One-Third of Employees Violate Company IT Policies 320
BaCa writes with a link indicating that a survey of white collar US workers shows that something like a third of all employees break IT policies. Of those, almost a sixth actually used P2P technologies from their work PCs. Overall, the survey indicates workers aren't overly concerned about any kind of security: "The telephone survey found that 65% of white-collar professionals are either not very concerned or not concerned at all about their privacy when using a workplace computer. A surprising 63% are not very concerned or are not concerned at all about the security of their information while at work. Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."
I don't believe it (Score:5, Insightful)
The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.
of course (Score:2, Insightful)
Seriously though, for most people, unless they know there's a risk of being fired if they don't comply, chances are that they're not going to care about corporate IT policies. Most companies don't actual police them, so what benefit do they have in following them?
While people should be responsible enough to do what their job requires, it falls back on the corporate IT folks to make sure their policies are enforced.
Unreasonable Policies (Score:5, Insightful)
Re:What they don't say (Score:2, Insightful)
It's a cat and mouse game with IT (Score:5, Insightful)
Traffic filters=>TOR
etc. etc.
But the real problems are still caused by moron employees who double click on an attachment they got via email. Just happened again last week. The problem isn't people who don't adhere to policies, it's employees who don't have a clue.
And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that.
Re:I don't believe it (Score:3, Insightful)
Re:I don't believe it (Score:2, Insightful)
Re:I don't believe it (Score:2, Insightful)
I already block all p2p, now I'm going to have to block music and video sites too. I don't care what is appropriate or what isn't, I'm tired of my boss asking me why the Interweb is slow.
It sucks being the bad guy but I like my job.
Re:What they don't say (Score:5, Insightful)
Re:Unreasonable Policies (Score:2, Insightful)
Exactly. Most corporate policy lists are like U.S. laws. Excessively numerous and impossible to follow. If you tried, you might get fired not completing your work at the speed of your co-workers. When I was young and naive, a manager actually told me that I can't follow all the policies, and that I just had to do my best to obey what I could, and not get caught for the rest.
I've heard it said that corporate policy exists so that management can point blame wherever they want when something goes wrong, because everybody is breaking the rules. That would be in common with U.S. laws.
Less legal mumbo-jumbo in employee agreements (Score:3, Insightful)
I'll make clear that I wouldn't let this go today.
My point in all this is, some people starting at the company may be aware of activities the admins themselves or other staff are performing which management may not be. My first job was relatively simple and well paid, I have had no beefs with the company. But our Acceptable-use policy book was some 20-30 pages long. This was about 10 years ago. I would rather have had a 1 page document, sign at bottom: I will not download virsues or warez, share company information or NDAs to outsiders, etc on company time. If I know another employee is doing so, please report anonymously to. Violators will be disciplined or fired.
Really, does it really need to be any longer than this or more complicated? It simplifies reporting and makes the issue and repercussions clear. Get the 20 page document too if you must. But the one-pager should be clear to *all* employees regardless of law degree. But help make it clear too, that if you mistype a domain and get a porn site, you shouldn't have to hide it and feel like someone is about to can you (e.g. whitehouse.com vs whitehouse.gov).
Re:I don't believe it (Score:1, Insightful)
Some of us just cover our tracks very well.
Re:I don't believe it (Score:5, Insightful)
Re:I don't believe it (Score:3, Insightful)
-- From the late Rear Admiral Grace L. Hopper, founder of commercial computing and lead developer of the original COmmon Business-Oriented Language compiler.
Sometimes you have to lead.
Let people browse! (Score:4, Insightful)
Re:of course (Score:4, Insightful)
Re:I don't believe it (Score:3, Insightful)
Just for the record, I've been a developer, a hell desker and a sysadmin, so I know what the battlefield is like on both sides. No doubt others do to.
Re:most employees... (Score:5, Insightful)
You think virus protection protects your net work? You missed the entire point. Then you followed it up with a broken car analogy.
Perhaps you should try understanding what you do for a living instead of doing whatever some book and a whole bunch of marketing literature told you to do.
