One-Third of Employees Violate Company IT Policies

BaCa writes with a link indicating that a survey of white collar US workers shows that something like a third of all employees break IT policies. Of those, almost a sixth actually used P2P technologies from their work PCs. Overall, the survey indicates workers aren't overly concerned about any kind of security: "The telephone survey found that 65% of white-collar professionals are either not very concerned or not concerned at all about their privacy when using a workplace computer. A surprising 63% are not very concerned or are not concerned at all about the security of their information while at work. Additionally, most employees have the misconception that these behaviors pose little to no risk to their companies."

I don't believe it

[stoolpigeon]

I'm guessing a more accurate headline would be: One-Third of Employees Admit to Violating Company IT Policies
 
The rest just didn't let on - because there is no way the number is that low. Or they didn't outright lie, they just didn't even know they had violated company policies.

Re:I don't believe it

[vertinox]

Or they didn't outright lie, they just didn't even know they had violated company policies.

I don't know how many times a conversation went like this:

Me: Whats your user name?
User: Its u2343 and my password is "bobspassword"!
Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!

Re:

[Anonymous Coward]

Me: Wait! ARRRRRGH! Don't tell me that! I'm not supposed to know your password, I just wanted your user name!


Me: Sigh. Please change your password. Please don't share your password with anyone, including IT staff.
User: Ok, now I changed it to 'bobspassword2'.
Me: ARRRRG!

Re:I don't believe it - bofh handbook reply

[cumin]

User: Ok, now I changed it to 'bobspassword2'.

Me: Sorry, we can't both know your password, so I changed it.
User: To what?
Me: If I told you, then we'd both know it wouldn't we? yuk yuk yuk
User: [grumbling] Okay, I'll change it, but I won't tell you this time.
Me: Okay, it's temporary though, and will force you to change it when you log in, ready?
User: *sigh* ready.
Me: [mumble: random, okay] a;@#aslkdfQQQ$@$#%faWerrr@!!a;lskd1.

Nobody, but nobody leaves their password as the one I give them. Few tell me twice.

Re:

[Otter]

Also, if I'd been surveyed as to whether checking webmail is "risky", I'd also have said that it isn't. It's certainly not "risky" on the level that downloading and running some P2P application is; it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

Re:I don't believe it

[ewhenn]

it's not even dangerous on the level that requiring 20 different, complex, constantly changed passwords is.

Personally, I find that this constand password actually *lowers* security. I would like to present myself as an example. We have to change our passwords to something with 3 of 4 items (CAPS,lowercase,numbers, and Special characters). We are required to change our password monthly. So instead of having a nice secure password like "jd%2MdEP!7rqA" that I can remember say... once a year.. I just do something like "Aotepad1"..next month "Botepad1"...next month "Cotepad1" so I can remember the damn thing. Each application requires it's own password, so requireing the average user to constantly change them is going to make them go with poor password choices instead of strong ones.

Sometimes too much "security" is weaker security.

Re:

[dnormant]

What's sad where I work is it's the helpdesk and desktop administrators that are the worst. We have Websense to block the inappropriate web sites. Then they learned they could VPN in and that basically goes around Websense. Now they're tying up my firewall AND my VPN router.

I already block all p2p, now I'm going to have to block music and video sites too. I don't care what is appropriate or what isn't, I'm tired of my boss asking me why the Interweb is slow.

It sucks being the bad guy but I like my job.

Re:

[COMON$]

Your firewall should allow for rule schedules, obviously there is no need for you "techs" to vpn during work hours unless they are in the field. Or just disable VPN from behind the NAT. From one natzi admin to another the IT staff will always be your worst customers at policy compliance.

Re:

[Fulcrum of Evil]

Because techs never work from home...

