Slashdot Mirror


The Enemy Within the Firewall

Mel Tom writes to tell us The Age is reporting that many businesses are now considering employees a much bigger threat to security than most external threats. From the article: "With email and instant messaging proving increasingly popular and devices such as laptop computers, mobile phones and USB storage devices more commonplace in the office, the opportunities for workplace crime are growing."

15 of 265 comments

  1. One thing is sure by LunaticTippy · · Score: 5, Insightful

    If companies treat their employees like criminals, they are likely to get what they expect.

    --
    Man, you really need that seminar!
    1. Re:One thing is sure by ditoa · · Score: 5, Insightful

      Treating your employees like criminals and restricting access to data that they have no business in accessing are very different things. Remember you own nothing at your work, it all belongs to the company. Restricting access to things you do not own is not treating you like a criminal.

    2. Re:One thing is sure by LunaticTippy · · Score: 5, Insightful
      I realize there are risks, and agree that appropriate security needs to be in place.

      You're right that I was responding to the tone of the article and headline.

      I've worked for companies that think of employees as liabilities they reluctantly put up with because there isn't another option. It comes through loud and clear in their policies. Security measures that add no security but are humiliating, stark double standards for management and staff, headlines about corporate malfeasance and record-breaking bonuses, etc.

      I think treating employees like family is a better approach. Give them some trust, but have policies in place. My mother, for example, has a computer with very strict security policies that she can't change. That is appropriate, and she has thanked me for it. Same approach will work for employees.

      --
      Man, you really need that seminar!
  2. And this is new? by Trevahaha · · Score: 5, Insightful

    Isn't this covered in Security 101 -- most instances of stealing information, destroying data, etc. occur from the inside (or ex-employees).

  3. This Has Been Why... by ackthpt · · Score: 5, Informative

    This has been why email attachments are regularly stripped and IM is forbidden here. Still, we get stuff because people bring it in on CDs, infected PDAs in dock, etc.

    --

    A feeling of having made the same mistake before: Deja Foobar
    1. Re:This Has Been Why... by ackthpt · · Score: 5, Interesting
      If you trust your employees, you might find a lot less security breaches. Many breaches are only due to an employee with an axe to grind.

      That's a bit naive. Most of our employees are devious little buggers. As soon as no-one is looking they're sending amusing flash/avi/mpeg between themselves, forwarding jokes someone outside sent to their gmail account (and they've cut-n-pasted them into work mail), etc.

      What it really comes down to is establishing a policy and what sanction will be forthcoming on violations. I knew one company that had zero tolerance. A couple sackings and everyone left was quite clear on proper behaviour.

      --

      A feeling of having made the same mistake before: Deja Foobar
  4. Then the ONLY real solution is... by 3D+Monkey · · Score: 5, Funny

    to get rid of all the employees.

    Seriously, how can anyone get any work done with all these security risks running around?

  5. crime opportunities by pretygrrl · · Score: 5, Interesting

    I work for a consulting firm that provides all types of HR services. We get data on client personnel that includes EVERYTHING: SSNs, addresses, spouse info, dates of birth, EVERYTHING.
    The article mentions scarce spending on addressing internal security threats: I'm looking around my office, and there is just nothing you can do! Even if you completely lock down desktops (the latest image was set up so as to disable all HW and SW installs, and I personally had an admin pw within days!), there is still email. And loaner laptops.
    I hear that this type of complete personal information fetches $10 per record amongst certain unscrupulous Brooklyn programmers.
    Come to think of it... where DID I put all my floppies?

    --
    Contemplate the marvel that is existence, and rejoice that you are able to do so.
  6. Who is the enemy? by Y-Crate · · Score: 5, Insightful

    While businesses should take reasonable precautions to secure their networks, data and physical assets, I've found that the employer/employee relationship is beginning to evolve into one of suspicion and severe distrust that is fostering resentment, anger and inhibiting productivity. No one wants to work anywhere they are treated as being one step removed from a hardened criminal from the moment they walk in the door on their first day. There is a fine line between taking sensible precautions to prevent opportunistic breaches of security, and indulging in paranoia and broadcasting an implicit belief through actions and words that everyone there is just waiting for the right moment to take the entire company for all they're worth.