I check in on my machines and make sure they are working. I protect my networks, and make sure that if they *do* get infected they're not going to infect *your* network.
Judging by your comment, on the other hand, you merely install security-blanket style security software on your systems and think that makes you "responsible".
Users have no remorse because they are given zero responsibility. Why should they care if they fuck up your machines? You secured them. They're protected. They're both "safe" because of the protections, and completely disallowed from making any responsible decisions about their own machines, so they take zero responsibility.
You, sir, are the cause of your own user-troubles.
Re:What they don't say (Score:4, Insightful)
Re:I don't believe it (Score:5, Insightful)
Silly to think of things that trivial can count, but there are reasonable reasons for them. The problem is that they are all general and not focused on if the person intended to violate them. I would not be surprised if one third of people knowingly violated their company policy.
Re:I don't believe it (Score:5, Insightful)
In this case, virus checking is the least of your worries. If you're including those third-party libraries in your software, you need to be getting them approved by your legal department to make sure you're not creating huge copyright violations.
Re:I don't believe it (Score:4, Insightful)
Re:Lol (Score:4, Insightful)
Not every IT person should. IT is a service industry. They need to make sure they are providing the service that is actually desired.
Downloading torrents is a pig on bandwidth, but unless bandwidth is cramped. So what?
Downloading from external email accounts may carry greater virus risks, but they are going to pick up the messages when they get the laptop home anyway, so the machine comes in infected tomorrow instead of this afternoon. Or they'll pick it up through some webmail account somewhere that you haven't blocked. Or they'll hook up their laptop to their cellphone/pda.
Some IT departments should say "no fucking way". But in a lot of them IT is supposed to simply be providing a secure reliable functional network. That doesn't necessarily mean locking it it down so hard that its reliability reaches 5 9s, and its so secure even the users can't get in half the time, while functionality is at the bare minimum specified in an SLA, while IT pats itself on the back for a job well done.
Meanwhile half the staff have resorted to personal laptops/pdas and cellular data plans because they can't get email from important customers through the company mail server, and they can't access web content they need through the company network without jumping through stupid hoops each and every time... and IT just stands around saying "no fucking way".
For every PHB manager drawing up pointless re-org charts and misusing buzzwords, and marketing moron promsing perpetual motion machines and obsessing over what color they should be, there is an IT-admin somewhere very effectively ensuring his network is as hostile, unfriendly, and as unusable as possible to the people trying to use it.
Like I said, Some IT departments should say "no fucking way". Some environments and situations DO demand that. But many of them say that a hell of a lot more often than is remotely justifiable.
Re:I don't believe it (Score:2, Insightful)
That's what I thought. I can't imagine why IT might want to exercise some oversight over what you're installing.
Re:I don't believe it (Score:1, Insightful)
You would think that the gods of IT would get a few standard EULAs reviewed in-depth, and ensure that nothing is installed with an unapproved license. Instead, they simply buy commercial products and assume that it's OK to install them. Where are the internal audit people? SOX? Helloooooo!
I can think of nothing that would accelerate the adoption of open source faster than mandatory legal review of license terms and conditions. The review process for GPL, BSD, etc. for internal development should be like rolling through a toll booth with a speed pass on your dashboard. Anything else, and it's like waiting for customs to ask a bunch of questions and search your luggage for non-conforming usage. The legal dept. should be sifting through every license (making sure the terms have not changed since the last upgrade) -- holding a series of meetings to compare the expected usage to the authorization granted by the license.
It reminds me of a Star Trek episode where a software glitch causes a space probe to kill anything that is not perfect. Capt. Kirk points out the space probe's own flaws and tells it to proceed with its programming. Luckily, he beams back to the ship before the thing self-destructs. Maybe it's time to tell legal and IT that if these policies are truly worth having, they are worth enforcing to the letter of the law. Let's see where that goes!
You know, if we threw the proprietary vendors out of corporate IT, there would be standardization. As an added bonus, the legal and finance departments would be no longer involved in the procurement process. There would also be fewer choices, but traditional corporate IT is sticking us with mostly bad choices anyway.