
Locked

Employees don't care if the business fails

By Jay Garmon, Contributor
TechRepublic's own blogger extraordinaire HutchTech fired off this missive recently, which got me wondering whether everyone agrees that employees willfully ignore security precautions at work because they don't fear consequences.

"I recently came across this Trend Micro report in a SANS newsletter which claims that employees take more risk on the net at work because they believe their IT department will protect them. While this might be what they said in the survey, the real answer is far more sinister: employees don't care if the business fails.

"Let's face it, if you knew you wouldn't have been caught pulling the fire alarm at school so that you could postpone that math test, would you have done it? The same moral dilemma faces those who use their PCs at work. Employees (particularly in larger corporations) don't see the real harm of network downtime--it's just a paid break. And if they don't see people getting fired for abuse (I'm not talking about porn here, but shopping, blogging, gambling, etc., etc.), what risk do they really take in abusing their Internet access? Besides, if you do happen to infect the network with the latest worm, you're just a poor, little end-user and you're really, really sorry. And how many IT departments are actually going to track the thing down once the fire's been put out? Not many--the standard e-mail reminder to be more careful will have to suffice (oh, and remember to attach a copy of the corporate e-mail/Internet policy).

"While I am not excited about Apple, Microsoft, et al taking a stronger oversight role when it comes to workstation and network security, businesses (particularly smaller ones) really do need help against their own worst enemy--themselves. Remember: Ignorance, my friends, is not innocence."

- Hutch
http://techrepublic.com.com/5254-6257-0.html?forumID=99&threadID=176583&messageID=1850845&id=2899447

I'm curious as to who agrees with the esteemed Hutch, and if anyone has ever handed out (or received) serious punishment for security violations at work.


48 total posts (Page 2 of 5)   Prev   01 | 02 | 03 | 04 | 05   Next

All Comments


Very interesting turn

by amcol In reply to Disagree

Frankly, each of the previous three posts (as intriguing as they are) addresses issues other than what the original poster raised and isn't on point to my response.

The IT department has authority and responsibility to implement security policies that protect the technical assets of the organization. That's a given, and to do otherwise is an abrogation of that responsibility. There are certainly levels of protection that must be applied in such a way as to be situationally appropriate. I may in fact be able to completely lock down access to my network in such a way that authorized users have to provide all ten fingerprints, a retinal scan, a blood sample and an oral swab for DNA matching in order to gain entry, but unless I represent the White House and am in charge of protecting the launch codes a somewhat less restrictive policy may be more consistent with operational efficiency. These are decisions all organizations must make.

There are acts of commission and acts of omission. Employee A is angry at his/her organization for whatever reason and decides to wreak havoc by irreparably trashing the financial transaction log. Employee B is somewhat less than entirely tech savvy and while he/she has heard about some of the potentially nasty consequences of unsafe net surfing he/she figures "someone" in the IT department will "take care of it". Neither is a candidate for employee of the month, but the manner in which each is dealt with should clearly be different.

Security policies are intended to restrict and protect but should not be viewed as opportunities to punish. In that regard I agree with Elder Griffon... good behavior comes from positive motivation, not negative. People tend to respond to the carrot more so than the stick, meaning it's a lot easier to motivate on the basis of a reward than on the basis of a beating.

However... all of this is beside the point. The original issue, to which I was responding, is that if it's true (and it is) that there are people who don't care about the success of their companies, it's far too superficial to pull one possible reason for that out of context and generalize from there. There are all sorts of reasons for corporate indifference, and good companies have formal programs in place to recognize the symptoms and cure the disease.


Not "quite" on point, either...

by Mr L In reply to Very interesting turn

>>
TechRepublic's own blogger extraordinaire HutchTech fired off this missive recently, which got me wondering whether everyone agrees that employees willfully ignore security precautions at work because they don't fear consequences.
>>

That is, in fact, the thrust of the OP. The point was not "...if it's true (and it is) that there are people who don't care about the success of their companies...". Speaking to Hutch's assertions is not answering Trivia Geek... discussing employee behaviours as they relate to policies and their enforcement (consequences) is.

People are not inherently honorable, moral (however you define that), ethical, or law abiding ( I realize that's probably not a popular comment, but there you have it...). These things are learned/taught, and (I'll try very hard not to take this into the realm of positive vs negative feedback in learning behaviours...we all have our favorite stance, take your pick) enforced through consequence.

Bottom line: Employees DO willfully ignore security precautions at work because they don't fear consequences. This does not make them bad... this makes them human. Rules without reliably, equitably enforced consequences are useless; worse than useless... they usually wind up doing more harm than if there was no rule to begin with.


on point but ....

by avid In reply to Not "quite" on point, eit ...

While I do agree that employees in general will ignore security precautions, I must disagree with the original post that their reason for this is not fearing consequences. I believe they do it because they simply are not given enough reasons to care if their company succeeds. Most people are paid just enough to convince them to show up to work. And that is what they do. They show up. They will not give their best efforts and protect the network just to make sure the execs meet some quota which will increase their already inflated salaries and bonuses. The average user does not care about downtime because it will not affect their income. They know that uptime will not increase their income, so why bother with precautions. I believe they feel that ignoring acceptable use is a way of getting some of the money that they feel they deserve from the company, even if it is money they cannot deposit into their accounts.


Well said...but...

by Mr L In reply to Disagree

...do you leave your car unlocked at the mall?

We don't lock our cars to stop the determined professional thief; we lock them as deterrents to the casual criminal or would-be joyrider. In other words, we lock our cars and houses to encourage continued honest behavior.

It's much the same thing with corporate acceptable use policies. Those determined to break them will. We create these policies to promote acceptable behavior and provide guidelines... to honest people.

Nowhere did I say that our associates were dishonest, unreliable, or untrustworthy. I said that reliance on those things to keep my business safe was an unacceptable risk position to take.

Cheers


A threat is a threat...

by Praetorpal In reply to Disagree

...whether it is something as unintentional as a virus or worm in a screensaver, or whether it is an insider breach that steals intellectual property. They are both a threat to the survival of the company. If a trojan that keylogs is the malware that plants itself on your network, then the damage can be severe. I read recently that 90% of companies that have a serious publicized data breach go bankrupt within a year. Where does intention come into play here? Read these forums. Many contributors here lambast "senior" management as among the worst offenders. There are even some on this thread.

Sorry, going off the original topic here, but this tangent IS an offshoot of the original post.

The most serious and costly cyber breaches are from inside intrusions. Everyone has a price. How does the enterprise protect against the DBA that has gone off the beam, has gambling debts, addictions, etc.? Companies require people; people have weaknesses. The difference is the insider definitely does not care about the company.

The best article I have seen on this is the following. As a DBA, Elder should read it.

The Threat From Within
http://www.itarchitect.com/shared/article/showArticle.jhtml?articleId=166400792&classroom=

My point is that whether it is innocent behavior or intentional IP theft, the damage can be just as huge.

After reading that article, are you really sure that you would place security as a secondary consideration to possibly offending your employees?

The solution that I would propose would protect against both innocent distractions that might cause various degrees of disruption, and serious cyber breaches that definitely would.

If you go to work at a new company and all you have access to are the files and system calls that allow one to do one's work, then you will not know what you are missing, and you can leave your playtime to after hours at home, where any damage you inflict will be only on yourself, and you will foot the bill.

Just because a total dearth of enterprise internal controls has been the accepted norm in the past does not mean that we should accept that now.


But the problem remains and if anything is worse

by HAL 9000 Moderator In reply to A threat is a threat...

With the home user with a VPN into the corporate network. These machines never have the proper level of security and hardly ever run malware or AV scans, even if those products are up to date.

Today, for instance, I spent the better part of the day teaching one small business owner how to use his iTunes program, which wasn't even within 6 months of being up to date. Now this guy regularly downloads music from peer-to-peer groups and gets infections by the bucketful. The first job that I did was to run several malware scans and remove all the nasties which had accumulated since the last time I was there, all of 2 weeks ago! I had set the malware scanners to run between 11.00 AM and 2 PM when he was mostly out of the office, and every one of them had been shut down while running each and every day!

Now he is fairly computer illiterate, so I see this as a learning curve which he wants to do, as I cannot get him interested in any real work on the computer. He has only recently started to collect his own e-mails; previously he had his secretary collecting these, printing off what she thought was important and handing him hard copies so he could then dictate a response and his secretary would send off a responding e-mail.

Finally, after much telling him just how slow his computer actually was, he has agreed to let me upgrade it quite a bit: a bigger CPU and a lot more RAM, but not because he wants the extra speed but because the PCMCIA video tuner that I've been instructed to buy him requires it.

I then go to his home and do exactly the same thing on his home computer, as he has a VPN directly into the company's server, and if I didn't constantly monitor his home unit he would have the server infected in no time at all. Since he is now collecting his own e-mail he needs to log in to the company's server to get his e-mail, which is not something that I designed but inherited, the mess from a previous so-called "Professional!"

Since I've been working there I've managed to drag them, kicking and screaming, into some sort of semblance of secure computer usage, as previously they had 1 phone line shared by 3 workers and the secretaries for an Internet connection. Their main concern about changing the then setup was that they would have to change their existing e-mail addresses, so they resisted even though they were incorrect. Since they have switched to ADSL I have now got a router between the outside world and their server, which previously only had a dial-up modem directly connected.

This is a perfect case of where the staff at this company are carrying the owner in making money for the business, and while he is quite bright on the business side of things he really has no idea of how the business actually runs. All he does is buy the stuff and his staff somehow manage to sell it, or he is told that they are getting queries about a piece of equipment and he finds one that will suit the needs of the customer. He still relies on paper and has a whole swag of the stuff lying around; about the only concession to modernizing the business is his cell phone, which he lives on.

Now that he has the iPod he is at least beginning to learn how to use the computer at both his home and work. Next I'm going to have to show him how to rip a CD to MP3 format so he doesn't need to constantly be downloading songs. It's all one baby step at a time.

Col ]:)


Many factors

by loydster In reply to Employees don't care if t ...

This is not just a matter of people not caring if their company goes awry. I think logically, if anyone thought about it, whether they work hard or not, they would want their company to do well, so that they can continue to make a living.

When someone comes in to work and sits down at their computer, they have the ability to work, or the ability to waste time 'browsin the net'. No one can tell whether you are being a productive person, or whether you are just wasting time. This can be tempting to many people. It's easy to put off work for a few minutes to check your email. Then just follow a few links your friends sent you. Then check the weather report for that hurricane that is right around the corner. Then it's 5pm, and another day has been spent pursuing 'trivial pursuits'.
It can be hard to self-regulate when no one can tell what you are doing.

I don't think it is intentional, but it can be more of an addiction. If someone was to step completely out of their social life in order to stay home and on the internet, they would be labeled an addict. This is not an excuse, however. Shooting up heroin wouldn't be allowed after either. Just another impulse to be controlled. And we humans are good at that?

The internet is still brand new to a human marketplace that has been forming for thousands of years. We have at our desks the equivalent to the Library of Alexandria, only with more information, and more distractions.

I also believe this will become a moot point. Eventually, we IT folks will have the ability to regulate internet use with more ease and accuracy. As more and more people are aware of the attraction of the internet, and more in touch with how it can damage production, we will be called on more and more to control our infernal devices.

Well, at least we are in charge of ourselves. Only I am monitoring myself as I post this from work. :)


"Not my job" = "not my problem"

by jdclyde In reply to Employees don't care if t ...

Keeping a system working is not seen as a concern for most end users unless something happens that shows THEY are to blame for the problems.

I don't think it is that they don't care if the business fails; it's more that they are not concerned with the business succeeding. Their job is to enter xyz into this database, not anything else.

I had a particular user, and her system was crashing all the time in a certain program that she didn't "like". After reloads of the software, checking out the hardware, and then swapping out that PC, the problem would still happen (but not when a tech was on-site to see). We made a report of the 20+ users that use that system, and she is the only one to have this problem. We also showed what was done to resolve her problem and that we had completely eliminated any chance of software or hardware. When she AND her boss saw this report, she mysteriously stopped having this "issue". Hmmmmm.


Unfortunately

by RobRoyNJ In reply to "Not my job" = "not my pr ...

I think most people still don't think about their activities on the internet as having any effect on the business that employs them. It is their search, not the company's. I know it seems very obvious to us, but I've been at many offices with different staffs and the common assertion is that end users still are surprised by the existence of worms, viruses, and spyware on their computer, and even more surprised that the sites they went to invited this malware into the system.

End users are worried about getting caught but seem to have very little idea of the harm their actions can bring to a company. Most of these policies are seen as HR policies and not IT policies.

The biggest way to minimize these activities is to remove office walls and laptops. I'm not suggesting this is something a business can do, but I've found that the privacy encourages this kind of behavior and may be why some people are citing managers as the usual guilty parties.

My company used to be great to its employees and is now much more about the short-term bottom line, and I've seen no change at all in the behavior of employees.


what a bunch of crap

by Ou Jipi je In reply to Employees don't care if t ...

Is the mentioned porn, shopping, blogging, gambling, etc. against the company policy? If so, why are these not restricted to users? (for example proxies, signing ActiveX controls, whatever)

An innocent user installs a worm? Did the innocent user receive a PC that is configured to permit the user to do so?

What we might be discussing here are badly defined corporate policies in areas of LAN computing and LAN security.

Employees don't care? Well...if you are not doing your job...why should they?
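The post above argues that if shopping, gambling and the like are against policy, the proxy should refuse them rather than leaving it to the user, and that a "worm installed by an innocent user" means the workstation was allowed to fetch and run it. The following is an added example, not code from the thread or from TechRepublic, showing what that enforcement looks like as detection logic over proxy logs: it parses Squid-style access.log lines, applies a category-based domain blocklist plus a rule that denies executable downloads from any site, and reports the requests the policy would have stopped. The category names, domain suffixes and log lines are all constructed for illustration.

```python
"""
Added example (not from the original thread): enforce policy categories at the
proxy instead of relying on users. Parses Squid native access.log lines
(constructed sample below), applies a category-based domain blocklist plus a
rule that denies executable downloads from any site, and reports which
requests the policy would have blocked. Category lists, suffixes and the
sample log are assumptions made up for this example.
"""
from urllib.parse import urlsplit

# Hypothetical blocklist: domain suffixes per policy category (assumed values).
BLOCKED_CATEGORIES = {
    "gambling": ("casino.example", "bets.example"),
    "shopping": ("shop.example", "auction.example"),
    "p2p":      ("tracker.example",),
}

# Executable content denied from any site (the "innocent user installs a
# worm" case), matched by file extension or by declared content type.
EXEC_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".msi")
EXEC_CONTENT_TYPES = ("application/x-msdownload", "application/x-msdos-program")


def host_in_category(host, suffixes):
    """True if host equals a blocked suffix or is a subdomain of one.
    Suffix matching (not substring) so 'notcasino.example' is not caught."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def evaluate(url, content_type=""):
    """Return the deny reason for one request, or None if policy allows it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for category, suffixes in BLOCKED_CATEGORIES.items():
        if host_in_category(host, suffixes):
            return "category:" + category
    path = parts.path.lower()
    if path.endswith(EXEC_EXTENSIONS) or content_type.lower() in EXEC_CONTENT_TYPES:
        return "executable-download"
    return None


def parse_squid_line(line):
    """Pull the fields we need out of a Squid native-format access.log line:
    time elapsed client code/status bytes method url ident peer/host type."""
    f = line.split()
    if len(f) < 10:
        return None
    return {"client": f[2], "method": f[5], "url": f[6], "content_type": f[9]}


def audit(log_text):
    """Apply the policy to every log line; return (client, url, reason) tuples
    for requests that would have been denied, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_squid_line(line)
        if rec is None:
            continue
        reason = evaluate(rec["url"], rec["content_type"])
        if reason:
            findings.append((rec["client"], rec["url"], reason))
    return findings


# Constructed sample log in Squid native format; not real traffic.
SAMPLE_LOG = """\
1136120001.123    120 10.0.0.11 TCP_MISS/200 5120 GET http://intranet.example/reports/q4.html - DIRECT/10.0.1.5 text/html
1136120002.456    310 10.0.0.12 TCP_MISS/200 88210 GET http://www.casino.example/play?table=7 - DIRECT/198.51.100.7 text/html
1136120003.789     90 10.0.0.13 TCP_MISS/200 41000 GET http://cdn.auction.example/item/123 - DIRECT/198.51.100.8 text/html
1136120004.012   2200 10.0.0.11 TCP_MISS/200 734210 GET http://files.example/screensaver_free.scr - DIRECT/203.0.113.9 application/octet-stream
1136120005.345    150 10.0.0.14 TCP_MISS/200 2048 GET http://tracker.example/announce?info_hash=abc - DIRECT/203.0.113.10 text/plain
1136120006.678     80 10.0.0.12 TCP_MISS/200 1024 GET http://safe.example/app/update.exe - DIRECT/203.0.113.11 application/x-msdownload
"""

if __name__ == "__main__":
    for client, url, reason in audit(SAMPLE_LOG):
        print(f"{client:<12} {reason:<24} {url}")
```

Run against the sample it flags five of the six requests: three by category, two as executable downloads (one caught by extension even though the server labelled it application/octet-stream, one by content type). The same `evaluate()` is what you would wire into the proxy's own ACLs to deny the request up front, which is the poster's point: a user cannot "innocently" fetch a screensaver that the proxy never delivered.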
