Recently we implemented mandatory screen savers for all PC's at work. There were a few systems that we had to exempt from the policy due to legitimate business need. These systems are in secured areas and have limited access by only a few users. The rest of the systems received the policy early last week.
The decision was made to use a common Text based screen saver and allow the user to change the text but not theme of the screen saver. We sent out several messages informing the users of the change and when it was scheduled to happen. The day that it went into effect you would have thought that we took away their PCs and replaced them with an etch-a sketch. All of a sudden no one could work because they would be in the middle of intense computation and all of a sudden the screen saver would kick in and they would lose all of their work. In reality the problem was that they either didn't like having to reenter their passwords or they were upset because they couldn't change the screen saver to something else.
The manager of the help desk is also the one who sent out the emails explaining everything that was going to happen. She is also the one catching the wrath of many of the users. She has been bombarded with calls, emails and visits by people who complain that they can't work or extremely upset because they no longer have pictures scrolling across their screen when the screen saver kicks in. The sad thing about this is that in the past this has worked. A new policy is put into place, the users whine and cry, the policy is rescinded. Fortunately things are different now. Management realizes that the policies have to be put into place whether the users like it or not.
Often management caves to the whims of the user without taking the bigger picture into account. I've seen this in many companies that I've worked for and have heard stories of many others. Management wants the users to be happy, which is important, and security wants them to be secure, which also is important. The important thing is to reach a "happy medium". The point where users are happy and can actually do their job, yet the systems and network are secured. In a company that has a history of allowing the users to make policy decisions it can be a challenge to reach this happy medium.
There are several steps involved in getting past history and to where the company needs to be. It starts with education.
- Management needs to be educated in the need to find balance. They need to understand that users want convenience, ease of use and control over their systems (ability to add programs, manage how it looks and feels, etc).
- Users need to be educated. They are not concerned, at least by default, about security. They push back on most anything that changes how they are able to control their systems. The problem with this is that users are not "secure by default". They don't understand how to secure a system or why "that cool screen saver" they downloaded may just be the back door into the network. They need to understand "WHY" security is important and how it affects them personally.
- Communication of changes MUST happen well ahead of the actual change. All affected parties need an opportunity to think about this and how it may affect them and then ask questions. Maybe they need time to work out new processes to minimize the impact on their jobs without compromising security. This step does not happen just by sending out an email telling that the change is coming. The communication needs to tell them to think (kinda sad isn't it?). Unfortunately many people don't think by default.
- Feedback from users needs to be taken into account to work around issues that may come up. An example from our screen saver issue is we have a few systems that are used by our call centers to view call queues. That is all these systems do so we need to exempt them from the policy while still ensuring that they are secured. Remember, we have to balance security with usability.
- IT/Security has to remember that they do not have the final say on what, when, where, how or why these things happen. Their job is to come up with solutions to problems and convince the company why this is what we need and then work with the business units to make the solution as painless as possible.