Discussion on:

Security and customer service: Why they go hand in hand

It's true that sometimes an end user circumventing security policies is just someone that feels the IT department is holding him/her back, and that there needs to be some kind of attempt to address the (perceived) needs of that end user. It's true that sometimes a policy of prohibiting certain behaviors is too broad and restrictive.

On the other hand, there are times when such policies are exactly what they need to be, and an employee violating those policies can lead to tremendous problems and expenses for the company. Sometimes, when end users are prohibited from visiting a given website, it's because that website is loaded up with malware that can directly impact security. Sometimes, the end user needs to be restricted from certain behaviors, and that end user needs to stop trying to get around those restrictions.

If an employee is doing something that exposes the company directly to such risks, and is doing so in a manner that is obviously in violation of security policy, that employee may need to be disciplined or even fired. It's harsh but true.

On the other hand, if the end user manages to get around the technical restrictions that would keep that end user from circumventing policy, or if the end user has reason to think it's "not that bad" because there are other, similar policies prohibiting behavior that isn't detrimental to the company, the people in IT who institute such policies may also need to be reviewed. Violating security policy is bad, but diluting it with arbitrary and unnecessary restrictions is just as bad, in part because it can ultimately encourage people to violate security policy.