Security's Everyman

Friday, August 24, 2007

Users don't care about security threats

It seems that most mobile workers think that security should be left completely up to the IT department and that they should be able to do whatever they want. This article from InformationWeek gives the details.

I saw this earlier in the week but was too busy to really look at it or think about it. It was brought to my attention again today as I was reading this week's SANS NewsBites newsletter. For those of you who aren't familiar with it, the newsletter typically carries the week's security news stories, and the editors comment on them. It was one of those comments that got my attention today. After the story about how mobile workers think that security is IT's job, and that they do things they know they shouldn't without a care, the editors started in. They talked about how sad this attitude is, how UA (user awareness) training has failed, and how people are just stupid enough (my words, not theirs) to believe that they really won the UK lottery or some such thing. Then Johannes Ullrich, who is Chief Technology Officer of the Internet Storm Center, made a stupid comment. He said:

Why shouldn't users expect IT to take care of security? I think we (IT / Security professionals) expect too much if we expect office workers to worry about security. Perhaps we can ask them not to leave their laptop unattended. But beyond that, it's our job!
Before I start ranting... He is correct that security is OUR job. That's what we get paid for. But unless companies are going to hire a security professional for every worker, to stand behind them, look over their shoulder, and physically stop them from opening emails, clicking on links, going to porn sites, installing unauthorized software, etc., then we have to put some measure of responsibility in their hands. Information security technology can only go so far and do so much. Users have to be responsible for their actions. They have to use common sense and follow company policy. They have to learn to be careful with their actions. It's not their laptop. It's not their data. It's not their company to take such risks with. They need to realize that their compromised machines don't affect only them. The data they lose affects the company, the customers, the investors, the partners. The malware they install on their machines puts the rest of us at risk because of their actions. They should be charged with SWS (Surfing While Stupid) and be taken off the information superhighway. They should, in some cases, be fired or put on probation. Mr. Ullrich, and those who promote reckless computer use, should be charged as an accessory before the fact and given similar sanctions.

When technology gets to the point where everyone surfs in their own little virtual world and can't hurt others with their stupidity, then I will quit promoting quality UA training and will happily let users do what they want. Until then I will continue to promote and practice good security. I will work to make sure the technological controls are in place and the users are trained properly. I will also rant when people make ridiculous comments like this one.


planetheidi said...

I'm all for them abdicating all their security responsibility to us... but it will come with a terrible price. Namely, we lock down their computers to the point where they can't even change their wallpaper, everyone must use strong auth, and all actions are closely monitored. I've seen environments like that at large banks. Works pretty well from a security perspective. But given a choice, I'm sure users would prefer to exercise some good judgment with a little freedom.

Rob Lewis said...

Good rant, Andy. Lotta have-tos, though.

Are you sure the end user always understands what is in it for them? I suggested to Mike Murray once that positive reinforcement (rewards) for desired behavior might be more effective, and he thought it might be worth thinking about. The easiest way to influence human behavior is not to set rules, but to bribe people. :)

I do not think there is anything wrong with locking down a workplace environment for work. I think a separate recreational network could be set up in the staff room to do personal stuff on breaks etc. If it goes down, the staff will get on the perpetrator's back because they will all lose access.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.