Slashdot Mirror


IT Departments Are A Security Risk

stlhawkeye writes "An article at Information Week asks the question - is your IT department a security risk? The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess. 'That confidence,' says the article, 'leads workers to do risky, even stupid, things at work, such as opening questionable e-mail messages or clicking on unknown Web site links.' Employee education and training doesn't help, either: '[S]ome workers slough off responsibility for even knowing about threats. Workers in larger companies don't worry about being educated. Big company employees just don't see security as their responsibility.'"

15 of 282 comments

  1. Different Interpretation by fembots · · Score: 4, Interesting

    I read the summary as if the IT Department itself is a security risk, because they have the highest level of access to everything on the network, and one wee mistake, such as failure to lock an unattended admin PC, inappropriate disposal of a backup tape, a misconfigured spam filter and whatnot, can easily knock out the company for at least a few hours or cause great harm.

    Having said that, it's also true that computer users protected by a competent IT Department do get spoiled, and when they're out with a laptop, they can easily be infected on a dial-up. It's like kids with over-protective parents, who are likely to get hurt/scammed/killed more easily when they're alone.

    This naturally leads to the most important discussion in the article, i.e. user education. And I believe in order to really get the message through, IT Department needs to have some sort of security drill (like fire drill, annoying but everybody gets the idea after several attempts).

    For example, if a user clicked on an obviously suspicious link (spoofed by yours truly, the IT Department, of course), his computer will be taken away for "maintenance" for a week, and he'll be assigned to another area of the office with a crappy machine. This way, not only does he suffer for his action, but others will know why he is working at the "Concentration Cubicle".

    1. Re:Different Interpretation by wwest4 · · Score: 4, Insightful

      > I read the summary as if IT Department itself is a security risk

      Your instincts are right. The article underrepresents this idea. An unchecked IT staff is the single greatest security risk a company typically has. Admins who don't check backups, who are not beholden to SLAs, who see themselves as excepted from policy, who are not externally required to maintain security, or who make cavalier changes are much worse than all but the most malevolent/careless users.

      User education is a good idea, but it's still largely up to IT. That's our job, because we are in the best position to do it. If we don't at the very least prominently publish a policy and make it accessible (to a reasonable degree), we can't very well expect the user to intuit and follow it.

      The whole concentration cubicle/punitive response idea is just stupid (it's unethical and it wouldn't work), but your other points are good.

    2. Re:Different Interpretation by NDPTAL85 · · Score: 5, Insightful

      Wow. With your comment you sum up the real problem with IT depts. You assume you are even on the same level of importance with those you serve, let alone superior.

      You are not there to "grant" the privilege of computing. You are there to "support" it. The people who do the actual work of the company are the ones who bring the money in. So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.

      --
      Mac OS X and Windows XP working side by side to fight back the night.

    3. Re:Different Interpretation by Pharmboy · · Score: 4, Interesting

      Personally, I think you have to have a little more respect for the IT dept. than to just say they are there to "support" IT.

      They are there to support IT as it applies to work, but not to remove spyware and viruses because employees visit porn or other inappropriate sites. Over 90% of the problems we have with computers are related to activities that are within acceptable policies, such as roaming around on the wrong kinds of sites. One of the problems is that employees see their computer as "their computer", and not as a tool for their use that is owned by the company.

      A perfect example: I get many complaints from employees that they do not have speakers on their computers. There is NO task we do that requires sound. The only possible use they could have for speakers is unauthorized uses of the computers.

      I do everything I can to ignore other uses as long as it does not cause problems. Go ahead, read news, research stocks, as long as you are smart enough to avoid problem sites. Getting 1000 spam mails a day? Likely using company email for personal reasons, and I shouldn't have to support that.

      Actions that have no consequences are often repeated. The only cure is accountability for employees who use their computers for non-business related activity.

      --
      Tequila: It's not just for breakfast anymore!

    4. Re:Different Interpretation by QuestorTapes · · Score: 4, Informative

      > You are not there to "grant" the privilege of computing. You are there to "support" it.

      Good point, although you stated it more bluntly than I would have.

      > The people who do the actual work of the company are the ones who bring the money in.

      True, although sometimes this is the IT staff.

      > So if they want to open risky attachments, then fine. Harden your network to brace for that and be done with the issue.

      The management at most firms I know would not agree with this. It's not enough to harden the network. Users who open risky attachments can lose data from their local drives which is difficult or impossible to replace. Even if the network prevents infection, a great deal of damage can still be done.

      I feel that IT support and IT security decision making need to be separate functions. Support people are not the right ones to restrict the actions of the staff, but sometimes it is necessary to do so. And sometimes the people who need to be restricted are the IT support staff.

    5. Re:Different Interpretation by BVis · · Score: 4, Insightful

      > What company would go for the idea of willfully lowering productivity?

      What company would stand for allowing their employees to waste company time and resources on Weatherbug and porn and warez?

      Yes, it would negatively impact productivity in the short term, but in the long term, one of two things would happen: Either the "repeat offenders" would change their behavior, or their productivity would be reduced to the point where they became redundant.

      Of course, this is in the fantasy world where IT workers are actually allowed to do their jobs (keeping the computers running smoothly and enhancing profitability for the company by improving efficiency), and where anyone in management can see beyond this quarter.
      --
      Never underestimate the power of stupid people in large groups.

  2. Solution in three easy steps: by Anonymous Crowhead · · Score: 5, Funny

    1. Get rid of IT department
    2. Let company infrastructure rot
    3. Rehire IT department

    Sounds like a management decision to me.

