Slashdot Mirror
IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)
Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.
[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.
A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.
Sure, you've told us. Then some genius at JP Morgan decides that the only way I can get the tax documents I need from their secure portal is by clicking a link in an email that they send me. Which, by the way, gmail offers to translate from Slovak, for some reason--extra-special comforting.
When I write them and say, just send me the url so I can log in with my credentials, and not have to click some phish-bait link, they only offer to fax me the document instead.
Oh yeah, sure, users are the problem....
Have gnu, will travel.
A few years back I worked for a company that produced a network security device (Not saying who, NDAs are still in place) sticky notes on monitors with passwords on them were everywhere. We sent out multiple requests for them to me removed, and you can guess the result. We eventually got management buy in, and after more warnings, one Saturday we went around the office and removed every sticky note that even remotely resembled a password. After photographing the placement, and placing each note into an envelope, all were removed. I can still hear the echos of the screaming on Monday morning. :) :)
The best part is two weeks later we did it again. Several people were found with new sticky notes. (One under the keyboard.) these people were given written notice that they would be terminated if it happened again. One person did not believe them, he was terminated for cause about a month later.
I really enjoyed removing his accounts.
First law of people: People are generally stupid.