Slashdot Mirror


One-Third of Employees Violate Company IT Policies

BaCa writes with a link indicating that a survey of white collar US workers shows that something like a third of all employees break IT policies. Of those, almost a sixth actually used P2P technologies from their work PCs. Overall, the survey indicates workers aren't overly concerned about any kind of security: "The telephone survey found that 65% of white-collar professionals are either not very concerned or not concerned at all about their privacy when using a workplace computer. A surprising 63% are not very concerned or are not concerned at all about the security of their information while at work. Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

29 of 320 comments

  1. I don't believe it by stoolpigeon · · Score: 5, Insightful

    I'm guessing a more accurate headline would be: One-Third of Employees Admit to Violating Company IT Policies
     
    The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:I don't believe it by Anonymous Coward · · Score: 5, Funny

      Hell, I'd be happy if 1/3 of our employees could even name all of the IT policies they were breaking.

    2. Re:I don't believe it by vertinox · · Score: 5, Funny

      Or they didn't outright lie, they just didn't even know they had violated company policies.

      I don't know how many times a conversation went like this:

      Me: What's your user name?
      User: It's u2343 and my password is "bobspassword"!
      Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    3. Re:I don't believe it by Anonymous Coward · · Score: 3, Funny


      Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!


      Me: Sigh. Please change your password. Please don't share your password with anyone, including IT staff.
      User: Ok, now I changed it to 'bobspassword2'.
      Me: ARRRRG!

    4. Re:I don't believe it by 33MHz · · Score: 4, Interesting

      Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.

      I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember). If I followed the rules to the letter, I wouldn't download the libraries. But I don't follow them, so by using this software that nobody is "approving" I'm breaking the rules.

      But when did our security manager review the source code for Windows XP to make sure it's OK?

    5. Re:I don't believe it by ewhenn · · Score: 4, Insightful

      it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.



      Personally, I find that this constant password actually *lowers* security. I would like to present myself as an example. We have to change our passwords to something with 3 of 4 items (CAPS, lowercase, numbers, and Special characters). We are required to change our password monthly. So instead of having a nice secure password like "jd%2MdEP!7rqA" that I can remember say... once a year.. I just do something like "Aotepad1"..next month "Botepad1"...next month "Cotepad1" so I can remember the damn thing. Each application requires its own password, so requiring the average user to constantly change them is going to make them go with poor password choices instead of strong ones.

      Sometimes too much "security" is weaker security.
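
The rotation pattern described in the comment above, as an added example that is not part of the original post: every monthly password passes the 3-of-4 composition rule, yet each differs from the last by a single character. The `min_distance` threshold and the function names are assumptions made for illustration.

```python
import string

def char_classes(pw):
    """Count how many of the four policy classes appear in pw."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])

def meets_policy(pw, required=3):
    """The '3 of 4 items' composition rule quoted in the comment."""
    return char_classes(pw) >= required

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def rotation_report(history, min_distance=4):
    """Return (old, new, policy_ok, distance, trivial) for each change.

    Comparing old and new is only possible at change time, when the user
    types both; stored hashes cannot be compared this way.
    min_distance is an assumed threshold, not a value from the post.
    """
    rows = []
    for old, new in zip(history, history[1:]):
        d = edit_distance(old, new)
        rows.append((old, new, meets_policy(new), d, d < min_distance))
    return rows

# The three monthly passwords quoted in the comment.
HISTORY = ["Aotepad1", "Botepad1", "Cotepad1"]

if __name__ == "__main__":
    for old, new, ok, dist, trivial in rotation_report(HISTORY):
        print(f"{old} -> {new}: policy_ok={ok} distance={dist} trivial={trivial}")
```
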
    6. Re:I don't believe it by GreyyGuy · · Score: 4, Insightful

      Exactly. Between email retention policies, internet usage, and everything else, I would not be surprised if over 90% of people have violated them. Check your yahoo email at work? Violated company policy. Plugged in a USB drive or your iPod? Probably violated company policy. Installed non-approved software? Anything from IM software to Open Office to spyware checker to p2p software. Violated company policy. Sent your friend/spouse/significant other/family member an email from your work account? Violated company policy. Viewed something risque online at work? Even if not intended, that probably violated company policy.

      Silly to think of things that trivial can count, but there are reasonable reasons for them. The problem is that they are all general and not focused on if the person intended to violate them. I would not be surprised if one third of people knowingly violated their company policy.

    7. Re:I don't believe it by mrchaotica · · Score: 4, Insightful

      I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).

      In this case, virus checking is the least of your worries. If you're including those third-party libraries in your software, you need to be getting them approved by your legal department to make sure you're not creating huge copyright violations.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    8. Re:I don't believe it by COMON$ · · Score: 3, Insightful

      hmmm, what about a fear of the unknown, the place I used to work posted a message saying the administrator has been alerted of the activity, nothing breeds fear like 1984 :)

      --
      CS: It is all sink or swim...oh and did I mention there are sharks in that water?
    9. Re:I don't believe it by Anonymous Coward · · Score: 3, Funny

      Considering they hire people that can't spell "third" ... ;-)

  2. Lol by jayhawk88 · · Score: 5, Funny

    Of those, almost a sixth actually used P2P technologies from their work PCs.

    In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

    1. Re:Lol by QuantumRiff · · Score: 4, Funny

      And what percentage of the people they called actually responded to the survey? I would kick my users if I found they took time out of the day to talk on the phone about how they break policy (and security) over the phone to a stranger doing a "survey".

      --

      What are we going to do tonight Brain?
    2. Re:Lol by thegrassyknowl · · Score: 4, Interesting

      In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

      It's quite hard to block p2p traffic explicitly while leaving other protocols open. P2P traffic moves in a number of arbitrary ports and uses a lot of protocols. New protocols are coming and going regularly. L7 packet filtering helps with the common protocols but if they are also using encryption you've got bugger all chance of blocking them totally.

      I was playing cat and mouse for a while. Block Kazaa and they move to Emule. Block that and they move to torrent. Block that and they start using gnutella. The game goes on and on.

      The only way I've found to reliably block all p2p and other things without major hassles in the firewall is to block everything, install a proxy server for HTTP, HTTPS and FTP and then only punch out ports from trusted machines and with good valid reasons from people (and a paper trail for those reasons). eg, the PBX can talk to our upstream SIP provider, the mail server can speak port 25 to the outside world but nobody else can and my desktop PC has rsync access to our ISP's file mirror.

      I have procedures in place to get things like torrents because they occasionally have legitimate uses. I have one machine that only I have a user account on. If someone thinks a torrent is useful and related to work they can ask me to get that torrent for them. It keeps them from running clients on their own PCs and still allows them to get files if needed. Half the time they just want torrents of files like Linux distros that are available on our ISP's mirror at no data charge to us.

      With all that security comes problems. The boss wants to violate his own Internet policy (bittorrent for movies and all that) and the new firewall stops him from doing it. He has a personal email account he insists on checking with pop3 but can't now because that's blocked. There are no end of complaints about how all these violating things that used to be possible now aren't. For many admins there is a lot of pressure from management to not block things because the managers want to have a free run. Not every IT person is gutsy enough to stand up and say "no fucking way".

      --
      I drink to make other people interesting!
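
The default-deny egress policy described in the comment above, modelled as an added example that is not part of the original post: a flow leaves only if a rule names its source host, destination, protocol and port, and every rule is expected to carry a paper-trail reference. All addresses, request IDs and names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str     # single trusted internal host
    dst: str     # destination network in CIDR form
    proto: str
    port: int
    reason: str  # paper-trail reference; empty means undocumented

# Constructed policy mirroring the comment: proxy for HTTP/HTTPS/FTP,
# mail server on port 25, PBX to the SIP provider, one rsync exception.
RULES = [
    Rule("10.0.0.10", "0.0.0.0/0", "tcp", 80, "REQ-001 web proxy"),
    Rule("10.0.0.10", "0.0.0.0/0", "tcp", 443, "REQ-001 web proxy"),
    Rule("10.0.0.10", "0.0.0.0/0", "tcp", 21, "REQ-001 web proxy"),
    Rule("10.0.0.20", "0.0.0.0/0", "tcp", 25, "REQ-002 mail server SMTP"),
    Rule("10.0.0.30", "198.51.100.5/32", "udp", 5060, "REQ-003 PBX to SIP"),
    # Constructed gap: a hole punched without a recorded reason.
    Rule("10.0.0.40", "203.0.113.9/32", "tcp", 873, ""),
]

def decide(src, dst, proto, port, rules=RULES):
    """Return the matching rule, or None. No match means the flow is dropped."""
    dst_ip = ipaddress.ip_address(dst)
    for r in rules:
        if (r.src == src and r.proto == proto and r.port == port
                and dst_ip in ipaddress.ip_network(r.dst)):
            return r
    return None

def undocumented(rules=RULES):
    """Rules with no paper trail; these are what a periodic review should flag."""
    return [r for r in rules if not r.reason.strip()]

# Constructed flows: a desktop trying a P2P port, POP3, direct SMTP and
# direct HTTPS, then the hosts that do have exceptions.
FLOWS = [
    ("10.0.0.101", "203.0.113.50", "tcp", 6881),
    ("10.0.0.101", "203.0.113.50", "tcp", 110),
    ("10.0.0.101", "203.0.113.50", "tcp", 25),
    ("10.0.0.101", "203.0.113.50", "tcp", 443),
    ("10.0.0.10", "203.0.113.50", "tcp", 443),
    ("10.0.0.20", "203.0.113.50", "tcp", 25),
    ("10.0.0.30", "198.51.100.5", "udp", 5060),
]

if __name__ == "__main__":
    for flow in FLOWS:
        rule = decide(*flow)
        print(flow, "ALLOW: " + rule.reason if rule else "DROP (default)")
    for r in undocumented():
        print("no paper trail:", r)
```
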
    3. Re:Lol by vux984 · · Score: 3, Insightful

      Not every IT person is gutsy enough to stand up and say "no fucking way".

      Not every IT person should. IT is a service industry. They need to make sure they are providing the service that is actually desired.

      Downloading torrents is a pig on bandwidth, but unless bandwidth is cramped. So what?

      Downloading from external email accounts may carry greater virus risks, but they are going to pick up the messages when they get the laptop home anyway, so the machine comes in infected tomorrow instead of this afternoon. Or they'll pick it up through some webmail account somewhere that you haven't blocked. Or they'll hook up their laptop to their cellphone/pda.

      Some IT departments should say "no fucking way". But in a lot of them IT is supposed to simply be providing a secure reliable functional network. That doesn't necessarily mean locking it down so hard that its reliability reaches 5 9s, and it's so secure even the users can't get in half the time, while functionality is at the bare minimum specified in an SLA, while IT pats itself on the back for a job well done.

      Meanwhile half the staff have resorted to personal laptops/pdas and cellular data plans because they can't get email from important customers through the company mail server, and they can't access web content they need through the company network without jumping through stupid hoops each and every time... and IT just stands around saying "no fucking way".

      For every PHB manager drawing up pointless re-org charts and misusing buzzwords, and marketing moron promising perpetual motion machines and obsessing over what color they should be, there is an IT-admin somewhere very effectively ensuring his network is as hostile, unfriendly, and as unusable as possible to the people trying to use it.

      Like I said, Some IT departments should say "no fucking way". Some environments and situations DO demand that. But many of them say that a hell of a lot more often than is remotely justifiable.

  3. What they don't say by kpainter · · Score: 5, Interesting

    There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

    1. Re:What they don't say by moderatorrater · · Score: 5, Insightful

      What I've noticed more of is that there's the "Company IT Policy" (tm) and the actual acceptable use policy. On paper you're not allowed to put any personal files on the computer, browse any non-work-related sites, or use a messenger client. In reality, you can bring in your own music or any work-related programs as long as you take the flak for illegal things, browse sites but only for a reasonable amount of time, and the same for messenger.

    2. Re:What they don't say by Kjella · · Score: 3, Insightful

      It's really quite simple - a company is in it for the money. IT policies are there because they save money by not dealing with all sorts of crap. As long as you get your work done and don't create trouble for your coworkers, IT support, the legal department or anyone else most people are willing to overlook things. Note I said overlook, not back down. Don't challenge them or blatantly disregard them, or they have to come down hard on you to make sure everyone knows who has the final say. You have to convince them you're not what I'd call "dangerously competent" - skilled enough to mess around a lot, clueless enough to fuck it all up.

      --
      Live today, because you never know what tomorrow brings
  4. Unreasonable Policies by bazald · · Score: 5, Insightful
    Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

    Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network.

    Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.
    --
    Insert self-referential sig here.
  5. And then there is 1/3 ordered to violate.. by Maxo-Texas · · Score: 4, Interesting

    by executives to make unrealistic deadlines which they decided without IT input.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  6. It's a cat and mouse game with IT by rrohbeck · · Score: 4, Insightful

    Blacklists=>Proxies
    Traffic filters=>TOR
    etc. etc.

    But the real problems are still caused by moron employees who double click on an attachment they got via email. Just happened again last week. The problem isn't people who don't adhere to policies, it's employees who don't have a clue.

    And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that.

  7. Where I work... by Toreo+asesino · · Score: 5, Interesting

    ...there's a very relaxed IT policy.

    Browse whenever you want, take whatever software you want home, check your email if you want, everyone's their own local admin, no audits.

    However, if you get caught with illegal software, miss a deadline because of blatant time-wasting, then you get fired (for continuous abuse). People work not because of policy, but because they want to do well and enjoy what they're doing.

    I happen to also work in one of the biggest names in IT too....not some small company. The policy works very well, as is evident from the company's success and the fact people rarely leave. That and brain-implants, anyhow.

    --
    throw new NoSignatureException();
  8. So, by no-body · · Score: 3, Interesting

    what is wrong here? Rules or people?

    Whenever rules are broken, something of the two is off.

    Remedies are not always adequate and can lead to more trouble.

  9. Re:When Policies are set by PHB's and you need to by Otter · · Score: 4, Funny
    "Today, a coffee cost $1.99 + TAX!"

    And is that the phrase for the dental plan password, the diversity training registration password, or the office supply purchasing password? Or an older phrase for one of them, as each one needs to be changed (out of sync!) 6 times a year.

  10. policy? by bigdavex · · Score: 4, Funny

    I'm not supposed to post on internet forums.

    --
    -Dave
  11. Re:most employees... by ivan256 · · Score: 5, Interesting

    I've actually tried this little social experiment.

    I run the network for my mother's company for free, so I'm allowed whatever liberties I'd like in deciding policy instead of having it dictated by a boss. They've got over 20 machines, and they aren't formally assigned, so if one goes down it's not the end of the world, the employee can use one at another desk for awhile. Usually they use the same one every day though.

    The experiment was this:

    Four new employees. Four new Windows XP Professional PCs. All use Firefox for a browser and Thunderbird for e-mail, along with the proprietary manufacturing/sales app that they run their business with. Two machines got Symantec anti-virus, and the other two got no anti-virus. They were told that since we don't have a copy for that machine, they'll just have to be extra careful about what documents they open, and how they use their e-mail. (We really were out of licenses/subscriptions, which is how this started)

    After three months, both of the AV-free PCs were completely fine, and one of the machines that had the anti-virus was running a botnet spammer (the outgoing spam was being blocked by the firewall). The most amazing bit though, was that the fear of not having anti-virus protection had stopped users of those two machines from doing most of the non-viral bad stuff that average windows users do. There was no proliferation of toolbars, no weatherbug.... They didn't even have realPlayer.

    It's amazing what a false sense of security people get from running anti-virus software. They don't even realize that they still have to be careful because 0-day threats aren't in the latest virus definitions yet. They think they can do whatever they want, because they are protected.

    The whole company has since gone anti-virus free on the desktop, and problem reports and performance complaints have dropped way down. Education and a healthy dose of respect for the evils of the world work better than any anti-virus on the market. And the cost savings are nice too.

    (There is still some basic protection in place. All internet access is through a secured web proxy. Non-http traffic isn't allowed. Intrusion detection on the firewall, etc... And the servers are still scanned, AVG on the windows servers, chkrootkit on the linux servers.)

  12. Let people browse! by $criptah · · Score: 3, Insightful

    If you are reading this thread at work, you're probably violating the policy as well. Has anybody actually read the employee handbooks given out on your first day of work? I have never worked for a company where IT staff did not violate policies to a greater degree. Sure, soccer mom / accountant Jane may look at the news site or shop at gap.com during work hours, but Billy, the director of IT, can run as many P2P applications from the QA lab. I have constantly heard IT engineers bragging about yet another wonderful Quake 3 lunch. It is nothing wrong to have some fun at work, but ordering extra-beefy hardware only for specific individuals so they can play Quake may not sit right with a CFO. What about all that licensed software that magically ends up being installed at home? The about box reads that it is licensed to Some Company while it is being used for personal purposes. Things like this happen all the time. Hell, I had a co-worker who did not mind browsing pr0n and personals online at work. He even bragged about it. Noticed how I stated things in the past tense :) Stupid policies make people break the laws. Just like teenagers love liquoring up despite the fact that it is illegal, white collar professionals like their news sites and forums. There is nothing you can do about it. In fact, if I were a boss, I would encourage people to relax and take breaks once in a while. I seriously see no harm if Johnny-work-all-night-to-meet-deadline takes 10 minutes and reads his Slashdot. As long as work is getting done, who gives a shit about what people do when they have a spare minute.

  13. Re:of course by Aetuneo · · Score: 4, Insightful

    So most people realize, on some level, that the purpose of many of these rules is to make the people administering the network feel safer? For example, if a company is sued by the RIAA/MPAA on the basis of someone on their network downloading music/movies illegally, they would have the protection of that being against their policies, so they can either fire that person for violating the policies, or pass on the lawsuit (for example, suing that person in turn). Thus, if you know what you are doing, it doesn't matter if it is against the rules unless attention is drawn to it - and unless it is harmful, the worst that would happen is probably a slap on the wrist, and perhaps not even that.

    --
    Everything is subjective.
  14. Re:most employees... by ivan256 · · Score: 4, Insightful

    You really have no grasp on reality, do you?

    You think virus protection protects your network? You missed the entire point. Then you followed it up with a broken car analogy.

    Perhaps you should try understanding what you do for a living instead of doing whatever some book and a whole bunch of marketing literature told you to do.

    I check in on my machines and make sure they are working. I protect my networks, and make sure that if they *do* get infected they're not going to infect *your* network.

    Judging by your comment, on the other hand, you merely install security-blanket style security software on your systems and think that makes you "responsible".

    Users have no remorse because they are given zero responsibility. Why should they care if they fuck up your machines? You secured them. They're protected. They're both "safe" because of the protections, and completely disallowed from making any responsible decisions about their own machines, so they take zero responsibility.

    You, sir, are the cause of your own user-troubles.

  15. Re:I don't believe it - bofh handbook reply by cumin · · Score: 3, Funny

    User: Ok, now I changed it to 'bobspassword2'.

    Me: Sorry, we can't both know your password, so I changed it.
    User: To what?
    Me: If I told you, then we'd both know it wouldn't we? yuk yuk yuk
    User: [grumbling] Okay, I'll change it, but I won't tell you this time.
    Me: Okay, it's temporary though, and will force you to change it when you log in, ready?
    User: *sigh* ready.
    Me: [mumble: random, okay] a;@#aslkdfQQQ$@$#%faWerrr@!!a;lskd1.

    Nobody, but nobody leaves their password as the one I give them. Few tell me twice.

    --
    Back in my day when we chiseled our bits into stone and sent them by mule train from village to village...