Re:

[COMON$]

Because if you are a good admin, the use is incapable of violating your policies. Outbound port locks, packet monitoring, AD policies....ahhhh to be a natzi but who has that kind of time ;)

Re:I don't believe it

[COMON$]

hmmm, what about a fear of the unknown, the place I used to work posted a message saying the administrator has been alerted of the activity, nothing breeds fear like 1984 :)

Re:I don't believe it

[GreyyGuy]

Exactly. Between email retention policies, internet usage, and everything else, I would not be surprised if over 90% of people have violated them. Check your yahoo email at work? Violated company policy. Plugged in a USB drive or your iPod? Probably violated company policy. Installed non-approved software? Anything from IM software to Open Office to spyware checker to p2p software. Violated company policy. Sent your friend/spouse/significant other/family member and email from your work account? Violated company policy. Viewed something risque online at work? Even if not intended, that probably violated company policy.

Silly to think of things that trivial can count, but there are reasonable reasons for them. The problem is that they are all general and not focused on if the person intended to violate them. I would not be surprised if one third of people knowingly violated their company policy.

Re:I don't believe it

[Anonymous Coward]

Hell, I'd be happy if 1/3 of our employees could even name all of the IT policies they were breaking.

Re:

[Anonymous Coward]

Believe it. IT breaks the most policies because they don't get in trouble and then blame non-IT personnel for doing what they do. I know I used to do it as IT. So don't blame employees. I wouldn't be surprised to see numbers on IT employees and have it show 99% break those policies they themselves enforce!

Re:I don't believe it

[33MHz]

Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.

I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember). If I followed the rules to the letter, I wouldn't download the libraries. But I don't follow them, so by using this software that nobody is "approving" I'm breaking the rules.

But when did our security manager review the source code for Windows XP to make sure it's OK?

Re:

[Nefarious Wheel]

"It's easier to apologise than to get permission"

-- From the late Rear Admiral Grace L. Hopper, founder of commercial computing and lead developer of the original COmmon Business-Oriented Language compiler.

Sometimes you have to lead.

Re:

[Andrew Kismet]

She certainly didn't get permission to inflict COBOL, yet I hear no apology.

Re:

[Architect_sasyr]

Couldn't agree more. As part of a development team that works in the same room as the IT team, I sometimes think about what they are doing on a daily basis, and the rules they enforce for the rest of us mere mortals seem completely pointless.

That's because you are, as you say, mere mortals ;)

I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).

And this is why I said you're a mere mortal. As a sysadmin it is i

Re:I don't believe it

[mrchaotica]

I often need third-party libraries when I'm developing my software so I just get them off the Internet (sometimes virus checking them if I remember).

In this case, virus checking is the least of your worries. If you're including those third-party libraries in your software, you need to be getting them approved by your legal department to make sure you're not creating huge copyright violations.

Admit it

[blueZ3]

you'd be happy if 1/3 of your company's employees knew that there was an IT policy. Heck, if they even knew what the IT department WAS.

Re:

[Anonymous Coward]

Considering they hire people that can't spell "third" ... ;-)

really?

[Dance_Dance_Karnov]

only a third?

Only one third?

[Reality Master 201]

Bullshit. Maybe 1/3 are dumb enough to cop to it.

Perhaps you've got it backwards and only 1/3 don't violate IT policies. And even that sounds light.

Re:

[ivan256]

1/3 admit to it.... The other 2/3rds don't even know what the policies are in the first place.

Re:

[arivanov]

1/3 admit
1/3 lie
1/3 does not give a f**k

About right by the look of it.

Not that IT does not deserve it.

Any stupid, prudish, paranoid or sometimes outright insane request can become a policy item in a matter of minutes.

Example (happened to me). A new HR director comes in horrified wanting to talk to you how do you dare not having a content filter to stop inappropriate content from being viewed.

