

At first I was going to post a comment that maybe workers are to busy to worry about security so they leave it to IT to fix problems, but I thought about it and came to the conclusion if somone really is too busy then they won't have time for SPAM type email or for surfing.

So, I thought about it some more and came to the conclusion that it may simply be because of laziness. I work in a group of 12 programmers, 6 of which are either naturally tech savy or keep up with tech. These people have no issues with viruses and stuff like that. The others, the programmers who have been programming the same programming language, in the same industry, in the same one or two programs for 10+ years(granted there are some programmers with 10+ experiance and are not like this but most of them are) haven't read a technical book or done anything but the absolute bare mininum to get by for years and years. If 50% of programmers who SHOULD know better are too lazy to know exactly what they are doing when they are at a computer, what hope do IT departments have with people who think that there job is strictly whatever (accounting, being a doctor, being a pharmacist, etc) and the computers are for IT/Geeks. Too many people do not take pride in everything they do. They are content with being good enough. They are Lazy.

Personal Accountability Is Just No Longer Stylish

[ScentCone]

The problem is that the behavioral culture at work is exactly the same as it is everywhere else. People can't stand hardship, complexity, accountability, or even just the discomfort that comes from having to think for a moment. It shows up in how they drive, how they bank, how they prepare for bad weather, how they marry, how they study for exams, and how they surf. And to the extent that the largess of our economy allows for it to keep happening, it just keeps happening.

The crazy thing is that most of the reasons I've seen for stupid-IT-end-users getting the axe (the ultimate behavior modification) have nothing to do with their poor security-related behavior, but rather for the things they've done that might offend someone. You know:

"Well, of course we'll reset your cracked password again. But when you get back to the field office, be sure to tell Bob that he's probably going to lose his job over that whole Carmen Electra desktop wallpaper thing."

One problem with your fix...

[pentalive]

AC says: "My personal philosophy is that end-users should be punished severely for security breaches. "

I have found, working in various IT departments, that if your users know they will get whacked for having caught a virus, they will never report the virus until it is hurting them worse than IT will. In that case, the virus has spread through other machines and the mess is bigger to clean up.

Re:If your supposed to keep the printer running

[networkBoy]

Failures of the environment should be about as common as power failures.

Except:
Users load the wrong paper in the wrong tray, mix up the color stix in the Phasor, etc. To be sure you could hire extra heads to do these things proactivly (sp?), but you don't have the budget for that. If you rely on the users to notify you then you are back where you started. Usually the user who thinks they know what they are doing are the ones who don't and fsck it up.

In the case of the power line, the system protects its self from the stupid people (or at least ensures they only try once).
-nB

Blaming is a part of the problem

[msblack]

The article is rather light on backing and employs weak logic to reach its conclusions. It also relies on some tired urban legends or scapegoating when it compares sloughy users to renters:

...akin to the difference between how renters feel about their apartments and home owners think of their homes.

These tired ownership society attitudes assume actions result from a lack of vested interest while discounting the training issues.

Other postings in this topic lament being on the receiving end of the blame game. Get used to life because there are many situations where others will shift responsibility to high-horse IT employees who, like most others, are not immune to accusations. A little dialog can go far in diffusing the following situation:

[BOSS] John couldn't get that package out to big client yesterday. Why was the printer down?

[IT] Equipment sometimes fails and we put in 110% to keep things running.

[BOSS] Yeah, we lost a million-dollar contract due to your incompetence.

[IT] I suppose it would be fair to ask why Marketing waited until 4:55 to make their print out?

[BOSS] Because they were putting in 14-hour days for the past week. The printer needs to be working during times of crisis.

[IT] If it was so critical, we would have posted someone to continually monitor the printer had Marketing given us the heads up of their deadline.

If you have an unreasonable boss, run fast. These blame throwing tirades are just that.

IT Departments securing thier own jobs

[Bryansix]

Not only are IT Departments a serious security risk for both the reasons that they give a false sense of security to the end user and that a simple mistake on thier side can have grave consequences. They are also mostly around in an attempt at securing thier own jobs.

It seems to me that 90% of all desktop maintenance could be performed by an informed end user. Instead IT locks down everyones computers and forces the end user to submit a request for help to do the most simple mundane things. These inlcude things like oh I don't know, installing the latest version of Java, Defraging your own hard drive, or changing the power management settings on your laptop. This is so demeaning to the end user that most give up and go with the flow. That is they see education in computers as useless since they can just pick up the phone and ask IT. So the very tactic that IT uses to secure thier jobs ensures that most end users are totally computer illiterate and therefore creates a serious security problem.

Re:IT Departments securing thier own jobs

[VoiceOfDarkness]

90% of maintenance could be done by users but 90% of it would never get done because the average user could care less about system maintenance. Most IT staff are not trying to create job security by locking users out of doing things they are capable of. Most of us are trying to save our jobs by preventing users from horking the rest of the enterprise.

