Friday, March 03, 2006

IT vs. stupid users

Too many company employees have their heads up their asses when it comes to Safe Browsing, Safe Email Interactions, and Safe Filesharing...at work!

I know all about the frivolous forwarded emails that employees circulate: political bigotry jokes, racist slurs, bawdy humor, offensive comedy, ignorant PhotoShop/Poser manips, even superstitious chain letter scams.

IMHO, a large percentage of IT department heads and CEOs must be sissy wimps. They seemingly fear employee backlash and sagging morale if they clamp down on the sloppy employee internet habits. I must admit, I'm not sure why employee slop-puting is tolerated.

Let's take a look at recent article on the subject, from Information Systems Security, an Auerbach online publication.

"Saving Users from Themselves"
http://www.infosectoday.com/
Articles/savingusers.htm

by Jim Fulton, VP Marketing, Green Border

[QUOTE]

Even with the strongest technology safeguards in place, in many cases, IT administrators still only have a limited amount of control over what their users do over the Internet.

[VASPERS: Whoa. Stop. What? Why won't anyone radically question this: "only have limited control over corporate users internet behavior"?

Is the CEO so clueless? Yes, in fact many corporations are looking at downsizing, or *outsourcing* their IT and network security, even *offshore outsourcing* it, to firms in potentially hostile, or politically unstable, foreign nations. Bizarre.]


They [employees] go to unknown Web sites, open e-mail and attachments that might contain dangerous content, and sometimes even upload files or data into webmail or blogs. They'll download unauthorized digital music. Mobile users might turn off their firewall or antivirus software in order to connect in from the field.

[VASPERS: Okay, so where is the company policy and standards statement that is clearly needed here? I blame the mediocre, brain-dead CEOs, again.]

With the advent of spyware and adware, all users have to do is go to a website - even a corporate approved website they go to in the course of doing their job -- and in doing so, unknowingly download some sort of malware.

[VASPERS: This ugly picture of stubbornly stupid employees reminds me of how mommy bloggers expose their babies and infants to predators and abductors by posting hundreds of photos of their children, with private details like names of home towns, restaurants, churches, and other hang-outs, etc.]

In the best-case scenario, valuable IT resources are spent cleaning up, re-imaging and patching infected or dirty systems. In the worst-case scenario, the broader organization is put at risk for data theft or compromise.

[VASPERS: And yet, in spite of this, the CEOs continue to pussyfoot around, prancing like flakes, afraid of "offending" their slaves, er...employees. Gutless wonders, these CEOs.]

Users aren't always to blame for the problems that browsing and e-mail bring.

Hackers are giving way to professional criminals who are using increasingly clever tactics to steal confidential information and infiltrate private data. It's no wonder that the security arms race is never-ending.

However, be that as it may, it is the responsibility of the organization [VASPERS: "organization" is euphemism for CEO and IT department head] to ensure that users remain safe, and don't place themselves or the organization at risk in the course of doing their job.

Add into the mix that Internet and e-mail communications are, more than ever, essential to getting the job done in today's business world.

Employees and the organizations they serve have come to regard Internet access and email as a necessity -- meaning that imposing heavy restrictions doesn't necessarily serve the needs of the company. In fact, such restrictions can become more of a hindrance than an asset, creating a drag on productivity and ultimately, the bottom line.

[VASPERS: Sorry dude, but I must beg to differ. You are wrong. Safe computing habits are *not* "heavy restrictions". But see, we are in a sickeningly "tolerant" and "don't upset or offend anybody" culture of decay and decline. No one has any freaking balls anymore. I don't feel "heavily restricted" by imposing computer usage guidelines on myself and my employees.]

And let's not forget the increasing mobile workforce - more laptops, telecommuters and remote access means more vulnerability to the enterprise. While these improvements all allow for greater productivity and collaboration, they also create an increasing checklist for security.

The challenge becomes even more onerous for small and medium-size businesses. With scarce resources and significantly less IT infrastructure than large enterprises, SMBs often have little or no time to manage and configure every desktop, let alone establish and enforce strict security policies. Unfortunately, however, IT security is like a boat: it takes only one hole, anywhere, to sink it.

[VASPERS: Do you, gentle reader, see the contradictions here? On the one hand, we have a "fear" of "restricting employees". On the other hand, we have catastrophic damage potentials that need immediate attention.

Funny, isn't it (?), how stupid corporations will subject job applicants to "drug tests"... but won't clamp down on internet abuse and foolish computing behaviors of employees.

While I am not advocating illegal drug abuse, there are many employees abusing "legal" prescription mood elevators. There are many employees who are alcoholics, but there are no "alcoholism tests" for new hires or current employees.

If you have a "drug test", why not also have a "safe computing test"?]

The reality is that for the most part, users are unaware, uneducated or frighteningly unconcerned of these risks and their associated consequences.

[VASPERS: And who is to blame? The CEO, COO, CTO, or IT department heads, that's who.

At some companies, when an employee tries to visit an unacceptable site, a big spooky "Warning: Forbidden Site" page appears, accompanied by the text of the Corporate Computing Policy.]