The usual IT professional goes and implements it straight away. The fact that nobody is viewing it in the first place

Re:

[dbIII]

It really depends on how tight the policies are, how congested the link is, and if they are aware of how much logging is going on. Do to problems with communications infrastructure in Australia I can't get as fast a link at work as many users have at home. A side effect is they run their p2p stuff at home and if they do it at work they just get a polite visit and get told there isn't enough bandwidth. Multiple slow links only spread the pain they don't reduce it much. If there is just a resource based p

of course

[Vanden]

I think most of us could've told them that without all of the silly research.

Seriously though, for most people, unless they know there's a risk of being fired if they don't comply, chances are that they're not going to care about corporate IT policies. Most companies don't actual police them, so what benefit do they have in following them?

While people should be responsible enough to do what their job requires, it falls back on the corporate IT folks to make sure their policies are enforced.

Re:of course

[Aetuneo]

So most people realize, on some level, that the purpose of many of these rules is to make the people administering the network feel safer? For example, if you a company is sued by the RIAA/MPAA on the basis of someone on their network downloading music/movies illegally, they would have the protection of that being against their policies, so they can either fire that person for violating the policies, or pass on the lawsuit (for example, suing that person in turn). Thus, if you know what you are doing, it doesn't matter if it is against the rules unless attention is drawn to it - and unless it is harmful, the worst that would happen is probably a slap on the wrist, and perhaps not even that.

Re:

[PitaBred]

They make network shares for a reason. Seriously... 30MB emails are stupid. Use appropriate tools for different jobs.

Lol

[jayhawk88]

Of those, almost a sixth actually used P2P technologies from their work PCs.

In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

/Actually/?

[ivan256]

They say "actually" like it's so unbelievable.

I regularly use bittorrent to download work-related files at work. And it's not against IT policy at all. Imagine that.

Re:Lol

[QuantumRiff]

And what percentage of the people the called actually responded to the survey? I would kick my users if I found they took time out of the day to talk on the phone about how they break policy (and security) over the phone to a stranger doing a "survey".

Re:Lol

[thegrassyknowl]

In other news, one sixth of one third of all IT admins are stupid enough to not block P2P traffic on their networks.

It's quite hard to block p2p traffic explicitly while leaving other protocols open. P2P traffic moves in a number of arbitrary ports and uses a lot of protocols. New protocols are coming and going regularly. L7 packet filtering helps with the common protocols but if they are also using encryption you've got bugger all chance of blocking them totally.

I was playing cat and mouse for a while. Block Kazaa and they move to Emule. Block that and they move to torrent. Block that and they start using gnutella. The game goes on and on.

The only way I've found to reliably block all p2p and other things without major hassles in the firewall is to block everything, install a proxy server for HTTP, HTTPS and FTP and then only punch out ports from trusted machines and with good valid reasons from people (and a paper trail for those reasons). eg, the PBX can talk to our upstream SIP provider, the mail server can speak port 25 to the outside world but nobody else can and my desktop PC has rsync access to our ISPs file mirror.

I have procedures in place to get things like torrents because they occasionally have legitimate uses. I have one machine that only I have a user account on. If someone thinks a torrent is useful and related to work they can ask me to get that torrent for them. It keeps them from running clients on their own PCs and still allows them to get files if needed. Half the time they just want torrents of files like Linux distros that are available on our ISP's mirror at no data charge to us.

With all that security comes problems. The boss wants to violate his own Internet policy (bittorrent for movies and all that) and the new firewall stops him from doing it. He has a personal email account he insists on checking with pop3 but can't now because that's blocked. There are no end of complaints about how all these violating things that used to be possible now aren't. For many admins there is a lot of pressure from management to not block things because the managers want to have a free run. Not every IT person is gutsy enough to stand up and say "no fucking way".

Re:Lol

[vux984]

Not every IT person is gutsy enough to stand up and say "no fucking way".

Not every IT person should. IT is a service industry. They need to make sure they are providing the service that is actually desired.

Downloading torrents is a pig on bandwidth, but unless bandwidth is cramped. So what?