Anyone who has ever had to lock down a Windows system to prevent malicious behaviour knows it isn't easy. Until XP you had to be full administrator just to renew your IP address. You still have to be full admin to run a defrag. 99% of users should never even have power user rights - not to mention admin rights - because they do not understand the consequences of their actions.

Many of us spend days on end tweaking registry settings, file permissions and security policies to make the good stuff work seamlessly for (ungrateful) end users while blocking as much of the bad stuff as possible. Our reward? Being bashed at every opportunity because a user couldn't load the latest version of Flash when he surfed to Jib-Jab.

Re:Windows Only policy is a problem

Any IT Dept that adamantly refuses to incorporate, or even switch to, an alternate OS for purely selfish reasons is certainly a problem.

When upper management asks for recommendations and the same old, tired, arguments for sticking with a Windows Only environment are trotted out by the MCSE's in the basement, then IT is doing the company a disservice.

Bah! You're being ridiculous. The single largest factor in determining which platform a company should use for any given purpose is "what platform does our desired application run on." If the market leading product for your particular purpose only runs on Windows, you're going to run Windows. If your application runs on Linux, you'll run Linux. This is the single biggest hole in the vision of certain OSS zealots (and I do prefer OSS software, just not necessarily Linux 100% of the time).

Here's a perfect example. I was involved with a startup about 2 years ago that was going to be a specialty surgical hospital. This was to be a small (less than 50 bed) hospital that focused on a very narrow branch of specialty medicene. The IT department varied from 3-5 staff members over time, including a director. For this hospital we needed the following systems:

Lab information system
Radiology information system
PACS system
Transcription system
Registration system
Patient accounting system
Clinical documentation system
Clinical ordering system
Medical record system
CPT coding system
Surgery scheduling system
Surgery documentation system
Nurse call system
Security and surveillance system
Numerous database and instrument interface systems
Email system
File and print sharing
Intranet site
Directory services
General office systems
Decision support systems
Database analysis systems
Computerized faxing system
And so on...

Newsflash! This hospital's IT infrastructure could only have been built on a Windows platform. Now I won't say that Windows is the only OS that has all of these sorts of applications available (especially since two of those systems run on AIX servers, though with Windows clients). But if there are OSS, Linux, or Debian versions of these applications they certainly are not best of breed, and they absolutely do not have the support of a large company that is a leader in the healthcare software field. And with a IT department of 5 people or less, they were hardly in a position to "roll their own."

That's probably a more eloquent response than a troll post like yours deserves, but I think that it's important that people realize that it's not the "bunch of MCSEs in the basement" that drives purchase decisions for large companies.

Only if they are hosting UT2K servers

[hawks5999]

I have to say, I've been in more than a few IT departments that use their position and their management's ignorance to host everything from game servers to MP3 servers. Ordinary users can't even think of attempting these activities. It's great to be in IT!!! :D

Re:Bad Analogy.

[An+Onerous+Coward]

No it isn't.

It's more like saying, "If traffic lights are installed, some motorists will behave dangerously while attempting to get through them." If an IT department is making even a minimal honest effort, then it's likely that their efforts are making the computer infrastructure more secure and reliable than they would otherwise be, even if the users are more lax as a result.

Now, you could be in a situation where management "tasks" (stupid verb) the IT department with "making everything secure", and then shoots down every suggestion as inconvenient. At that point, people behave insecurely because the existence of the IT department provides a false sense of security.

At that point, management really should be asking itself whether or not their ineffectual IT department is making things less secure.

Re:If your supposed to keep the printer running

[mungtor]

Utility grade computing is easy as hell if you have the money for it. Who are you kidding?

It's when you get the IT department squeezed into leasing crap copier/printers (for example) that the infrastructure starts to degrade. And you can only have 1, because 2 is a waste compared to flying sales-douches all over the country to wine and dine people who won't buy anything anyway. And suddenly all the execs need $5k Vaio laptops so they look good at meetings, but IT can't get $2000/year to send the backup tapes to offsite storage.

All that said, utility grade users would still be great compared to most of them.

Same thesis, different department

[soft_guy]

It is like saying that having a QA department lowers your quality. Sometimes true. Sometimes not.