  3. This wouldn't explain ... by subsoniq · · Score: 5, Insightful

    Why home users get into so much trouble. I don't think it's because they feel they can ignore security due to the existence of an IT department to clean up their mess; I feel it's because they try to think of this technology like any other technology, a black box that you push a few buttons and turn a few dials on, something that is completely harmless.

    Our company has consequences for stupid user action, up to and including employment termination, so users are "motivated" to learn the dangers that might confront them and how to avoid them.

  4. IT departments are dangerous if arrogant by Shivetya · · Score: 4, Insightful

    I can't count how many times each DAY that I hear and/or see someone in IT doing something they would scream at a "user" for doing.

    It is plain and simple arrogance. From trash talking users to mocking auditors, I see it all. Best yet, all the work done to keep users from doing something bad is amazingly and commonly thwarted on the machines of the same IT staff.

    In charge of security administration, most likely to bend the rules too.

    Yeah, there are good IT departments, and I am not saying where I work doesn't have a good one. Parts are very good, but it isn't hard to find rules bent somewhere at any one time. If not for someone whose title begins with a "C", then it's for someone in favor.

    It doesn't help when you have so many different system types that you cannot find a single auditing company capable of covering them all. Of course it doesn't help when you don't take advantage of the opportunity SOX did provide and instead keep business as usual, just documented.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.

  5. Sounds reasonable by maromig · · Score: 4, Insightful

    Any time a group gets into the role of over-functioning for another, the other group starts to under-function. This isn't limited to IT and corporations. It would explain, among other things, why the poorest and most dependent folks in NO were not more proactive with their own future in that disaster, instead waiting on the Government and charities to over-function for them. That choice was much more risky for them than just getting out of town earlier, like many others decided to do on their own.

    --
    ------ Michael A. Romig

  6. This has nothing to do with the parent by jim_v2000 · · Score: 4, Insightful

    But I think someone just needs to point out that STUPID people are a security risk everywhere they are present.

    --
    Don't take life so seriously. No one makes it out alive.

  7. Hot potato by SuperBanana · · Score: 5, Interesting

    > The thesis of the article is that rank-and-file employees will tend to engage in dangerous/insecure/irresponsible computing and internet behavior if they know that there's an IT department to clean up the mess.

    After almost a decade in IT, I can tell you why there is this expectation. When it comes to fuckups, IT is usually the last guy to get the hot potato, and they're expected to save the day.

    Any time a user screws up, the IT department is EXPECTED to save the day by upper management. If they don't, it is (rarely) the fault of the employee, it's the fault of the IT department for not anticipating such a need, or not being available at a second's notice, or simply not being able to save someone else's bacon. Often times we're asked to perform miracles.

    It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, and the car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and for failing to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man, expected to resurrect deleted+overwritten files...

    Another example- it's 4:55pm and Fedex comes at 5 to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57. There's something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn't go out? Usually the IT department. "Why was the printer broken? Why couldn't you fix it?"....not, "Bob, why did you wait until 5 minutes before your deadline?"

  8. Only one way to fix it: by Anonymous Coward · · Score: 4, Insightful

    Education and consequences.

    Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don't understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company's information security. That doesn't necessarily include end users.

    My personal philosophy is that end-users should be punished severely for security breaches. Sure, the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behaviour, otherwise they will continue to do it. Nearly every company has an IT AUP. Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in a while someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with flash animations in them? Nobody.

    This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building she would be disciplined and probably sacked. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.

    Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don't take Information Security seriously, and until they do the rank-and-file won't either.

    Education alone is not going to do it. Education that is reinforced with consequences will.

  9. Laziness by Nuttles1 · · Score: 4, Insightful

    At first I was going to post a comment that maybe workers are too busy to worry about security, so they leave it to IT to fix problems, but I thought about it and came to the conclusion that if someone really is too busy then they won't have time for SPAM-type email or for surfing.

    So, I thought about it some more and came to the conclusion that it may simply be because of laziness. I work in a group of 12 programmers, 6 of which are either naturally tech savvy or keep up with tech. These people have no issues with viruses and stuff like that. The others, the programmers who have been programming the same programming language, in the same industry, in the same one or two programs for 10+ years (granted, there are some programmers with 10+ years' experience who are not like this, but most of them are), haven't read a technical book or done anything but the absolute bare minimum to get by for years and years. If 50% of programmers who SHOULD know better are too lazy to know exactly what they are doing when they are at a computer, what hope do IT departments have with people who think that their job is strictly whatever (accounting, being a doctor, being a pharmacist, etc.) and the computers are for IT/Geeks? Too many people do not take pride in everything they do. They are content with being good enough. They are Lazy.

  10. Re:IT Departments securing their own jobs by VoiceOfDarkness · · Score: 4, Insightful

    90% of maintenance could be done by users but 90% of it would never get done because the average user could care less about system maintenance. Most IT staff are not trying to create job security by locking users out of doing things they are capable of. Most of us are trying to save our jobs by preventing users from horking the rest of the enterprise.

    Anyone who has ever had to lock down a Windows system to prevent malicious behaviour knows it isn't easy. Until XP you had to be full administrator just to renew your IP address. You still have to be full admin to run a defrag. 99% of users should never even have power user rights - not to mention admin rights - because they do not understand the consequences of their actions.

    Many of us spend days on end tweaking registry settings, file permissions and security policies to make the good stuff work seamlessly for (ungrateful) end users while blocking as much of the bad stuff as possible. Our reward? Being bashed at every opportunity because a user couldn't load the latest version of Flash when he surfed to Jib-Jab.