Downloading from external email accounts may carry greater virus risks, but they are going to pick up the messages when they get the laptop home anyway, so the machine comes in infected tomorrow instead of this afternoon. Or they'll pick it up through some webmail account somewhere that you haven't blocked. Or they'll hook up their laptop to their cellphone/pda.

Some IT departments should say "no fucking way". But in a lot of them IT is supposed to simply be providing a secure reliable functional network. That doesn't necessarily mean locking it it down so hard that its reliability reaches 5 9s, and its so secure even the users can't get in half the time, while functionality is at the bare minimum specified in an SLA, while IT pats itself on the back for a job well done.

Meanwhile half the staff have resorted to personal laptops/pdas and cellular data plans because they can't get email from important customers through the company mail server, and they can't access web content they need through the company network without jumping through stupid hoops each and every time... and IT just stands around saying "no fucking way".

For every PHB manager drawing up pointless re-org charts and misusing buzzwords, and marketing moron promsing perpetual motion machines and obsessing over what color they should be, there is an IT-admin somewhere very effectively ensuring his network is as hostile, unfriendly, and as unusable as possible to the people trying to use it.

Like I said, Some IT departments should say "no fucking way". Some environments and situations DO demand that. But many of them say that a hell of a lot more often than is remotely justifiable.

What they don't say

[kpainter]

There are a lot of really stupid IT policies out there that, in the name of security, in fact merely hinder getting work done. I am not talking about P2P. Giving a developer a workstation with a user account with no administrator privileges on Windows is among them.

Re:

[ruewan]

I agree with you totally. There have been so many times that stupid policies made it difficult for me to get my work done. It is often easier to find ways around the security than to go through the proper channels. I had to do that a lot in my last job.

Re:What they don't say

[moderatorrater]

What I've noticed more of is that there's the "Company IT Policy" (tm) and the actual acceptable use policy. On paper you're not allowed to put any personal files on the computer, browse any non-work-related sites, or use a messenger client. In reality, you can bring in your own music or any work-related programs as long as you take the flak for illegal things, browse sites but only for a reasonable amount of time, and the same for messenger.

Re:What they don't say

[Kjella]

It's really quite simple - a company is in it for the money. IT policies are there because they save money by not dealing with all sorts of crap. As long as you get your work done and don't create trouble for your coworkers, IT support, the legal department or anyone else most people are willing to overlook things. Note I said overlook, not back down. Don't challenge them or blatantly disregard them, or they have to come down hard on you to make sure everyone knows who has the final say. You have to convince them you're not what I'd call "dangerously competent" - skilled enough to mess around a lot, clueless enough to fuck it all up.

Re:

[CrazedWalrus]

That's the situation I'm in right now. IT Security where I work is very good at what they do, to the point of approaching "unplugged, in a box, encased in concrete, and in a locked vault" secure. Unfortunately, the machines are also about that useful.

Re:

[Some_Llama]

"Giving a developer a workstation with a user account with no administrator privileges on Windows is among them."

Why would you give a developer a domain system with administrative purposes?

Why not a domain system with a local account that has admin that he can use when testing.. or require development work to be done in a VM session where they control their own permissions?

Why subject the security of the whole network to one user's practices?

I don't want to have to continuously troubleshoot why a system is

The reason for IT policies

[EmbeddedJanitor]

I think it fair to say that IT policies are not there no be enforced all the time. They are there to give IT staff the tools to manage the system effectively and prevent excesses.

For example the last place I worked at, the official line was "no personal use" but it was deemed OK to download a few mp3s or a Fedora ISO image here and there, thansfer your photos to flickr etc, but they stomped down hard on the guy who used approx 1/3 of the network bandwidth to download DVDs for his home viewing (and to give t

Re:

[l0b0]

Even worse is that once you break one of the unreasonable policies (no admin logon on a developer machine, say), it's hard to keep any respect for the more reasonable ones. A bit of trust and leniency would go a long way toward respect. You could for example tell employees that they should avoid spending a lot of bandwidth during peak hours, and give people plenty warning if they're hogging all the gas.