Need proof? Recent findings from the Deloitte Touche Tohmatsu (DTT) 2005 Global Security Survey found that the increasing sophistication of threats (63 percent) and the lack of employee awareness (48 percent) contribute to an environment of exploitable vulnerabilities and weak operational processes.

It's no secret that an effective strategy must include provisions for people, process, and technology. And no matter the size of the company, regulations and internal compliance also affect the way that IT operations are managed.

The trick is to understand how to map the right technology and processes to the people.

The growth of mobile and remote workforces along with the need to make electronic assets available to business partners and customers has made obsolete the idea of implementing security technology to create an impenetrable virtual fortress. Attackers have learned to sneak through, disguised like legitimate content and applications.

[VASPERS: See what the solution is? Not somehow hardening the enterprise against intrusions, so employees can enjoy computing anarchy--but increased training and strict policies for these employees.

Remember, your clueless employees also are *no good* at monitoring their children's computer behavior. Children are over-riding parental controls on the home PC, and visiting hate sites, malware attachment sites, and porno sites.

I hear this all the time: "My PC at home is slow, filthy pop-ups proliferate, and I get viruses."

Then I ask a few questions, and determine it is probably not the parent who is at fault.

Eventually the complainer says, "Oh the grandkids come over and go to all kinds of weird sites, and download music files." Bingo!

The over-pampering fools allow their children and grandchildren to abuse their computers, because they "love" the spoiled little "darlings". ]

Today, IT security is becoming more and more like that in a hotel. There are guards at the door keeping obvious threats out, but rooms are always kept locked, safes are sometimes put in the rooms and guests are warned to be aware of what's happening around them.

[VASPERS: An apt analogy.]

Those responsible for managing IT security must not only consider how to protect the company's assets, but to enable the mission of the organization safely and conveniently for users.

Without convenience, users are tempted to look for bypasses which inevitably becomes a problem. Similarly, it is easier to recognize the habits of the user base and adapt to them rather than imposing radical changes or policies.

[VASPERS: I think the author is trying to say: discover what *legitimate, work-oriented* behaviors users are attempting to use at their computers, and then, if these practices really are in line with the performance of their job duties and company goals, figuring out how to facilitate them safely, legally, and efficiently.]

While there is no silver bullet for IT security, IT administrators should demand strategic accountability from their security vendors. Vendors should be on the hook to create technologies that take the reality of user behavior into account to effectively mitigate risks and fit within the operational network environment.

[VASPERS: I know for a fact that many employee computer behaviors are personal, not job-oriented.

Bloggers post new articles to their personal blogs--at work. They shop for shoes online. Visit Fox News. Check the temperature and local weather reports. They do whatever they can get away with.

Employees whine about "it was on my lunch break".

So what? It's still at work, with the employer's system. I'm not being a "mean" hard-ass, I'm only trying to save corporations from huge costs associated with unsafe surfing and email practices.]

This isn't to say that vendors aren't stepping up to the plate - there is plenty of innovation happening. But it's not so much about building a better mousetrap. Better security is not solely about a multi-functional security agent, having more signatures, more scanning, or a completely locked down desktop.

It starts with changing the way you think about security in the first place.

In the end, smarter "proactive" solutions that complement the cultural and social elements of how users actually interact with the Internet will streamline processes and support people's effectiveness to do their jobs.

Such an approach will also free up security managers to think and act strategically because they are no longer dedicating all their time to repetitive, tactical (yet essential) activities, such as cleaning, re-imaging dirty machines or patching.

Once this recalibration of people, process and technology occurs, security managers will truly be able to save users from themselves.

[END QUOTE]


Please pay attention to Safe Computing Practices, both at work and at home. Or live to bitterly regret your slop-puting BS.


P.S. Here's some main page text from the Green Border site:

[QUOTE]

GreenBorder, the first Desktop DMZ software for Windows, gives you permanent protection — without updates — against Internet attacks, theft, and leakage.

Now, users can safely search, browse, and use the Internet without putting their PCs, your network, or your business at risk.

GreenBorder protects PCs and the networks behind them from being damaged or corrupted — even by advanced exploits other defenses can't catch.

GreenBorder blocks identity theft and keeps confidential and compliance-controlled files from being attacked, stolen or leaked.

GreenBorder lets users safely run all Internet resources while preventing unauthorized software from permanently downloading and installing, protecting enterprise applications — desktop, portal, Citrix-based, or web services — from viruses, worms, keyloggers and other malware.

With GreenBorder, you can give users broader, safer Internet access while eliminating most Internet-related helpdesk calls, reimaging of PCs, patching crises, and leakage of sensitive data. Forever.

[END QUOTE]

4 comments:

carrie said...

i've had jobs where ALL i pretty much EVER did was play on the computer/internet all day long as much as i could possibly get away with. one of my co-workers introduced me to Hot or Not and we would do that almost all day. customers and real work were merely an intrusion.

steven edward streight said...

You go girl. I hope the company deserved your "mutiny". tee hee hee. hey, I ain't no....

sky painter of merit said...

ya, it is funny how companies don't want nobody smokking reefer, but allow them to shop for shoes online and FWD those chain letter scams.."pass this to others, or be cursed." and contains viruses.

Remember the "i love you" subject line virus worm thing? dunces.

harry potter assassination squad said...

you nailed it vaspy. good post. do more like this.