One-Third of Employees Violate Company IT Policies

BaCa writes with a link indicating that a survey of white collar US workers shows that something like a third of all employees break IT policies. Of those, almost a sixth actually used P2P technologies from their work PCs. Overall, the survey indicates workers aren't overly concerned about any kind of security: "The telephone survey found that 65% of white-collar professionals are either not very concerned or not concerned at all about their privacy when using a workplace computer. A surprising 63% are not very concerned or are not concerned at all about the security of their information while at work. Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

I don't believe it

[stoolpigeon]

I'm guessing a more accurate headline would be: One-Third of Employees Admit to Violating Company IT Policies
 
The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

Re:I don't believe it

[Otter]

Also, if I'd been surveyed as to whether checking webmail is "risky", I'd also have said that it isn't. It's certainly not "risky" on the level that downloading and running some P2P application is; it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

Re:I don't believe it

Believe it. IT breaks the most policies because they don't get in trouble and then blame non-IT personnel for doing what they do. I know I used to do it as IT. So don't blame employees. I wouldn't be surprised to see numbers on IT employees and have it show 99% break those policies they themselves enforce!

Re:I don't believe it

[dnormant]

What's sad where I work is it's the helpdesk and desktop administrators that are the worst. We have Websense to block the inappropriate web sites. Then they learned they could VPN in and that basically goes around Websense. Now they're tying up my firewall AND my VPN router.

I already block all p2p, now I'm going to have to block music and video sites too. I don't care what is appropriate or what isn't, I'm tired of my boss asking me why the Interweb is slow.

It sucks being the bad guy but I like my job.

Re:I don't believe it

The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

Some of us just cover our tracks very well.

Re:I don't believe it

[ewhenn]

it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

Personally, I find that this constand password actually *lowers* security. I would like to present myself as an example. We have to change our passwords to something with 3 of 4 items (CAPS,lowercase,numbers, and Special characters). We are required to change our password monthly. So instead of having a nice secure password like "jd%2MdEP!7rqA" that I can remember say... once a year.. I just do something like "Aotepad1"..next month "Botepad1"...next month "Cotepad1" so I can remember the damn thing. Each application requires it's own password, so requireing the average user to constantly change them is going to make them go with poor password choices instead of strong ones.

Sometimes too much "security" is weaker security.

Re:I don't believe it

[Nefarious+Wheel]

"It's easier to apologise than to get permission"

-- From the late Rear Admiral Grace L. Hopper, founder of commercial computing and lead developer of the original COmmon Business-Oriented Language compiler.

Sometimes you have to lead.

Re:I don't believe it

[Architect_sasyr]

Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.

That's because you are, as you say, mere mortals ;)

I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).

And this is why I said you're a mere mortal. As a sysadmin it is imperitive that I not be forced to abide by the same restrictions as those underneath me. I must be able to run security audits against my network, I must be permitted to surf 'hacking' sites to be sure my anti virus scan's correctly and I must be able to download software as necessary. It is a part of my job, just like surfing pornography is the job of the digital market researcher I work with (now that's a cushy job, he's paid to stay on current trends - I'm an admin at a media and design company). However downloading libraries from some unknown source because they say they will do what you need is not necessarily safe, as you should well know. If your admin's are anything like mine they wouldn't care if you downloaded software from source forge, but if you download software from Mom's Friendly DLL Company that is a different story.

If I followed the rules to the letter, I wouldn't download the libraries. But I don't follow them, so by using this software that nobody is "approving" I'm breaking the rules.

Yes, technically you are, but that probably won't be a problem until you try and force that third party software onto production servers, which in my experience developers do after they have downloaded 3rd party libraries no one else has heard of. Yes this is why we have development machines, but it also falls to the IT team to be the ones to make the software work because of this library.

But when did our security manager review the source code for Windows XP to make sure it's OK?

Well hopefully he didn't implement XP as soon as it came out... at least waiting for a service pack and locking it down with Anti Virus and a decent firewall... if he didn't then that's probably a bad security manager you got there.

Just for the record, I've been a developer, a hell desker and a sysadmin, so I know what the battlefield is like on both sides. No doubt others do to.

Re:I don't believe it

[GreyyGuy]

Exactly. Between email retention policies, internet usage, and everything else, I would not be surprised if over 90% of people have violated them. Check your yahoo email at work? Violated company policy. Plugged in a USB drive or your iPod? Probably violated company policy. Installed non-approved software? Anything from IM software to Open Office to spyware checker to p2p software. Violated company policy. Sent your friend/spouse/significant other/family member and email from your work account? Violated company policy. Viewed something risque online at work? Even if not intended, that probably violated company policy.

Silly to think of things that trivial can count, but there are reasonable reasons for them. The problem is that they are all general and not focused on if the person intended to violate them. I would not be surprised if one third of people knowingly violated their company policy.

Re:I don't believe it

[mrchaotica]

I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).

In this case, virus checking is the least of your worries. If you're including those third-party libraries in your software, you need to be getting them approved by your legal department to make sure you're not creating huge copyright violations.

