General discussion

Employees don't care if the business fails

By Jay Garmon, Contributor
TechRepublic's own blogger extraordinaire HutchTech fired off this missive recently, which got me wondering whether everyone agrees that employees willfully ignore security precautions at work because they don't fear consequences.

"I recently came across this Trend Micro report in a SANS newsletter which claims that employees take more risk on the net at work because they believe their IT department will protect them. While this might be what they said in the survey, the real answer is far more sinister: employees don't care if the business fails.

"Let's face it, if you knew you wouldn't have been caught pulling the fire alarm at school so that you could postpone that math test, would you have done it? The same moral dilemma faces those who use their PCs at work. Employees (particularly in larger corporations) don't see the real harm of network downtime--it's just a paid break. And if they don't see people getting fired for abuse (I'm not talking about porn here, but shopping, blogging, gambling, etc., etc.), what risk do they really take in abusing their Internet access? Besides, if you do happen to infect the network with the latest worm, you're just a poor, little end-user and you're really, really sorry. And how many IT departments are actually going to track the thing down once the fire's been put out? Not many--the standard e-mail reminder to be more careful will have to suffice (oh, and remember to attach a copy of the corporate e-mail/Internet policy).

"While I am not excited about Apple, Microsoft, et al. taking a stronger oversight role when it comes to workstation and network security, businesses (particularly smaller ones) really do need help against their own worst enemy--themselves. Remember: Ignorance, my friends, is not innocence."

- Hutch
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=176583&messageID=1850845&id=2899447

I'm curious as to who agrees with the esteemed Hutch, and if anyone has ever handed out (or received) serious punishment for security violations at work.

Disagree and Yes

by JamesRL In reply to Employees don't care if t ...

I have stood in front of hundreds of employees (at a previous employer) and talked about IT's monitoring of net usage, the why and a little bit of the how. Most of them were fine with it - judging by the questions at least.

At companies where people work hard, there is resentment for those who don't. Thus when it takes them longer to download that new patch they need, they resent those chewing up bandwidth for downloading that new song or desktop animation etc.

And I have seen people fired, for using the company net for their own private business venture, for excessive non-porn surfing, and other events. I've been the one holding post-mortems on disasters like virus invasions that shut down the file servers.

Maybe I am wrong, but I doubt I am the only one.

James

More public enforcement is needed

by IT Security Guy In reply to Disagree and Yes

I agree with you. I have performed a few investigations and heard reports of others that were from abuse. There needs to be more public enforcement so those who choose to ignore the security policies will not have any leg to stand on when they are caught.

Ways to warn people:
1. Send out a global announcement to be followed by a global email stating the latest problem was caused by users who downloaded malicious software to the network. Those users were identified, notified and will be monitored for future violations. Anyone who disregards the security policies and is responsible for security breaches or network problems will also be placed on this list. A second violation of policy will result in a written and verbal reprimand along with suspension of either internet and/or network use. If there is a third, the employee will be subject to termination.
2. Follow up on the previous suggestion and make sure the entire company is made aware of the violations and any employee who is terminated.
3. Develop a Rules of Behavior/Acceptable Use Policy that every employee signs and every new hire signs every year. The policy will state what is acceptable, what is not and the consequences for non-compliance with all company policies. (This could be considered a legally binding contract, so no one can say they didn't know about the policy.)
4. Get buy-in from top management and make sure they agree the rules also apply to them. (Show monetary costs for breaking the rules.)

Mostly agree

by JamesRL In reply to More public enforcement i ...

The company where I had that experience made every employee sign an Acceptable Use Policy, and made it part of the new employee checklist - no signature, no network logon.

We also held IT security awareness days, with presentations, contests etc. I spoke to a total of about 600 people, out of a total population of 3500, not bad for a "voluntary" event.

We weren't allowed to communicate the reasons for termination - privacy laws and so on. We did often joke about having a wall of shame, but we couldn't implement it of course. We did let people know when we had outages due to virus attacks, which could have been prevented by improved awareness.

Fortunately we had total buy in from senior management, but it had a lot to do with the industry we were in.

James

What goes around comes around

by DC Guy In reply to Employees don't care if t ...

It's hard to deny the perception these days that most American companies don't care much about their employees. How many of us didn't catch the attitude implicit in our being turned from "personnel" into "human resources," which is something akin to pencils and toilet paper?

People repay disloyalty with disloyalty.

My company treats us very well and bends over backwards to avoid dismissing employees; outsourcing is rare. As a result we have many co-workers with twenty- and even thirty-year pins.

Need I state that we do care very much about the success of our business?

And is it a surprise that we're a stone's throw away from being the leader in our industry?

Biting Feeding Hands

by BFilmFan In reply to What goes around comes ar ...

Considering the disdain that most management at organizations show for their staff, it doesn't surprise me that people view a network outage as a break.

A lot of companies talk tough about internet policies, but rarely do they enforce them and almost never on upper management and officers of the company, who are some of the worst at inviting virus infections and porn spam worms in.

Far too simplistic

by amcol In reply to Employees don't care if t ...

The problem with this "argument" is the same as any that are taken out of context...there may be more than a shred of truth to it but it's only a very small part of a much larger story.

Are there people who don't care about their companies? Of course, just like there are people who (incredibly) don't care about their own families, or their fellow humans, or even themselves. My company treats me unfairly, there's no bidirectional loyalty, I can get outsourced/fired/RIF'ed/laid off/excessed at the drop of a hat, nothing I do really matters in the long run anyway, I'm just a small cog in a great big wheel, why should I care about the company when no one else does, there are other people who are doing such a great job I don't have to care about the company, my manager's a dork, my department head's a dork, the CEO is a dork, my boss doesn't treat me as well as my mommy used to, I'm lazy, I'm tired, I'd rather be playing video games, nobody likes me everybody hates me I'm gonna go eat worms. There are any number of excuses, take your pick.

You're in a rowboat with other people. Everyone's survival depends on everyone else. The boat springs a leak, right at your feet. Do you stick your finger in the hole? Do you hope someone else will? Do you believe the boat won't sink no matter what? Do you avoid sticking your finger in the hole because the others might laugh at the way you're doing it? Are you afraid if you plug the hole with your finger a shark will bite it off?

Human behavior is so complex there are no simplistic answers. The reasons you do something in any given situation are different from the reasons I do something in the same situation, whether the action I take is the same or different from yours. You and I work for the same company. I work hard because I'm a hard worker. You work hard because you care about corporate results. The guy in the next office works hard because he wants to make more money and gain higher position. Whatever, we're all working hard.

Frankly, I find the notion that people take chances with downloading viruses and abusing their web privileges due to some belief that "IT will take care of it" rather flattering. Our customers are quick to blame us when things go wrong...where is all this professional self-loathing coming from that we have to negatively rationalize why folks have some trust in us?

Far too complicated

by Mr L In reply to Far too simplistic

The problem with this "argument" is the same as any other that relies on obfuscation and rhetoric in place of logic and clearly defined talking points.

Corporate culture "has" become more and more impersonal, as easily verified by the declining average years of service in the majority of firms. That being the case, it is likely that there is not a general feeling of "I won't abuse the network because I may negatively impact the company I work for."

Unless there are consequences, and those consequences are applied even-handedly, people will use the network pretty much as they see fit. Relying on "good citizenship" and loyalty to the company to drive behaviours is idealistic and most likely doomed.

I manage the messaging and desktop environments in a large (12+ billion) corporation, and I am under no illusion that associate loyalty will keep my networks safe and functional.

Clear policies, widely distributed and fairly enforced, are the only reliable solution.

Well thought out.

by Praetorpal In reply to Far too complicated

I believe Mr L. has a good grasp of the big picture.

Do employees really want to bite the hand that feeds? Probably not.

Are they fully aware of the consequences of their actions, and are they made accountable for them? Probably not. But they are not responsible for paying for them like they are at home.

Poor IT architecture (remember the 6 dumbest mistakes of computer security), manifesting a lack of internal controls for concepts like least privilege, combined with poor policy development, implementation and enforcement, all contribute to these behaviors.

If employees are spending half their time doing non-related work on the computer, why are their managers not giving them more to do?

Why rely on a boy-scout promise to enforce policies? How naive! Get some access controls with teeth, so that employees do not have the privilege to download rogue programs, screensavers or whatever. They are at work to work, not play.

Brilliant Idea

by cool_iceman9 In reply to Well thought out.

Definitely I agree. Instead of setting up each workstation's security and filtering software and access controls, which might not work well due to some misconfigurations, why not install centralised access controls wherein users connect to you first before surfing the net? hehehe... I control the flow of information..

By observing these practices, risks, I think, may be mitigated. I really hate to admit that some users tend to ask you minor questions that seem not related to their official work. For example: "hey dude, how can we download this and that?", and those dumb questions, without knowing the attachment contains a virus or spam. And if anything bad happens to their workstation(s) caused by the infection or outbreak, all I can say is: "THAT IS WHAT YOU GET FOR SURFING THE NET".

It seems like the users are being spoonfed, and there is no learning at all. I think before I can grant them access, all I can say is, the I.T. Department will not be responsible for any losses caused by surfing the net. heheheh, I apologize to you guys for any fragmented sentences I have committed.

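Praetorpal's "access controls with teeth" (users simply lack the privilege to pull down rogue programs) and cool_iceman9's centralised choke point that everyone must pass through before reaching the net come down to the same technical pattern: a deny-by-default egress policy enforced at a proxy, with a per-user tally of refused attempts that gives IT Security Guy's "identified and monitored" list for free. The following is an added example written for this thread, not code from any of the posters; the log layout, the host-to-category table, the blocked-extension list and the sample log lines are all constructed assumptions for illustration, not any proxy product's real format.

```python
"""Deny-by-default egress policy, evaluated over constructed proxy log lines.

Added example for this thread; not code from any poster. The log format,
host categories, blocked-extension list and sample lines are all assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Only these categories may be reached; anything else is denied by default,
# so the policy does not depend on users choosing to behave.
ALLOWED_CATEGORIES = {"business", "vendor", "update"}
# Executable downloads are refused even from allowed categories, except via the
# patch channel (least privilege: ordinary users don't need to fetch binaries).
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".msi")

# Host -> category, as a URL-categorisation feed would supply (constructed).
HOST_CATEGORIES = {
    "intranet.example.com": "business",
    "update.vendor.example": "update",
    "files.partner.example": "vendor",
    "screensavers.example.net": "personal",
    "shop.example.net": "shopping",
}

# Assumed proxy log layout: timestamp, user, method, URL (host:port for CONNECT).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST|CONNECT) (?P<url>\S+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2005-03-01T09:15:02 alice GET http://intranet.example.com/reports/q1.pdf
2005-03-01T09:16:10 bob GET http://screensavers.example.net/free/dolphins.scr
2005-03-01T09:17:45 bob GET http://shop.example.net/cart
2005-03-01T09:20:00 carol GET http://files.partner.example/tools/setup.exe
2005-03-01T09:21:30 dave CONNECT unknown-host.example:443
2005-03-01T09:22:00 alice GET http://update.vendor.example/patches/kb123.exe
2005-03-01T09:23:00 garbage line
"""


@dataclass(frozen=True)
class Decision:
    user: str
    url: str
    allowed: bool
    reason: str


def host_of(url: str) -> str:
    """Hostname of a URL, or of a CONNECT target given as host:port."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def path_of(url: str) -> str:
    """URL path; empty for CONNECT, whose tunnelled path the proxy cannot see."""
    return urlsplit(url).path.lower() if "://" in url else ""


def evaluate(line: str) -> Optional[Decision]:
    """Apply the policy to one log line; None for lines that do not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    user, url = m["user"], m["url"]
    category = HOST_CATEGORIES.get(host_of(url))
    if category is None:
        return Decision(user, url, False, "uncategorised host (default deny)")
    if category not in ALLOWED_CATEGORIES:
        return Decision(user, url, False, f"category '{category}' not on allow-list")
    if category != "update" and path_of(url).endswith(BLOCKED_EXTENSIONS):
        return Decision(user, url, False, "executable download outside the update channel")
    return Decision(user, url, True, f"category '{category}' allowed")


def run(lines):
    """Evaluate every line; return the decisions plus denied attempts per user."""
    decisions = [d for d in map(evaluate, lines) if d is not None]
    denied_per_user = Counter(d.user for d in decisions if not d.allowed)
    return decisions, denied_per_user


if __name__ == "__main__":
    decisions, denied = run(SAMPLE_LOG.splitlines())
    for d in decisions:
        print("ALLOW" if d.allowed else "DENY ", d.user, d.url, "-", d.reason)
    print("denied attempts per user:", dict(denied))
```

Two points worth noticing when carrying this pattern into a real proxy: an unknown host is refused rather than waved through, which is what makes the control "have teeth" without anyone maintaining a list of bad sites; and a CONNECT tunnel hides the path, so the extension check cannot protect an HTTPS download and the host category is the only lever left, which is an argument for categorising before allowing rather than the reverse.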
Disagree

by Elder Griffon In reply to Far too complicated

It didn't appear to me that amcol was saying that loyalty could be relied upon to prevent user abuse of resources. I thought he was saying, merely, that it is an exaggeration to suggest that all good behavior is the result of consistently applied punishments. More generally, I think he was suggesting that even if it is sound practical policy to assume that users will do any abusive thing they can get away with, it is surely a grand exaggeration to suggest that this is true because they literally lack any desire to act for the good of the company.

I think one can make a very great and damaging mistake by promulgating policies that inadvertently convey the message that employees cannot be trusted or should not value responsible behavior for its own sake rather than a means to avoid punishment. Security, of course, has to be based on the idea of capability, not intention: you must forfend the damage users could possibly do, if allowed, rather than merely that you feel they are likely to do. But, I believe one can seriously hurt morale by unintentionally broadcasting the idea that the most conscientious senior employee has given no reason to be trusted. It doesn't matter that this may, in fact, be an abstract principle of your defenses. To publicly endorse an implied contempt for users' ability to act responsibly may itself discourage responsible behavior.
