It seems that most mobile workers think that security should be left entirely up to the IT department and that they should be able to do whatever they want. This article from Information Week gives the details.
I saw this earlier in the week but was too busy to really look at it or think about it. It was brought to my attention today as I was looking at this week's SANS NewsBites newsletter. For those of you who aren't familiar with this newsletter, it typically carries stories about the week's news, and the editors comment on them. It was one of those comments that got my attention today. After the story about how mobile workers think that security is IT's job and that they do things they know they shouldn't without a care, the editors started in. They talked about how sad this attitude is, how user awareness (UA) training has failed, and how people are just stupid enough (my words, not theirs) to believe that they really won the UK lottery or some such thing. Then Johannes Ullrich, who is Chief Technology Officer of the Internet Storm Center, made a stupid comment. He said:
Why shouldn't users expect IT to take care of security? I think we (IT / Security professionals) expect too much if we expect office workers to worry about security. Perhaps we can ask them not to leave their laptop unattended. But beyond that, it's our job!

Before I start ranting... he is correct that security is OUR job. That's what we get paid for. But unless companies are going to hire a security professional for every worker, to stand behind them, look over their shoulder and physically stop them from opening emails, clicking on links, going to porn sites, installing unauthorized software, etc., then we have to put some measure of responsibility in their hands. Information security technology can only go so far and do so much. Users have to be responsible for their actions. They have to use common sense and follow company policy. They have to learn to be careful with their actions. It's not their laptop. It's not their data. It's not their company to take such risks with. They need to realize that their compromised machines don't only affect them. The data they lose affects the company, the customers, the investors, the partners. The malware that they install on their machine puts the rest of us at risk because of their actions. They should be charged with SWS (Surfing While Stupid) and be taken off the information superhighway. They should, in some cases, be fired or put on probation. Mr. Ullrich, and those who promote reckless computer use, should be charged as an accessory prior to the fact and given similar sanctions.
When technology gets to the point where everyone surfs in their own little virtual world and they can't hurt others by their stupidity, then I will quit promoting quality UA training and will happily let users do what they want. Until then I will continue to promote and practice good security. I will work to make sure the technological controls are in place and the users are trained properly. I will also rant when people make ridiculous comments like this.