I have several high-level users (Director of Engineering, etc.) complaining that they can’t do their jobs without being local administrators on their Windows XP workstations. Every time an issue arises (every three months or so) for which they actually require administrative access, I gently remind them of the password to the local admin account I created for them just for this purpose and eventually do it for them. So, they are complaining that “security is getting in the way of productivity” to my boss, who is also non-technical.
My boss tells me, “They’ve been at companies for 25 years that never got hacked. How many businesses get hacked and how serious are the incidents? How much damage could they really do?” He asks this in a tone that suggests that he does not take security seriously.
I know this is a thorny problem because I have read many times that organizations resist security measures until it’s too late and then blame the intrusion on the existing IT administrator. I don’t want to be a victim of a user’s perception. To that end, I need data to prove that yes, companies do get hacked, have their data stolen, servers vandalized, and suffer costly downtime. I’ve been using Google to find some of these answers, but I’d like to see if any TechRepublic users might have some particularly juicy bits that I can brandish in my struggle.
Thanks!