Re:I don't believe it

[COMON$]

hmmm, what about a fear of the unknown, the place I used to work posted a message saying the administrator has been alerted of the activity, nothing breeds fear like 1984 :)

Re:I don't believe it

Who will be fixing your machine when you break it by installing some random third party software: you, or IT?

That's what I thought. I can't imagine why IT might want to exercise some oversight over what you're installing.

Re:I don't believe it

You raise an interesting point. I am astounded by all of this oversight and IT policy-making, while licensing gets virtually no attention. Worse, the IT policy-makers seem to think they understand the implications of all this legal gobbledy-gook. Since we all know they have no clue, everyone just clicks through -- accepting whatever terms are bundled into the EULA. Then again, you have to wonder about the ability of non-officer employees to enter contracts on behalf of a corporation. My authorization (and $1.75) gets you a medium coffee at Dunkin Donuts. Maybe it doesn't matter because the shrink-wrap click authorization is such a dubious concept in the first place.

You would think that the gods of IT would get a few standard EULAs reviewed in-depth, and ensure that nothing is installed with an unapproved license. Instead, they simply buy commercial products and assume that it's OK to install them. Where are the internal audit people? SOX? Helloooooo!

I can think of nothing that would accelerate the adoption of open source faster than mandatory legal review of license terms and conditions. The review process for GPL, BSD, etc. for internal development should be like rolling through a toll booth with a speed pass on your dashboard. Anything else, and it's like waiting for customs to ask a bunch of questions and search your luggage for non-conforming usage. The legal dept. should be sifting through every license (making sure the terms have not changed since the last upgrade) -- holding a series of meetings to compare the expected usage to the authorization granted by the license.

It reminds me of a Star Trek episode where a software glitch causes a space probe to kill anything that is not perfect. Capt. Kirk points out the space probe's own flaws and tells it to proceed with its programming. Luckily, he beams back to the ship before the thing self-destructs. Maybe it's time to tell legal and IT that if these policies are truly worth having, they are worth enforcing to the letter of the law. Let's see where that goes!

You know, if we threw the proprietary vendors out of corporate IT, there would be standardization. As an added bonus, the legal and finance departments would be no longer involved in the procurement process. There would also be fewer choices, but traditional corporate IT is sticking us with mostly bad choices anyway.

of course

[Vanden]

I think most of us could've told them that without all of the silly research.

Seriously though, for most people, unless they know there's a risk of being fired if they don't comply, chances are that they're not going to care about corporate IT policies. Most companies don't actual police them, so what benefit do they have in following them?

While people should be responsible enough to do what their job requires, it falls back on the corporate IT folks to make sure their policies are enforced.

Re:of course

[Aetuneo]

So most people realize, on some level, that the purpose of many of these rules is to make the people administering the network feel safer? For example, if you a company is sued by the RIAA/MPAA on the basis of someone on their network downloading music/movies illegally, they would have the protection of that being against their policies, so they can either fire that person for violating the policies, or pass on the lawsuit (for example, suing that person in turn). Thus, if you know what you are doing, it doesn't matter if it is against the rules unless attention is drawn to it - and unless it is harmful, the worst that would happen is probably a slap on the wrist, and perhaps not even that.

Unreasonable Policies

[bazald]

Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network. Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.

Re:Unreasonable Policies

[WK2]

Some policies just aren't reasonable or well thought out.

Exactly. Most corporate policy lists are like U.S. laws. Excessively numerous and impossible to follow. If you tried, you might get fired not completing your work at the speed of your co-workers. When I was young and naive, a manager actually told me that I can't follow all the policies, and that I just had to do my best to obey what I could, and not get caught for the rest.

I've heard it said that corporate policy exists so that management can point blame wherever they want when something goes wrong, because everybody is breaking the rules. That would be in common with U.S. laws.

Re:What they don't say

[ruewan]

I agree with you totally. There have been so many times that stupid policies made it difficult for me to get my work done. It is often easier to find ways around the security than to go through the proper channels. I had to do that a lot in my last job.

It's a cat and mouse game with IT

[rrohbeck]

Blacklists=>Proxies
Traffic filters=>TOR
etc. etc.

But the real problems are still caused by moron employees who double click on an attachment they got via email. Just happened again last week. The problem isn't people who don't adhere to policies, it's employees who don't have a clue.

And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that.

Re:What they don't say

[moderatorrater]

What I've noticed more of is that there's the "Company IT Policy" (tm) and the actual acceptable use policy. On paper you're not allowed to put any personal files on the computer, browse any non-work-related sites, or use a messenger client. In reality, you can bring in your own music or any work-related programs as long as you take the flak for illegal things, browse sites but only for a reasonable amount of time, and the same for messenger.

Less legal mumbo-jumbo in employee agreements

[failedlogic]

I recall before a lot of companies had terms of network use, a few employees where I worked had been downloading games from warez servers because the company network was significantly faster than anything available at the time. I knew even the network admin was violating this. I very much felt like reporting it, but as an entry-level employee on their first job, 1) I would feel guilty with getting someone fired; 2) I didn't feel like testing management by reporting this and see myself get fired; 3) I didn't really understand the policy and didn't know what to do.