    Employees are no longer being thought of as possible risks, but confirmed dangers that must be actively confronted every step of the way. Proactive security measures enacted in a passive way that does not interfere with day to day work in an unreasonable fashion, or impact the work environment in a disproportionate manner are giving way to managers that are far more focused on what their employees are deliberately doing wrong, than on the actual work at hand.

    By creating this atmosphere of hostility and distrust which cannot be overcome by proving oneself through hard work and carrying out duties in a thoughtful, honest way, managers are encouraging high turnover, poor communication between workers, poor attitudes towards work and customers, and an atmosphere of little or no respect for the organization which anyone can tell you is the first step towards encouraging workplace crime.

  7. All employees or just executives? by gcauthon · · Score: 5, Insightful

    I like how they lump everyone into one big category. Unless you've been living in a cave for the past 5 years, it should be obvious who the biggest crooks are. Hint, they all have 3-letter acronyms for titles.

  8. Is security the answer? by loony · · Score: 5, Insightful

    If you're in a situation where you really have to worry that much about your own people, doesn't that just show that management has failed to provide a good working environment and create loyalty?

    The only effect of security is going to be that the few loyal employees you have get pissed and turn against you too. And for anyone who has done only a little bit of hacking, we all know useful security is way too expensive... You'd need to audit virtually everything that's going on on a server and there are only a few government agencies that can afford that much money.

    So why not do something more useful with the money? Free coke for employees on Tuesdays. Or fix that darn pothole at the entrance of the parking lot. Put a few plants up in the office... That is all money better spent than on some lackluster, process-bound security measures...

    Peter.

  9. Re:opportunities for workplace crime are growing? by helix_r · · Score: 5, Insightful


    If an employee wants to screw up his employer, there are 1001 ways to do that-- with or without involving IT staff or systems.

    There is nothing new here except that more and more companies are treating their employees as disposable temps that can be dropped simply to increase share price. It is not surprising that in today's environments employees are more likely to feel they need revenge.

    Security lapses happen for a reason. Instead of attempting the Sisyphean task of "locking down" all systems, perhaps companies should address the root causes that incentivise their employees to behave badly.

  10. Who do you trust then? by Vapon · · Score: 5, Insightful

    If you can't trust employees, who is securing the network for you? As a network admin I have full access to a company's full network within a week of starting a new job, otherwise I am unable to do my job.

    There will always be a level of trust needed between employers and employees since even if the president of a company can set up the security for a company they would still have to trust someone to enforce it, and that person would have the ability to abuse.

  11. Make Sure You Own It! by Anonymous Coward · · Score: 5, Insightful
    You don't own it, but companies expect the same loyalty as if you owned it.

    See the contradiction? Why should an employee care about something they don't own?

    Given that the majority of companies wouldn't hesitate to act against the employees' interest if there is any suggestion of compromising the company's interest, why should an employee protect a typical company's interest apart from doing the bare minimum required to preserve their own job?

    Companies are just reaping the "benefits" of years of treating employees as "production units".

    Yes I'm posting as an AC because I don't want any potential employers to know that I don't really care about their company apart from the fact it pays me money.

    (I'm not advocating slacking off in life or being bitter and twisted. Just make sure the things you dedicate yourself to are either THINGS YOU OWN or a charitable cause that you think is worthy. Working for someone else's profit is what you do to make money so you can do what really matters. Don't dedicate your life to making profit for someone else.)

    1. Re:Make Sure You Own It! by Anonymous Coward · · Score: 5, Insightful

      You don't own it, but companies expect the same loyalty as if you owned it.

      See the contradiction? Why should an employee care about something they don't own?


      >>>Because of a phenomenon known in scientific circles as the paycheck.

      There is a fundamental point overlooked here. I assume you're just being flippant, but the original poster didn't say he planned on destroying or stealing, only that he didn't care. The man in the apartment downstairs from me has a nice car, and I respect the car by not doing anything untoward to it, but I don't care about the car. The paycheck will make us work on things we wouldn't otherwise work on. It won't make us care.

      Now if pride of work can be achieved, then I'll care.