Oh, and help them out a little by hinting about things like KeePass [keepass.info] for passwords, TrueCrypt [truecrypt.org] for sensitiv

Developers...

[Kazoo the Clown]

The problem is, companies are cheap. Developers should have their own network that they can do whatever they bloody like with (IT dept. hands-off), and it should be isolated from the corporate network. But that means they need two machines, one with their corp email & IM and office tools & the like, and one that they actually develop on in their own sandbox...

Re:

[Tony Hoyle]

nd I have to deal with retards whining about "WHY IS MY COMPUTER SLOW?" and have to spend 5 hours cleaning up MyWebSearchToolbar, New.Net and fuck all else...

No you don't.. we had a standing rule - fuck up your computer and we'll reimage it for you (takes about 5 minutes in norton ghost) and give it you back. Had work on it? Your fault for not making backups.

We actually had to do this about twice.. after that they learned.

Re:

[Stamen]

It all depends on what kind of developer one is. If your doing Windows desktop development, not giving the developer Admin rights to their machine is more than silly. As in the real world, you have to have that in Windows to do most anything. Frankly, that's a question I would ask if I were interviewing for a job, and if I didn't have full control over my development workstation and development servers, I wouldn't take the job, period; I'm not interesting in being non-productive, or working in a dev team

Re:

[Rakishi]

Oh? Every dev at my company, thousands of them, has admin/root access to their machines and dev servers (su to be exact for the servers). There are very few problems and everything works quite nicely.

I guess my company not hiring $5/hour retards who dropped out of middle school to do their dev work may explain why there are so few problems.

When Policies are set by PHB's and you need to by.

[Joe The Dragon]

When Policies are set by PHB's and you need to bypass them to get work done then that is something that should be fixed. Also another thing is password rules that make people write there pass word down on paper are worse then passwords that don't have as many limits on them.

Re:When Policies are set by PHB's and you need to

[Gibble]

Pick something you can remember. The simplest way to have mixed case, alpha numeric password with punctuation, is a sentence that you can remember. "Today, a coffee cost $1.99 + TAX!" Secure, simple to remember, and passes all the validation you want to throw at it.

Re:

[Joe The Dragon]

And what about the rules saying that you have to change your pass word and you can't use part of your last few passwords.

Re:

[Some_Llama]

"And what about the rules saying that you have to change your pass word and you can't use part of your last few passwords."

typically to stop people from using "password1, password12, password123" or "password1, password2, password3"?

Re:When Policies are set by PHB's and you need to

[Otter]

"Today, a coffee cost $1.99 + TAX!"

And is that the phrase for the for the dental plan password, the diversity training registration password, or the office supply purchasing password? Or an older phrase for one of them, as each one needs to be changed (out of sync!) 6 times a year.

Re:

[Gibble]

You can't remember more than one password? And honestly, isn't it easier to remember several phrase than several cryptic password like "41!ap*17ARK"?

I'm just suggesting, a simple solution to strong passwords that are also easy to remember.

As a side note, if there are three systems, keep the passwords the same, while they may get out of sync, you should only need to remember a couple at a time.

If IT hasn't bothered to integrate the systems to use a single login, they aren't going to bother checking that eac

Re:

[CBravo]

Oh come on. I have to type it every 20 minutes because I cannot get putty to save things in the registry to aid automated login. I keep it short and stupid, like the security regime.

Passwords like ASDF12#$ and Welcome22@@ are easy on my wrists.

Re:When Policies are set by PHB's and you need to

[dbIII]

Some people forget their username even if it is their first name a space and their surname. You really can't blame password policy on the people that write it down, in these days of ATM cards people should be able to remember short passwords. What annoys me the most in this area is people that choose long complex passwords and stick a bit of paper with that password to their laptop.

Unreasonable Policies

[bazald]

Some policies just aren't reasonable or well thought out. This article is clearly blowing the issue out of perspective by not separating out different behaviors.