I'll make clear that I wouldn't let this go today.

My point in all this is, some people starting at the company may be aware of activities the admins themselves or other staff are performing which management may not be. My first job was relatively simple and well paid, I have had no beefs with the company. But our Acceptable-use policy book was some 20-30 pages long. This was about 10 years ago. I would rather have had a 1 page document, sign at bottom: I will not download virsues or warez, share company information or NDAs to outsiders, etc on company time. If I know another employee is doing so, please report anonymously to. Violators will be disciplined or fired.

Really, does it really need to be any longer than this or more complicated? It simplifies reporting and makes the issue and repercussions clear. Get the 20 page document too if you must. But the one-pager should be clear to *all* employees regardless of law degree. But help make it clear too, that if you mistype a domain and get a porn site, you shouldn't have to hide it and feel like someone is about to can you (e.g. whitehouse.com vs whitehouse.gov).

Let people browse!

[$criptah]

If you are reading this thread at work, you're probably violating the policy as well. Has anybody actually read the employee handbooks given out on your first day of work? I have never worked for a company where IT stuff did not violate policies to a greater degree. Sure, soccer mom / accountant Jane may look at the news site or shop at gap.com during work hours, but Billy, the director or IT, can run as many P2P applications from the QA lab. I have constantly heard IT engineers bragging about yet another wonderful Quake 3 lunch. It is nothing wrong to have some fun at work, but ordering extra-beefy hardware only for specific individuals so they can play Quake may not sit right with a CFO. What about all that licensed software that magically ends up being installed at home? The about box reads that it is licensed to Some Company while it is being used for personal purposes. Things like this happen all the time. Hell, I had a co-worker who did not mind browsing pr0n and personals online at work. He even bragged about it. Noticed how I stated things in the past tense :) Stupid policies make people break the laws. Just like teenagers love liquoring up despite the fact that it is illegal, white collar professionals like their news sites and forums. There is nothing you can do about it. In fact, if I were a boss, I would encourage people to relax and take breaks once in a while. I seriously see no harm if Johnny-work-all-night-to-meet-deadline takes 10 minutes and reads his Slashdot. As long as work is getting done, who gives a shit about what people do when they have a spare minute.

Re:most employees...

[ivan256]

You really have no grasp on reality, do you?

You think virus protection protects your net work? You missed the entire point. Then you followed it up with a broken car analogy.

Perhaps you should try understanding what you do for a living instead of doing whatever some book and a whole bunch of marketing literature told you to do.

I check in on my machines and make sure they are working. I protect my networks, and make sure that if they *do* get infected they're not going to infect *your* network.

Judging by your comment, on the other hand, you merely install security-blanket style security software on your systems and think that makes you "responsible".

Users have no remorse because they are given zero responsibility. Why should they care if they fuck up your machines? You secured them. They're protected. They're both "safe" because of the protections, and completely disallowed from making any responsible decisions about their own machines, so they take zero responsibility.

You, sir, are the cause of your own user-troubles.

Re:What they don't say

[Kjella]

It's really quite simple - a company is in it for the money. IT policies are there because they save money by not dealing with all sorts of crap. As long as you get your work done and don't create trouble for your coworkers, IT support, the legal department or anyone else most people are willing to overlook things. Note I said overlook, not back down. Don't challenge them or blatantly disregard them, or they have to come down hard on you to make sure everyone knows who has the final say. You have to convince them you're not what I'd call "dangerously competent" - skilled enough to mess around a lot, clueless enough to fuck it all up.

Re:Lol

[vux984]

Not every IT person is gutsy enough to stand up and say "no fucking way".

Not every IT person should. IT is a service industry. They need to make sure they are providing the service that is actually desired.

Downloading torrents is a pig on bandwidth, but unless bandwidth is cramped. So what?

Downloading from external email accounts may carry greater virus risks, but they are going to pick up the messages when they get the laptop home anyway, so the machine comes in infected tomorrow instead of this afternoon. Or they'll pick it up through some webmail account somewhere that you haven't blocked. Or they'll hook up their laptop to their cellphone/pda.

Some IT departments should say "no fucking way". But in a lot of them IT is supposed to simply be providing a secure reliable functional network. That doesn't necessarily mean locking it it down so hard that its reliability reaches 5 9s, and its so secure even the users can't get in half the time, while functionality is at the bare minimum specified in an SLA, while IT pats itself on the back for a job well done.

Meanwhile half the staff have resorted to personal laptops/pdas and cellular data plans because they can't get email from important customers through the company mail server, and they can't access web content they need through the company network without jumping through stupid hoops each and every time... and IT just stands around saying "no fucking way".

For every PHB manager drawing up pointless re-org charts and misusing buzzwords, and marketing moron promsing perpetual motion machines and obsessing over what color they should be, there is an IT-admin somewhere very effectively ensuring his network is as hostile, unfriendly, and as unusable as possible to the people trying to use it.

Like I said, Some IT departments should say "no fucking way". Some environments and situations DO demand that. But many of them say that a hell of a lot more often than is remotely justifiable.