I agree

[schoolisdeath]

On your arrogance comment. I was on the IT side of things for around 8 years in 4 different places (including a university) where I was, or was a part of the IT department. We all did things that we would have reimaged a user's computer for. On a daily basis. With one of my co-workers at the univ., I legitimately reimaged (it had died from misuse) more times than any user. wow. Now I'm IT Audit at a big 4 firm... and I see that the IT departments I worked at were actually good. I hear a lot of the arrogance of which you speak. Not to brag or anything, but even the newbies over here are incredibly intelligent and, generally speaking, know more than the senior vps, cios, it directors, etc combined. I think the arrogance is a defense mechanism in most cases for having, in ascending order: a) a crappy job i) crappy mgmt ii) crappy IT security policies b) crappy attitude c) lack of knowledge that's my $.02 But most IT people are better, now that I deal with almost exclusively Fortune 500 people. Which, should be the opposite if arrogance is a result of actual knowledge or success as many people think. btw, I think all the big-4 have enough expertise and experience to audit all your systems, but I may be wrong. ---- my username has a long history, don't asque

Re:Windows Only policy is a problem

[stor]

I won't rehash the reasons why Linux isn't ready for the desktop.

It depends on the business.

I used to work for an ISP that utilised XTerminals w/4M Ram for all departments, including customer service. The apps ran on FreeBSD.

It was a DE of: fvwm (although I ended up moving to olvwm), exmh and Netscape.

Sure it wasn't the prettiest thing in the world and it's not appropriate under all conditions but for the role we had it doing it was fine. No-one complained: they could do their work.

One of the great things was these machines had no hard drive. That alone reduced maintenance costs significantly and when a machine crashed you could reboot with almost reckless abandon.

The XTerminals with centralised server setup is a great demonstration of the elegance and manageability of X and Unix. Having all client data and applications on one server that can be scanned for viruses, backed up, etc. is wonderful. Being able to roll out (or roll back) new versions of applications to all clients by changing one symlink is powerful.

I know you can do similar things with Citrix but I only really hear horror stories about that product and it costs more than most businesses can afford. MS Terminal Services is pretty good but it still feels like an add-on product/hack like VNC rather than a network-transparent desktop environment.

Cheers
Stor

IT needs more balls

[VoiceOfDarkness]

Both sides of this debate are correct. Simply having protection does not create the behaviour you are trying to protect against. BUT, users will get lazy and complacent the more they are coddled. The lazier and more complacent they become the louder they whine and complain. Management looks at the situation and decides IT needs to do more with le$$. It's a downward spiral from there.

We can't rely on acceptable use policies with no teeth. And we can't expect C-level executives to make the rules and enforce them. At the risk of being flamed into oblivion let me say, IT needs to grow a pair and lay down the law.

We need to take a long hard look at the business and figure out what THEIR pain is if the users screw up. You can talk about spyware and anti-virus until you're blue in the face and most non-techies will just glaze over. But, when you tell a sales exec that a "million dollar proposal" could be delayed by several hours because his numb-nut sales reps are infested with spam-bots, ears perk up - FAST.

As painful as it may be, we have to think outside the tech realm. We have to understand what the business thinks is important and play off that. Once you start putting dollar values on consequences - in terms the business can understand - funding and policies with teeth are right around the corner. Or, we can sit and whine like users.

Before anyone says I must be management or an MBA weener let me say Wrong. I've fought this battle for years from the help desk all the way up to network engineering. The only way to stop the madness is to think about it from the business' perspective and put the costs in terms they can understand.

It's the other way around

[Gary+Destruction]

It's not the IT department that's the problem. It's the higher ranking people that whine because their workstations lock after five minutes or because they have to enter their user name in after logging off or rebooting. But those people are so important that if they whine enough, they end up getting their way. Those are also the people that bitch because someone messed with their computer while they were away.

There are two effective ways to deal with this:

[dgh]

Set the rules, anyone who violates them gets fired (maybe three strikes or something for minor things).

Or, you fix your own mess. IT will get to it when they have time.

I've been employed in different companies where one or the other method was practiced, they both work.

Logic?

[OBeardedOne]

Quick! Get rid of the hospitals, they are making us sick!

Yes it is their responsability

[cactux]

The big big company where I am currently working forces me to use windows. I requested Linux, and it would be better for my job: I am either doing email or connected to unix machines (Tru64, HP-UX and Sun).

But no, the corporate 'standard' is windows xp.
That's irony when you know they sell hardware with Linux pre-installed :-/

They forces me to use windows, the security responsability is theirs.

Re:Windows Only policy is a problem

[stor]

Everybody used FreeBSD and Xterms? What accounting package did your finance team use?

Good point. We had an MIS department that produced reports in Perl. They were on Xterminals too.

Sales and Marketing were in a completely different office (in another suburb) and they probably used Windows but I don't know, sorry.

The ISP was a manufacturer of XTerminals before becoming an ISP, hence the unix-centric focus and plenty of spare XTerminals.

I'm sure there must have been a Windows box with Quicken somewhere though. There always is, even if just for payroll... that's why I think you're right in pulling me up on it.

As I stated in my previous post this setup isn't appropriate under *all* conditions. I can't see a graphic design firm or advertising agency taking on this sort of setup any time soon for instance. My point is that this setup is very workable under a very good number of conditions, more than people think apparently.

Cheers
Stor