Checking personal e-mail from a work computer-- 73% of those who have done this at work believe it is not risky, despite the fact that they could unknowingly download a virus that infects the corporate network.

Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.

Re:

[Maxo-Texas]

Virus's through Outlook in the last 5 years: over 20 (including 7 PDF's this week)
Virus's successfully deployed to my desktop over the last 5 years: 3 (apparently from laptops plugged into the network without being scanned). The PDF's would have deployed if I had been not been suspicous of getting a PDF from a stranger.
Virus's through hotmail in the last 7 years: 0
Virus's through gmail in the last 2 years: 0
Virus's through through Yahoo in the last 3 years: 0

---
Documents that were not documents BLOCKED by c

Re:

[Kjella]

Personally I think that one has about 99% to do with employees wasting time and 1% with to do with security. Most serious companies I know have a virus scanner running on downloaded files, which I assume is the same one running on e-mail attachments. It's just part of my job to download executables from time to time, and usually I'm allowed to even from companies blocking webmail...

Re:

[UdoKeir]

A friend of mine who worked for a major bank had webmail blocked by her IT dept. They claimed it was for Y2K reasons. I couldn't begin to explain what was wrong with that excuse.

My company's IT dept blocks HTML attachments in email to "prevent viruses". They appear ignorant of the fact that email can be formatted with HTML, or indeed that I have a little program on my desktop designed specifically for downloading HTML files direct from the web.

Re:

[WK2]

Some policies just aren't reasonable or well thought out.

Exactly. Most corporate policy lists are like U.S. laws. Excessively numerous and impossible to follow. If you tried, you might get fired not completing your work at the speed of your co-workers. When I was young and naive, a manager actually told me that I can't follow all the policies, and that I just had to do my best to obey what I could, and not get caught for the rest.

I've heard it said that corporate policy exists so that management can poi

Re:

[Bryansix]

Wow, really? I'll stick to those corporate virus-free e-mail accounts from now on. Are they also completely free of spam? That would be nice too.

Actually the email at the corporation I work at is. We run a Barracuda Spam Firewall in front of the email servers and nothing comes in without going through it. I tweaked the settings in the thing and now it filters out 75% of all email coming in. This doesn't take into account the emails the server never sees because it drops connections that are spamming it t

Re:

[WombatDeath]

My old employer "mandated" (poorly) the use of the corporate logo as desktop wallpaper. That's the sort of policy I'll cheerfully bypass with a great big grin on my face.

And then there is 1/3 ordered to violate..

[Maxo-Texas]

by executives to make unrealistic deadlines which they decided without IT input.

I think it's more like...

[kabocox]

I think it's more like 1 out of 100 of employees actually obey company IT policies. The more management or IT that you are the more that you are liable to freely break IT policies as well.

Re:

[tftp]

The sad part is that this one employee who does not do anything bad probably does not do anything good either. It is a completely bland person with no interests, no curiosity, and who is even afraid to do something minor and be responsible for that. This is the kind of person who warms his chair for 40 hours per week and collects a paycheck. There is place for those people - a security guard maybe, or a help desk operator, but not in positions that require open mind and power to make decisions.

It's a cat and mouse game with IT

[rrohbeck]

Blacklists=>Proxies
Traffic filters=>TOR
etc. etc.

But the real problems are still caused by moron employees who double click on an attachment they got via email. Just happened again last week. The problem isn't people who don't adhere to policies, it's employees who don't have a clue.

And what's wrong with reading Slashdot while you're slacking off with a coffee for a couple of minutes? I'd consider an employer a slave driver if they have a problem with that.

So much not said

[frovingslosh]

I would find it more interesting to know what policies are being broken, and what percentage of those are either extremely lame or actually downright dangerous to the company (I have a friend who is required to use IE and Outlook for example).

Hell, most companies aren't concerned...

