
One-Third of Employees Violate Company IT Policies

Zonk posted more than 6 years ago | from the yeah-but-they-were-all-bad dept.

Security 320

BaCa writes with a link indicating that a survey of white collar US workers shows that something like a third of all employees break IT policies. Of those, almost a sixth actually used P2P technologies from their work PCs. Overall, the survey indicates workers aren't overly concerned about any kind of security: "The telephone survey found that 65% of white-collar professionals are either not very concerned or not concerned at all about their privacy when using a workplace computer. A surprising 63% are not very concerned or are not concerned at all about the security of their information while at work. Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

320 comments

I don't believe it (5, Insightful)

stoolpigeon (454276) | more than 6 years ago | (#21188499)

I'm guessing a more accurate headline would be: One-Third of Employees Admit to Violating Company IT Policies
 
The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

Re:I don't believe it (1)

jdoss (802219) | more than 6 years ago | (#21188531)

That pretty much sums it up. My first thought to post here was "One-third my ass."

Re:I don't believe it (5, Funny)

Anonymous Coward | more than 6 years ago | (#21188563)

Hell, I'd be happy if 1/3 of our employees could even name all of the IT policies they were breaking.

Re:I don't believe it (1)

c_woolley (905087) | more than 6 years ago | (#21188699)

I'd be happy if one-thrid of ours could spell IT...

Re:I don't believe it (2, Insightful)

Anonymous Coward | more than 6 years ago | (#21188701)

Believe it. IT breaks the most policies because they don't get in trouble and then blame non-IT personnel for doing what they do. I know I used to do it as IT. So don't blame employees. I wouldn't be surprised to see numbers on IT employees and have it show 99% break those policies they themselves enforce!

Re:I don't believe it (4, Interesting)

33MHz (897295) | more than 6 years ago | (#21188843)

Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.

I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember). If I followed the rules to the letter, I wouldn't download the libraries. But I don't follow them, so by using this software that nobody is "approving" I'm breaking the rules.

But when did our security manager review the source code for Windows XP to make sure it's OK?

Admit it (1)

blueZ3 (744446) | more than 6 years ago | (#21189125)

you'd be happy if 1/3 of your company's employees knew that there was an IT policy. Heck, if they even knew what the IT department WAS.

Re:I don't believe it (1)

Atriqus (826899) | more than 6 years ago | (#21189131)

Looks like our situation is much better; 3/3 of our department can name the IT policies we're breaking... but that's not completely fair of a comparison since we are the IT department. :)

Re:I don't believe it (1)

WiiVault (1039946) | more than 6 years ago | (#21188585)

Seriously, how many people don't realize that checking AIM or listening to web radio is prohibited? Few I would imagine.

Re:I don't believe it (1)

thebear05 (916315) | more than 6 years ago | (#21189043)

The real question is why is it prohibited ! Bandwidth ? Security ?

Re:I don't believe it (1)

facon12 (1128949) | more than 6 years ago | (#21188615)

Agreed, I work for an ISP and I've found that most people simply don't know what the policy is. How many people really read the entire employee handbook unless they have gotten in trouble? More than that, how many can remember 5 things from it that don't have to do with getting paid?

Re:I don't believe it (5, Funny)

vertinox (846076) | more than 6 years ago | (#21188623)

Or they didn't outright lie, they just didn't even know they had violated company policies.

I don't know how many times a conversation went like this:

Me: What's your user name?
User: It's u2343 and my password is "bobspassword"!
Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!

Re:I don't believe it (3, Funny)

Anonymous Coward | more than 6 years ago | (#21188717)

Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!

Me: Sigh. Please change your password. Please don't share your password with anyone, including IT staff.
User: Ok, now I changed it to 'bobspassword2'.
Me: ARRRRG!

Re:I don't believe it (0)

Anonymous Coward | more than 6 years ago | (#21188805)

I worked at a place that used a secret phrase to identify yourself:
Me: What's your user name?
User: umm...SexyChick --- (male voice)
Me: What's your secret phrase, please?
User: My password? it's-
Me: No, I mean the phrase you chose to identify yourself, it could be a cat's name or family name.
User: Are you sure you don't want my password?
Me: No, your secret phrase, just to verify your identity --- (I haven't looked up his account yet, but I'm bringing it up now....)
User: Well, I didn't know, um.. 'I Love C*ck'

Re:I don't believe it (2, Insightful)

Otter (3800) | more than 6 years ago | (#21188697)

Also, if I'd been surveyed as to whether checking webmail is "risky", I'd also have said that it isn't. It's certainly not "risky" on the level that downloading and running some P2P application is; it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

Re:I don't believe it (4, Insightful)

ewhenn (647989) | more than 6 years ago | (#21189273)

it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

Personally, I find that this constant password changing actually *lowers* security. I would like to present myself as an example. We have to change our passwords to something with 3 of 4 items (CAPS, lowercase, numbers, and special characters). We are required to change our password monthly. So instead of having a nice secure password like "jd%2MdEP!7rqA" that I can remember say... once a year.. I just do something like "Aotepad1"..next month "Botepad1"...next month "Cotepad1" so I can remember the damn thing. Each application requires its own password, so requiring the average user to constantly change them is going to make them go with poor password choices instead of strong ones.

Sometimes too much "security" is weaker security.

Re:I don't believe it (2, Insightful)

dnormant (806535) | more than 6 years ago | (#21188775)

What's sad where I work is it's the helpdesk and desktop administrators that are the worst. We have Websense to block the inappropriate web sites. Then they learned they could VPN in and that basically goes around Websense. Now they're tying up my firewall AND my VPN router.

I already block all p2p, now I'm going to have to block music and video sites too. I don't care what is appropriate or what isn't, I'm tired of my boss asking me why the Interweb is slow.

It sucks being the bad guy but I like my job.

Re:I don't believe it (1)

COMON$ (806135) | more than 6 years ago | (#21188933)

Your firewall should allow for rule schedules, obviously there is no need for you "techs" to vpn during work hours unless they are in the field. Or just disable VPN from behind the NAT. From one natzi admin to another the IT staff will always be your worst customers at policy compliance.

Re:I don't believe it (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#21189141)

Because techs never work from home...

Re:I don't believe it (1)

COMON$ (806135) | more than 6 years ago | (#21188861)

Because if you are a good admin, the user is incapable of violating your policies. Outbound port locks, packet monitoring, AD policies....ahhhh to be a natzi but who has that kind of time ;)

Re:I don't believe it (1)

MikeDirnt69 (1105185) | more than 6 years ago | (#21188951)

Well... considering that the fat guy on a big chair is the first one to break the rule (and this is a fact on most of the companies), the low-salary IT crowd don't get too motivated to follow the rule.

Re:I don't believe it (1, Insightful)

Anonymous Coward | more than 6 years ago | (#21189235)

The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

Some of us just cover our tracks very well.

really? (1)

Dance_Dance_Karnov (793804) | more than 6 years ago | (#21188501)

only a third?

Only one third? (1)

Reality Master 201 (578873) | more than 6 years ago | (#21188509)

Bullshit. Maybe 1/3 are dumb enough to cop to it.

Perhaps you've got it backwards and only 1/3 don't violate IT policies. And even that sounds light.

Re:Only one third? (1)

ivan256 (17499) | more than 6 years ago | (#21188831)

1/3 admit to it.... The other 2/3rds don't even know what the policies are in the first place.

Re:Only one third? (1)

arivanov (12034) | more than 6 years ago | (#21189113)

1/3 admit
1/3 lie
1/3 does not give a f**k

About right by the look of it.

Not that IT does not deserve it.

Any stupid, prudish, paranoid or sometimes outright insane request can become a policy item in a matter of minutes.

Example (happened to me). A new HR director comes in horrified wanting to talk to you how do you dare not having a content filter to stop inappropriate content from being viewed.

The usual IT professional goes and implements it straight away. The fact that nobody is viewing it in the first place and there is a stack of Daily Express and Sun in the dining room is ignored for some reason. Guess it is OK to download softporn from the newsagent, but not OK to do so from your PC. And so on.

Result - new policy item and new expense item on the IT budget sheet.

Re:Only one third? (1)

KillerCow (213458) | more than 6 years ago | (#21188869)

Maybe 1/3 are dumb enough to cop to it.

No, 1/3 actually know that they are breaking policy. The other 2/3 don't realize that checking their personal email, reading a non-work-related site, or taking files home is a policy violation.

of course (2, Insightful)

Vanden (103995) | more than 6 years ago | (#21188519)

I think most of us could've told them that without all of the silly research.

Seriously though, for most people, unless they know there's a risk of being fired if they don't comply, chances are that they're not going to care about corporate IT policies. Most companies don't actually police them, so what benefit do they have in following them?

While people should be responsible enough to do what their job requires, it falls back on the corporate IT folks to make sure their policies are enforced.

Re:of course (0)

Anonymous Coward | more than 6 years ago | (#21189275)

where I work we routinely pass around images, figures, and datasets as email attachments.

Our IT group thinks 10MB is enough email space, and charges $1/MB if we go over.

GMail is free.

I routinely see people using gmail for government business . . . because the government rates for email storage have not kept pace with today's academic lifestyle.

only 1/3? yeah right. (1)

twoboxen (1111241) | more than 6 years ago | (#21188565)

For every company that I've worked, there has always been a "proper use" policy for PC usage. None of them allow the web e-mail, StumbleUpon, Slashdot, Digg, and/or Reddit time that nearly ALL coworkers I've seen use (with me, I use all of them most of the day. They should give me work that I've been requesting. Small tasks do nothing to fill 8ish hours.)

Lol (5, Funny)

jayhawk88 (160512) | more than 6 years ago | (#21188579)

Of those, almost a sixth actually used P2P technologies from their work PCs.

In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

/Actually/? (1)

ivan256 (17499) | more than 6 years ago | (#21188789)

They say "actually" like it's so unbelievable.

I regularly use bittorrent to download work-related files at work. And it's not against IT policy at all. Imagine that.

What they don't say (5, Interesting)

kpainter (901021) | more than 6 years ago | (#21188583)

There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

Re:What they don't say (2, Insightful)

ruewan (952328) | more than 6 years ago | (#21188625)

I agree with you totally. There have been so many times that stupid policies made it difficult for me to get my work done. It is often easier to find ways around the security than to go through the proper channels. I had to do that a lot in my last job.

Re:What they don't say (5, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#21188793)

What I've noticed more of is that there's the "Company IT Policy" (tm) and the actual acceptable use policy. On paper you're not allowed to put any personal files on the computer, browse any non-work-related sites, or use a messenger client. In reality, you can bring in your own music or any work-related programs as long as you take the flak for illegal things, browse sites but only for a reasonable amount of time, and the same for messenger.

Re:What they don't say (1)

Volante3192 (953645) | more than 6 years ago | (#21188815)

Course, then there's the opposite extreme where the policy is 'just give them admin if they have a small issue.'

Then there's no issue...but then they start breaking things and downloading fun toys and as a consultant I have no authority over making policy (only suggesting and implementing) and they don't care enough to put in their own and I have to deal with retards whining about "WHY IS MY COMPUTER SLOW?" and have to spend 5 hours cleaning up MyWebSearchToolbar, New.Net and fuck all else...

Least it's job security to some extent.

Re:What they don't say (1)

CrazedWalrus (901897) | more than 6 years ago | (#21188877)

That's the situation I'm in right now. IT Security where I work is very good at what they do, to the point of approaching "unplugged, in a box, encased in concrete, and in a locked vault" secure. Unfortunately, the machines are also about that useful.

Re:What they don't say (0)

Adambomb (118938) | more than 6 years ago | (#21188935)

I'm not in the IT department of my current company, but I have seen situations in the past where devs were given complete control of their local machines. The number of devs who think they are specialists in everything because they're specialists in their fields was mind boggling.

Now, not having a reasonable procedure for devs to request additions to their image with short turnaround IS ridiculous for developers, but giving each individual dev admin locally will eventually end in disaster (especially if you have to have proven control over lines of communication in and out of the company and such).

Re:What they don't say (1, Informative)

Anonymous Coward | more than 6 years ago | (#21189051)

There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

Depends on the kind of developing you are doing. There are many IDEs and testing suites that don't require local admin access.

On the other hand, if you're writing ethernet drivers, you can't test that on real hardware without admin access.

Re:What they don't say (0)

Anonymous Coward | more than 6 years ago | (#21189203)

How about you devs stop disabling virus checking, installing God knows what, and actually do your compiling? Half of these complaints are just a "my penis is bigger than yours" I need admin rights type of thing. gcc can build files without you having admin rights on the box, just fine.

When I first started my job, I'd come across developer machines that were removed from the domain, not running virus scan, had antispyware turned off, not using our corporate image anymore. I'd spend hours cleaning this up, of course knowing my work would be undone as soon as I walked away. Now, I enjoy my job a lot more. I pretend like I didn't notice it (that's funny, our admin account doesn't work...) and report them to security. Nothing like watching a developer handed a box and told to get out to turn my frown upside down!

Re:What they don't say (1)

Some_Llama (763766) | more than 6 years ago | (#21189219)

"Giving a developer a workstation with a user account with no administrator privileges on Windows is among them."

Why would you give a developer a domain system with administrative purposes?

Why not a domain system with a local account that has admin that he can use when testing.. or require development work to be done in a VM session where they control their own permissions?

Why subject the security of the whole network to one user's practices?

I don't want to have to continuously troubleshoot why a system is being knocked off the network because this developer decided to use a computer name that already exists, or knocks production systems off line because he happened to enable DHCP and is now accepting requests from test servers... (to name a couple of examples)

Re:What they don't say (1)

Ohio Calvinist (895750) | more than 6 years ago | (#21189225)

On the other hand (if I may play the devil's advocate), it might actually force Windows developers to code applications that flip out (under limited accounts) because they just "assume" you have full-unconstrained use of the system. :)

I can't list how many times when I was in desktop support/Active Directory admin gigs where I couldn't drop the boom on all kinds of asshattery because there is "this one (poorly written) business critical application." (Why a terminal emulator needs local admin is beyond me to begin with... thanks Datatel).

Re:What they don't say (0)

Anonymous Coward | more than 6 years ago | (#21189247)

Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

Sadly, sometimes Developers with 'admin privileges' are most likely to have a ton of malware on their system.

Last place I worked at, the Windows admin quit (Screaming "I don't do desktop support!" as he left)) and I had to step in for a few months.

All seven developers had several viruses on their systems, claimed to know nothing about the 'porn downloaders' on their system and would download tainted versions of Photoshop over Kazaa (They weren't aware of the retail box with a legitimate copy of Photoshop sitting on a bookshelf 20 feet from their heads).

I don't want to get in the way of a developer's efficiency, and I strongly prefer a 'hands off' approach for corporate IT. However, their ignorance was simply amazing.

When Policies are set by PHB's and you need to by. (1)

Joe The Dragon (967727) | more than 6 years ago | (#21188601)

When policies are set by PHBs and you need to bypass them to get work done, then that is something that should be fixed. Also, password rules that make people write their password down on paper are worse than passwords that don't have as many limits on them.

Re:When Policies are set by PHB's and you need to (2, Informative)

Gibble (514795) | more than 6 years ago | (#21188755)

Pick something you can remember. The simplest way to have mixed case, alpha numeric password with punctuation, is a sentence that you can remember. "Today, a coffee cost $1.99 + TAX!" Secure, simple to remember, and passes all the validation you want to throw at it.

Re:When Policies are set by PHB's and you need to (1)

Joe The Dragon (967727) | more than 6 years ago | (#21188813)

And what about the rules saying that you have to change your password and you can't use part of your last few passwords?

Re:When Policies are set by PHB's and you need to (1, Funny)

Anonymous Coward | more than 6 years ago | (#21188881)

Easy. Add inflation to his sentence.

Re:When Policies are set by PHB's and you need to (1)

Some_Llama (763766) | more than 6 years ago | (#21189255)

"And what about the rules saying that you have to change your password and you can't use part of your last few passwords?"

typically to stop people from using "password1, password12, password123" or "password1, password2, password3"?
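The pattern ewhenn describes above ("Aotepad1", "Botepad1", "Cotepad1") and the "password1, password12, password123" sequences mentioned here are exactly what a password-history rule is meant to catch, yet a rule that only rejects exact matches misses all of them. The check below is an added example (not code from any commenter or from Slashdot) showing how a password-change handler can reject trivial variants of previous passwords instead of only exact repeats. It assumes the handler has the candidate password and the cleartext of the passwords being compared against at change time (in practice that is the current password the user just typed to authenticate, since stored history is normally hashed and only supports exact-match comparison); the function names and thresholds are my own choices.

```python
import re
from typing import List, Optional


def _levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _core(pw: str) -> str:
    """Lowercase and strip digits/punctuation from both ends: "Aotepad1" -> "aotepad",
    "password123" -> "password". This is what survives a user's 'bump the number' habit."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower())


def password_too_similar(new: str, previous: List[str], max_distance: int = 2) -> Optional[str]:
    """Return a human-readable reason if `new` is a trivial variant of any password in
    `previous` (the current password and any cleartext history available at change time),
    or None if it is acceptably different.

    Three tests, cheapest first: exact repeat, same alphabetic core with only the
    surrounding digits/punctuation changed, and a small edit distance (catches the
    'change one letter' rotation such as Aotepad1 -> Botepad1)."""
    new_core = _core(new)
    for old in previous:
        if new == old:
            return "same as a previous password"
        if new_core and new_core == _core(old):
            return f"only the digits or punctuation around {old!r} changed"
        if _levenshtein(new.lower(), old.lower()) <= max_distance:
            return f"within {max_distance} edits of {old!r}"
    return None


if __name__ == "__main__":
    # Constructed candidates illustrating the rotations discussed in the thread.
    history = ["Aotepad1", "password1"]
    for candidate in ["Botepad1", "password2", "password12", "Today, a coffee cost $1.99 + TAX!"]:
        reason = password_too_similar(candidate, history)
        print(f"{candidate!r}: {'REJECT - ' + reason if reason else 'accept'}")
```

The edit-distance threshold is deliberately small: at 2 it rejects single-character rotations and appended digits without refusing genuinely new passwords, and a passphrase of the kind Gibble suggests passes easily.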

Re:When Policies are set by PHB's and you need to (4, Funny)

Otter (3800) | more than 6 years ago | (#21188991)

"Today, a coffee cost $1.99 + TAX!"

And is that the phrase for the dental plan password, the diversity training registration password, or the office supply purchasing password? Or an older phrase for one of them, as each one needs to be changed (out of sync!) 6 times a year.

Re:When Policies are set by PHB's and you need to (1)

Gibble (514795) | more than 6 years ago | (#21189295)

You can't remember more than one password? And honestly, isn't it easier to remember several phrases than several cryptic passwords like "41!ap*17ARK"?

I'm just suggesting a simple solution to strong passwords that are also easy to remember.

As a side note, if there are three systems, keep the passwords the same, while they may get out of sync, you should only need to remember a couple at a time.

If IT hasn't bothered to integrate the systems to use a single login, they aren't going to bother checking that each system uses a different password.

Re:When Policies are set by PHB's and you need to (1)

CBravo (35450) | more than 6 years ago | (#21189199)

Oh come on. I have to type it every 20 minutes because I cannot get PuTTY to save things in the registry to aid automated login. I keep it short and stupid, like the security regime.

Passwords like ASDF12#$ and Welcome22@@ are easy on my wrists.

Unreasonable Policies (5, Insightful)

bazald (886779) | more than 6 years ago | (#21188609)

Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network.
Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.

Re:Unreasonable Policies (1)

kpainter (901021) | more than 6 years ago | (#21188671)

Of the major network screw-ups I can remember where I work, all of them were caused by IT pushing out a rule or utility over the network that exploded on the pad. When this happens, nobody seems to be held accountable.

Re:Unreasonable Policies (2, Interesting)

Maxo-Texas (864189) | more than 6 years ago | (#21188687)

Viruses through Outlook in the last 5 years: over 20 (including 7 PDFs this week)
Viruses successfully deployed to my desktop over the last 5 years: 3 (apparently from laptops plugged into the network without being scanned). The PDFs would have deployed if I had not been suspicious of getting a PDF from a stranger.
Viruses through hotmail in the last 7 years: 0
Viruses through gmail in the last 2 years: 0
Viruses through Yahoo in the last 3 years: 0

---
Documents that were not documents BLOCKED by corporate virus scanners: At least a dozen.

Re:Unreasonable Policies (1)

Kjella (173770) | more than 6 years ago | (#21188865)

Personally I think that one has about 99% to do with employees wasting time and 1% to do with security. Most serious companies I know have a virus scanner running on downloaded files, which I assume is the same one running on e-mail attachments. It's just part of my job to download executables from time to time, and usually I'm allowed to even from companies blocking webmail...

Re:Unreasonable Policies (1)

UdoKeir (239957) | more than 6 years ago | (#21188885)

A friend of mine who worked for a major bank had webmail blocked by her IT dept. They claimed it was for Y2K reasons. I couldn't begin to explain what was wrong with that excuse.

My company's IT dept blocks HTML attachments in email to "prevent viruses". They appear ignorant of the fact that email can be formatted with HTML, or indeed that I have a little program on my desktop designed specifically for downloading HTML files direct from the web.

Re:Unreasonable Policies (2, Insightful)

WK2 (1072560) | more than 6 years ago | (#21189027)

Some policies just aren't reasonable or well thought out.

Exactly. Most corporate policy lists are like U.S. laws. Excessively numerous and impossible to follow. If you tried, you might get fired for not completing your work at the speed of your co-workers. When I was young and naive, a manager actually told me that I can't follow all the policies, and that I just had to do my best to obey what I could, and not get caught for the rest.

I've heard it said that corporate policy exists so that management can point blame wherever they want when something goes wrong, because everybody is breaking the rules. That would be in common with U.S. laws.

And then there is 1/3 ordered to violate.. (4, Interesting)

Maxo-Texas (864189) | more than 6 years ago | (#21188643)

by executives to make unrealistic deadlines which they decided without IT input.

I think it's more like... (1)

kabocox (199019) | more than 6 years ago | (#21188657)

I think it's more like 1 out of 100 of employees actually obey company IT policies. The more management or IT that you are the more that you are liable to freely break IT policies as well.

Re:I think it's more like... (1)

tftp (111690) | more than 6 years ago | (#21188859)

The sad part is that this one employee who does not do anything bad probably does not do anything good either. It is a completely bland person with no interests, no curiosity, and who is even afraid to do something minor and be responsible for that. This is the kind of person who warms his chair for 40 hours per week and collects a paycheck. There is a place for those people - a security guard maybe, or a help desk operator, but not in positions that require an open mind and the power to make decisions.

It's a cat and mouse game with IT (4, Insightful)

rrohbeck (944847) | more than 6 years ago | (#21188669)

Blacklists=>Proxies
Traffic filters=>TOR
etc. etc.

But the real problems are still caused by moron employees who double click on an attachment they got via email. Just happened again last week. The problem isn't people who don't adhere to policies, it's employees who don't have a clue.

And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that.

Only One Federal Employee IS (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21188681)

a WAR CRIMINAL [whitehouse.org]

Re:Only One Federal Employee IS (1)

Pojut (1027544) | more than 6 years ago | (#21188795)

Kilgore Trout, is that patRIOTically you?

NO (0)

Anonymous Coward | more than 6 years ago | (#21189173)

I am Donald Trump.

So much not said (1)

frovingslosh (582462) | more than 6 years ago | (#21188705)

I would find it more interesting to know what policies are being broken, and what percentage of those are either extremely lame or actually downright dangerous to the company (I have a friend who is required to use IE and Outlook for example).

The other 2/3rds are not doing work (1)

sheepofblue (1106227) | more than 6 years ago | (#21188739)

Most policies are written for a very focused set of activities by a group of people that have no idea how others do their jobs. In many cases they also have no clue on how to do IT either, as that layer is busy working. So like absurd laws they generally get the respect they deserve and compliance follows. For example, I worked at a company that limited printing so badly that to print out work-related documents one of our support people had to bring his laptop to our laser printer and jack in; it did not let him print from the partition he had the work on (it needed to be there because of the IT setup). Further, he could have emailed it, but they would bill his department by the KB. After that do you really think he cared about their rules?

Re:The other 2/3rds are not doing work (1)

King_TJ (85913) | more than 6 years ago | (#21189223)

Yep! I've always done system administration from the viewpoint that the computers are there as TOOLS for everyone to use. By the very nature of computing, you can't expect to make almost any specific, hard and fast rules that cover all scenarios. It's a constantly moving, evolving target.

You block a range of ports on the firewall because "bad app X uses them, and we don't want bad app X running!"? Next thing you know, it breaks 3 other legitimate apps people need to be more efficient in the workplace.

You THINK you understand when, where and how people need to do printing? I guarantee you missed something.

I think the best compromise between "security" and "usability" is to deploy the common sense measures everyone can agree offer benefits. Install a good anti-virus solution, centrally managed if possible. Set up some sensible security restrictions on some of the shared folders on the network. Run a decent web filtering solution that blocks known "not work safe/related" sites - but generally err on the side of accessibility, rather than locking it down TOO tightly. (If an employee is constantly surfing sites they shouldn't be on, that's a MANAGEMENT issue - not a technical one, ultimately.) In a Windows network, group policies are very useful too. Again, don't go crazy locking things down - but enforce a few things, like a reasonable default cache size for Internet Explorer and a screen saver that kicks off after, say, 10-15 minutes, password-protected. And lastly, I've had great luck using third-party spam filtering services for email. (Why struggle and spend valuable system resources trying to do that yourself? Many ISPs and other services will offer it, site-wide, for maybe $40 a month or so.)

most employees... (1)

Threni (635302) | more than 6 years ago | (#21188741)

> Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

Most employees have the misconception that the highly paid tech guys who run the networks and administer the PCs are capable of ensuring the whole system is secure. The inconvenience many people encounter getting their work done, what with locked down PCs, blocked sites and patronizing policies, they imagine, surely means that any site I can visit, or email I send/receive, is ok. Otherwise, why bother?

Re:most employees... (5, Interesting)

ivan256 (17499) | more than 6 years ago | (#21189021)

I've actually tried this little social experiment.

I run the network for my mother's company for free, so I'm allowed whatever liberties I'd like in deciding policy instead of having it dictated by a boss. They've got over 20 machines, and they aren't formally assigned, so if one goes down it's not the end of the world; the employee can use one at another desk for a while. Usually they use the same one every day though.

The experiment was this:

Four new employees. Four new Windows XP Professional PCs. All use Firefox for a browser and Thunderbird for e-mail, along with the proprietary manufacturing/sales app that they run their business with. Two machines got Symantec anti-virus, and the other two got no anti-virus. They were told that since we don't have a copy for that machine, they'll just have to be extra careful about what documents they open, and how they use their e-mail. (We really were out of licenses/subscriptions, which is how this started.)

After three months, both of the AV-free PCs were completely fine, and one of the machines that had the anti-virus was running a botnet spammer (the outgoing spam was being blocked by the firewall). The most amazing bit though, was that the fear of not having anti-virus protection had stopped users of those two machines from doing most of the non-viral bad stuff that average Windows users do. There was no proliferation of toolbars, no WeatherBug.... They didn't even have RealPlayer.

It's amazing what a false sense of security people get from running anti-virus software. They don't even realize that they still have to be careful because 0-day threats aren't in the latest virus definitions yet. They think they can do whatever they want, because they are protected.

The whole company has since gone anti-virus free on the desktop, and problem reports and performance complaints have dropped way down. Education and a healthy dose of respect for the evils of the world work better than any anti-virus on the market. And the cost savings are nice too.

(There is still some basic protection in place. All internet access is through a secured web proxy. Non-http traffic isn't allowed. Intrusion detection on the firewall, etc... And the servers are still scanned, AVG on the windows servers, chkrootkit on the linux servers.)

So what's the % for IT employees? (1)

suppo (267896) | more than 6 years ago | (#21188761)

Since 1/3 is for all employees, I'm venturing the % is over 90% for IT employees behind the cipher locks. And anyone reading this from work sure is.

"Used P2P technologies" (0, Troll)

amorsen (7485) | more than 6 years ago | (#21188829)

"Of those, almost a sixth actually used P2P technologies from their work PCs."

Ooohh scary. I guess I'll be testing Fedora 8 later than expected, since using bittorrent for fetching it is now completely out of the question. Except that the company policy luckily does not forbid using "P2P technologies" where I work.

Hell, most companies aren't concerned... (2, Interesting)

msauve (701917) | more than 6 years ago | (#21188845)

with the privacy of their employees. Case in point, mine provides my Social Security number to third parties, against my express direction, with absolutely no business need, and in direct violation of their own written privacy policy.

Where I work... (5, Interesting)

Toreo asesino (951231) | more than 6 years ago | (#21188847)

...there's a very relaxed IT policy.

Browse whenever you want, take whatever software you want home, check your email if you want, everyone's their own local admin, no audits.

However, if you get caught with illegal software, miss a deadline because of blatant time-wasting, then you get fired (for continuous abuse). People work not because of policy, but because they want to do well and enjoy what they're doing.

I happen to also work in one of the biggest names in IT too... not some small company. The policy works very well, as is evident from the company's success and the fact people rarely leave. That and brain-implants, anyhow.

let me guess (1)

biscon (942763) | more than 6 years ago | (#21189313)

you work for Microsoft? ;)

In soviet Amerika, policy violates you! (0, Troll)

fred fleenblat (463628) | more than 6 years ago | (#21188863)

I get annoyed when a company violates MY policies.

* tracks my personal info, e.g. name, address, phone, email, shopping habits
* tries to limit my freedoms with invasive EULAs
* goes with cheap/easy IT choices that make them a prime target for bots, spam, and virus
* spreads FUD about competitors when the competitors are actually better
* tries to sell me a $2,000 product that I can do myself with a shell script
* tries to lock up my data in their proprietary format

If my installing Linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong, not me. I'm not responsible for someone else's shortsighted policies; in fact I have a civic duty to violate them in the most flagrant and obvious way, to shed light on their stupidity.

Re:In soviet Amerika, policy violates you! (0)

Anonymous Coward | more than 6 years ago | (#21189037)

Exactly. Once, Firefox, which was installed on my computer by the IT staff, got a Windows error that "The operation you have requested has been blocked"; later it got removed. I can't stand IT staffs that are dumber than the average Slashdot reader; most of the comments that are even marked troll are better than most IT staffs.

Re:In soviet Amerika, policy violates you! (1, Troll)

iknownuttin (1099999) | more than 6 years ago | (#21189069)

> If my installing Linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong, not me. I'm not responsible for someone else's shortsighted policies; in fact I have a civic duty to violate them in the most flagrant and obvious way, to shed light on their stupidity.

You still have a job?

Re:In soviet Amerika, policy violates you! (0, Flamebait)

bigstrat2003 (1058574) | more than 6 years ago | (#21189151)

Wrong. Any company, no matter how retarded their IT policies are, has the right to run their company the way they wish. If you don't like it, you are, of course, well within your rights if you choose not to work there. If you want to get the policy changed, that's your right too.

What you do not have is a "civic duty" to break the rules set down by your employer. Go ahead and do so, I don't care, but don't make yourself out to be a hero because you're doing it. You aren't. And this isn't even getting into how some of the "violations" you list are ridiculous, and are also well within a company's rights.

Re:In soviet Amerika, policy violates you! (2, Informative)

Jhon (241832) | more than 6 years ago | (#21189307)

> If my installing Linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong, not me.

There are countless examples available, but let's just focus on one you provided: your 'unapproved' email client.

*YOU* are in the wrong. This is true if *YOU* are not paying for the hardware. This is true if you do not pay the support staff. It is not up to an employee to dictate what services a company's IT department will support -- that's up to management (hopefully with IT input -- but certainly not final say-so).

We have limited budgets. I don't want to require that my staff knows Eudora AND pine AND OE AND Outlook AND Thunderbird AND xyz AND abc AND fillintheblank. By making everyone use the same email client (or limited set of clients), you reduce training costs and, quite frankly, you eliminate the user shooting themselves in the foot. YES, there are some users who are quite able to troubleshoot for themselves. BUT, try telling Bob the luddite he can't use Thunderbird (something he may have never used, but likes the way it looks) when Lennie The Linux Master two desks down is running pine!

Simple solutions for companies who don't want silly and frequent helpdesk calls: Keep the workstations as uniform as possible within the scope of work any given employee is required to complete. Feel free to start your own business if the company rules don't appeal to you.

stupid IT - silly rules. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21188879)

It's pretty obvious when you work in a company with an R&D department filled with people that have a higher education and competence than most of the IT staff, combined with a paternalistic attitude of the IT staff (to hide their own limited knowledge), that R&D will no longer bother to file obvious requests to IT to get basic tasks done, but instead will use all kinds of backdoors to get these tasks done fast and easy in order to allow them to focus on the real challenging work they are hired for.

It's not perfect, but it's reality :-/

and yes, I'm posting as an AC here.

Leverage (1)

Jonny 290 (260890) | more than 6 years ago | (#21188893)

In my experience, the "IT policies" of a company are generally so restrictively worded that they'll catch almost any individual at some point in time for a "policy violation." They are rarely enforced as a matter of practice or true benefit to the company's security and IT performance, but provide excellent leverage against employees who are under the hot lights for unfireable offenses. Simply whip out that pattern of browsing Myspace, whip out the IT policy, and have them sign their resignation letter right there.

Bing... Bing... Bing... (1)

Belial6 (794905) | more than 6 years ago | (#21189231)

And that is the answer that most people miss. I would say that frequently, even if an employee wanted to follow policy, they could not because their jobs actually require them to violate the policies.

This is not limited to IT policy though. At 2 of the last 3 jobs my wife had, she would be told by her manager that they didn't care how she got a new copy of documents dated three days early, but that she better do it. It was obviously an instruction to not only violate policy, but the law. Of course the firings for following policy generally could be described as "encouraging to quit". These kinds of instructions are common outside of IT, so I can't understand why anyone would expect IT to be any different. Oh, that's right, it's on a computer. ;)

How is it so "risky" (1)

webmaster404 (1148909) | more than 6 years ago | (#21188903)

How is checking your e-mail, downloading software or using P2P software "risky"? The number 1 rule for all corporate networks is that you lock down your network; at home the most someone could really do is install a bot and make you send out spam messages. At work, your machine should at least have a network-wide firewall, up-to-date antivirus if it's a Windows machine, and an under-privileged account if it's Windows or Linux. But if everyone switched to Linux, none of it would really be a problem. But seriously, it poses little to no risk to a properly configured machine, nearly non-existent if you're not using Windows. Because checking your e-mail, web based through Firefox or through POP with Thunderbird (or anything that's not Outlook), as long as you don't download any binaries, you're safe. As for spyware, just use Firefox; that takes care of most "drive-by-downloads" that IE has and those are the number 1 cause of malware. As for P2P, as long as you have a decent firewall and don't download anything of questionable legality, the most it does is use up bandwidth, which most ordinary workers won't even feel, and most smaller ISPs allow you infinite bandwidth.

OpenVPN... (0)

Anonymous Coward | more than 6 years ago | (#21188911)

OpenVPN + Colo'd Linux Server with SQUID Proxy = The Awesome

Re:OpenVPN... (0)

Anonymous Coward | more than 6 years ago | (#21189187)

I was canned for a similar setup (SSH tunnel + colo'd linux with squid).

Pro tip: Don't try this from any place which has even a single person working network security full time. They will notice.
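Added example, not from either poster, written from the network-security side this reply describes: it walks a constructed firewall flow export and flags long-lived outbound SSH/OpenVPN sessions to non-allowlisted hosts that mostly pull data in, which is the shape both the OpenVPN and the SSH-tunnel-to-Squid setups above leave in the logs. The addresses, the allowlist and the thresholds are assumptions.

```python
"""Flag long-lived outbound tunnels (SSH / OpenVPN) in firewall flow records.

Added example, not from the thread. The CSV columns, hosts, allowlist and
thresholds below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Ports that commonly carry a personal tunnel out of a workstation LAN (assumed).
TUNNEL_PORTS = {22: "ssh", 1194: "openvpn"}
# Hosts staff may legitimately reach on those ports, e.g. a corporate git server (assumed).
ALLOWED_TUNNEL_DESTS = {"198.51.100.10"}
# A session longer than this that receives far more than it sends looks like web
# browsing pulled back through a tunnel rather than an interactive shell.
MIN_DURATION_S = 30 * 60
MIN_BYTES_IN = 5_000_000

# Constructed flow export: timestamp, internal source, destination, port, proto,
# session length, bytes sent by the workstation, bytes received by it.
FLOW_LOG = """\
ts,src,dst,dport,proto,duration_s,bytes_out,bytes_in
2007-11-01T09:02:11,10.0.5.23,198.51.100.10,22,tcp,95,18000,41000
2007-11-01T09:05:40,10.0.5.44,203.0.113.7,22,tcp,28800,2100000,910000000
2007-11-01T09:06:02,10.0.5.44,203.0.113.7,22,tcp,3600,400000,120000000
2007-11-01T10:15:00,10.0.5.61,203.0.113.9,1194,udp,25200,900000,650000000
2007-11-01T10:20:00,10.0.5.12,93.184.216.34,80,tcp,14,1200,68000
2007-11-01T11:00:00,10.0.5.77,203.0.113.20,22,tcp,120,9000,7000
"""


def parse_flows(text):
    """Parse the CSV export into dicts with the numeric columns coerced to int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("dport", "duration_s", "bytes_out", "bytes_in"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def is_suspect_tunnel(flow):
    """True for a non-allowlisted, long-lived tunnel-port session that mostly pulls data in."""
    if flow["dport"] not in TUNNEL_PORTS:
        return False
    if flow["dst"] in ALLOWED_TUNNEL_DESTS:
        return False
    return (flow["duration_s"] >= MIN_DURATION_S
            and flow["bytes_in"] >= MIN_BYTES_IN
            and flow["bytes_in"] > 10 * flow["bytes_out"])


def find_tunnel_users(flows):
    """Group suspect sessions by internal host: {src: [(dst, kind, hours), ...]}."""
    findings = defaultdict(list)
    for flow in flows:
        if is_suspect_tunnel(flow):
            kind = TUNNEL_PORTS[flow["dport"]]
            hours = round(flow["duration_s"] / 3600, 1)
            findings[flow["src"]].append((flow["dst"], kind, hours))
    return dict(findings)


if __name__ == "__main__":
    for src, sessions in find_tunnel_users(parse_flows(FLOW_LOG)).items():
        print(src, sessions)
```

The short session to the allowlisted host and the two-minute SSH session are left alone; only the hour-plus sessions that receive tens of times more than they send are reported.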

This is bad for a surprising reason (1)

zappepcs (820751) | more than 6 years ago | (#21188929)

It is bad, first because as mentioned, that number is low. Second because they violate them because they CAN. IT security is nearly as futile as the war on drugs. Its current incarnation does nothing to reduce the demand, nor does it adequately address the problem.

In the workplace, the employer (owner of the IT infrastructure) has a duty to inform employees how the tool(s) are to be used and what is mis-use. Additionally, the stick and carrot method is not appropriate. If you catch your child using your favorite pair of pliers to hammer a nail to hang a picture, you do not scold them and tell them to not hang pictures. You provide them with a proper hammer and some education on how to use it properly as well as assistance in hanging the picture, along with perhaps a discussion of what is appropriate kind of picture to hang on the wall of their room.

Employers are faced with a new world regarding these IT tools, and to ignore the natural desires of people is to ignore their own security. I fully endorse the policy of allowing some things, such as Internet radio, or checking news sites. If that uses too much bandwidth, funnel such traffic through a proxy to a bandwidth limited connection. Separate your company traffic from benefit traffic. Lock all connections down with security and virus scanning etc. but do not use the stick and carrot... it does NOT work, will not work, cannot work.

Firefox violated IT Policies (1)

hansamurai (907719) | more than 6 years ago | (#21188939)

Two years ago I received an email from IT informing me that I was using the application Firefox and that a "major security vulnerability" had been discovered. They told me I had to use Internet Explorer as it was "much more secure".

Whether or not IE was actually more secure on our network isn't really the point, but I still had a great laugh out of it. I simply updated Firefox and that took care of that, never heard from them again about it.

Re:Firefox violated IT Policies (1)

TheDrewbert (914334) | more than 6 years ago | (#21189033)

I was told by my PHB that I wasn't allowed to use Firefox because a security vulnerability had been found, and he handed me a printout of the article. I forget which one it was, but it had something to do with phishing scams. I told him that I wasn't dumb enough to fall for phishing scams and if I did it wouldn't be hurting the company anyway. This is the same guy who went ballistic because my iTunes library file (not the actual, legal MP3s; those were on my C drive) was on the network and taking up 4 megs of space. He actually went to the president of the company about this. He was just looking for a reason to fire me because I reported his sexual harassment of a co-worker. I let them, then took them to the cleaners.

Skewed sample (1)

DoofusOfDeath (636671) | more than 6 years ago | (#21188945)

Shouldn't the headline be (in fewer words):

"Consider the employees stupid enough about security that they describe, to a stranger on the phone, the ways that they make their company networks less secure. 1/3 of them also violate corporate IT policy."

The real WTF is that *anyone* answered those questions on the phone.

So, (3, Interesting)

no-body (127863) | more than 6 years ago | (#21188987)

what is wrong here? Rules or people?

Whenever rules are broken, something of the two is off.

Remedies are not always adequate and can lead to more trouble.

Re:So, (1)

webmaster404 (1148909) | more than 6 years ago | (#21189205)

Generally it's the rules. Sure, you should be able to block "inappropriate" sites, but there's no need to block "time wasting" sites such as Myspace, Facebook, Digg, Slashdot or YouTube. If an employee can finish their work in 3 hours and no one can give him/her more work for, say, an hour, there's nothing wrong with them watching a few YouTube movies. The fact is most of these "content filters" end up being more harm than good because most of the IT staff doesn't even know how they work. And all it does is annoy the average employee. So simply, if businesses would just switch to Linux, put up a simple content filter, and a firewall, all would be good.

policy? (4, Funny)

bigdavex (155746) | more than 6 years ago | (#21188993)

I'm not supposed to post on internet forums.

"That's your job..." (1)

B5_geek (638928) | more than 6 years ago | (#21189015)

One of the places that I worked as a contractor was rife with this type of abuse. I mentioned to one of the users that they were the cause of the problems; the response staggered me:

"It's your job to keep the computers safe, not mine."

Alas logic held no sway on their minds.

Less legal mumbo-jumbo in employee agreements (2, Insightful)

failedlogic (627314) | more than 6 years ago | (#21189081)

I recall before a lot of companies had terms of network use, a few employees where I worked had been downloading games from warez servers because the company network was significantly faster than anything available at the time. I knew even the network admin was violating this. I very much felt like reporting it, but as an entry-level employee on their first job, 1) I would feel guilty with getting someone fired; 2) I didn't feel like testing management by reporting this and see myself get fired; 3) I didn't really understand the policy and didn't know what to do.

I'll make clear that I wouldn't let this go today.

My point in all this is, some people starting at the company may be aware of activities the admins themselves or other staff are performing which management may not be. My first job was relatively simple and well paid; I have had no beefs with the company. But our acceptable-use policy book was some 20-30 pages long. This was about 10 years ago. I would rather have had a 1 page document, sign at bottom: I will not download viruses or warez, share company information or NDAs to outsiders, etc on company time. If I know another employee is doing so, please report anonymously to. Violators will be disciplined or fired.

Really, does it really need to be any longer than this or more complicated? It simplifies reporting and makes the issue and repercussions clear. Get the 20 page document too if you must. But the one-pager should be clear to *all* employees regardless of law degree. But help make it clear too, that if you mistype a domain and get a porn site, you shouldn't have to hide it and feel like someone is about to can you (e.g. whitehouse.com vs whitehouse.gov).

You must be kidding... (1)

TheBrutalTruth (890948) | more than 6 years ago | (#21189105)

I can't believe it. Next someone will say that 65% of Slashdot users like p0rn. Insane!

Talking to a stranger on the phone about security (1)

joeflies (529536) | more than 6 years ago | (#21189119)

Seems like a violation of security policy to take an unsolicited call asking questions about security for a purported "Survey". Did any participant actually check the credentials of the person conducting the survey before giving answers about the security of their enterprise?

So anyone who answers the survey (not just the 1/3 who said yes) is in violation of policy.

Astonishingly enough... (1)

Wazukkithemaster (826055) | more than 6 years ago | (#21189121)

One third of IT employees were fired this week... which third? well... any third will do.

Community Forums Blocked (0, Redundant)

lymond01 (314120) | more than 6 years ago | (#21189157)

My company policy doesn't allow posting on community forums.

Bullshit! (1)

radiumhahn (631215) | more than 6 years ago | (#21189207)

Bullshit! Way more than two thirds of companies don't have IT policies to violate!

slashdot (1)

antdude (79039) | more than 6 years ago | (#21189281)

Hmm, I think reading /. violates my employer's IT Policies. :P