[msauve]

with the privacy of their employees. Case in point, mine provides my Social Security number to third parties, against my express direction, with absolutely no business need, and in direct violation of their own written privacy policy.

Where I work...

[Toreo asesino]

...there's a very relaxed IT policy.

Browse whenever you want, take whatever software you want home, check your email if you want, everyone's their own local admin, no audits.

However, if you get caught with illegal software, miss a deadline because of blatant time-wasting, then you get fired (for continuous abuse). People work not because of policy, but because they want to do well and enjoy what they're doing.

I happen to also work in one of the biggest names in IT too....not some small company. The policy works very well, as is evident from the company's success and the fact people rarely leave. That and brain-implants, anyhow.

Leverage

[Jonny 290]

In my experience, the "IT policies" of a company are generally so restrictively worded that they'll catch almost any individual at some point in time for a "policy violation." They are rarely enforced as a matter of practice or true benefit to the company's security and IT performance, but provide excellent leverage against employees who are under the hot lights for unfireable offenses. Simply whip out that pattern of browsing Myspace, whip out the IT policy, and have them sign their resignation letter righ

Bing... Bing... Bing...

[Belial6]

And that is the answer that most people miss. I would say that frequently, even if an employee wanted to follow policy, they could not because their jobs actually require them to violate the policies.

This is not limited to IT policy though. At 2 of the last 3 jobs my wife had, she would be told by her manager that they didn't care how she got a new copy of documents dated three days early, but that she better do it. It was obviously an instruction to not only violate policy, but the law. Of course th

Re:

[Mattintosh]

For your wife, the correct answer is:

"I won't lie to you, but I also won't lie for you. I will not violate company policy. I will not violate the law. And, no, I will not resign."

The manger, and possibly the entire company, is up the proverbial creek if your wife is let go for that statement and the stand it represents. Plus, you'd have grounds for a lawsuit. It's called "wrongful termination" in most places, and there are several variants of it. In this case, it would probably hinge on either the policy vi

How is it so "risky"

[webmaster404]

How is checking your e-mail, downloading software or using P2P software "risky"? The number 1 rule for all corporate networks is that you lock down your network, at home the most someone could really do is install a bot and make you send out spam messages. At work, your machine should at least have a network-wide firewall, up-to-date antivirus if its a Windows machine, and an under-privileged account if its Windows or Linux. But if everyone switched to Linux, none of it would really be a problem. But seriou

This is bad for a surprising reason

[zappepcs]

It is bad, first because as mentioned, that number is low. Second because they violate them because they CAN. IT security is nearly as futile as the war on drugs. Its current incarnation does nothing to reduce the demand, nor does it adequately address the problem.

In the workplace, the employer (owner of the IT infrastructure) has a duty to inform employees how the tool(s) are to be used and what is mis-use. Additionally, the stick and carrot method is not appropriate. If you catch your child using your fav

Firefox violated IT Policies

[hansamurai]

Two years ago I received an email from IT informing me that I was using the application Firefox and that a "major security vulnerability" had been discovered. They told me I had to use Internet Explorer as it was "much more secure".

Whether or not IE was actually more secure on our network isn't really the point, but I still had a great laugh out of it. I simply updated Firefox and that took care of that, never heard from them again about it.

Skewed sample

[DoofusOfDeath]

Shouldn't the headline be (in fewer words):

"Consider the employees stupid enough about security that they describe, to a stranger on the phone, the ways that they make their company networks less secure. 1/3 of them also violate corporate IT policy."

The real WTF is that *anyone* answered those questions on the phone.

So,

[no-body]

what is wrong here? Rules or people?

Whenever rules are broken, something of the two is off.

Remedies are not always adequate and can lead to more trouble.

Re:

[webmaster404]

Generally its the rules, sure you should be able to block "inappropriate" sites, but theres no need to block "time wasting" sites such as Myspace, Facebook, Digg, Slashdot or YouTube. If an employee can finish their work in 3 hours and no one can give him/her more work for say an hour, theres nothing wrong with them watching a few Youtube movies. The fact is most of these "content filters" end up being more harm then good because most of the IT staff doesn't even know how they work. And all it does is annoy

policy?

[bigdavex]

I'm not supposed to post on internet forums.

"That's your job..."

[B5_geek]

One of the places that I worked as a contractor was rife with this type of abuse. I mentioned to one of the users that they were the cause of the problems; the response staggered me;

"Its your job to keep the computers safe, not mine."

Alas logic held no sway on their minds.

Re:

[rossz]

The user is absolutely 100% correct. Keep in mind this same person jumps in his car, hauls ass down the freeway at 90 MPH yapping on a cell phone, sipping his coffee, completely oblivious to his surroundings. Do you really expect that person to follow "policy" when he has already shown a complete disregard for the law and common safety principles?

No, you can't shoot him in the head with a shotgun. The momentary feeling of satisfaction is followed by a serious downside.

Re:

[AceCaseOR]

No, you can't shoot him in the head with a shotgun. The momentary feeling of satisfaction is followed by a serious downside.

Of course you can't. Why would you want to anyway? That's so easily tracible. What you do is put them in dummy mode, and then have them check the voltage on their power outlet using a pair of paper clips (among many other means of removing security risks against the system. What's that, you ask? You might get arrested for this too? Of course not, it's a matter of national security! If users can be permitted to let viruses and spyware run on their systems, possibly turning the entire company network into a

Re:

[Actually, I do RTFA]

Its your job to keep the computers safe, not mine.

That is true, it is your job not his. Like a mother's (typical gender role assignment coming up) job is to take care of a child. So when the child is playing in the street, she drags him inside and punishes him.

So, keep the computers safe. He requested that you protect his web access with a whitelist and make him come to you everytime he wanted to open an e-mail attachment. Or that he not have the ability to change the C: drive (there is some software

Less legal mumbo-jumbo in employee agreements

[failedlogic]

I recall before a lot of companies had terms of network use, a few employees where I worked had been downloading games from warez servers because the company network was significantly faster than anything available at the time. I knew even the network admin was violating this. I very much felt like reporting it, but as an entry-level employee on their first job, 1) I would feel guilty with getting someone fired; 2) I didn't feel like testing management by reporting this and see myself get fired; 3) I didn't really understand the policy and didn't know what to do.

I'll make clear that I wouldn't let this go today.

My point in all this is, some people starting at the company may be aware of activities the admins themselves or other staff are performing which management may not be. My first job was relatively simple and well paid, I have had no beefs with the company. But our Acceptable-use policy book was some 20-30 pages long. This was about 10 years ago. I would rather have had a 1 page document, sign at bottom: I will not download virsues or warez, share company information or NDAs to outsiders, etc on company time. If I know another employee is doing so, please report anonymously to. Violators will be disciplined or fired.

Really, does it really need to be any longer than this or more complicated? It simplifies reporting and makes the issue and repercussions clear. Get the 20 page document too if you must. But the one-pager should be clear to *all* employees regardless of law degree. But help make it clear too, that if you mistype a domain and get a porn site, you shouldn't have to hide it and feel like someone is about to can you (e.g. whitehouse.com vs whitehouse.gov).

Talking to an stranger on the phone about security

[joeflies]

Seems like a violation of security policy to take an unsolicited call asking questions about security for a purported "Survey". Did any participant actually check the credentials of the person conducting the survey before giving answers about the security of their enterprise?

So anyone who answers to the survey (not just the 1/3 who said yes) is in violation of policy.

slashdot

[antdude]

Hmm, I think reading /. violates my employer's IT Policies. :P

100%

[sw155kn1f3]

100% breaking IT policy is more accurate estimate ;-)
Never set stupid policy and none want to break it!

P2P is OK

[c_g_hills]

I am not sure what is wrong with P2P. I use it to distribute the VMware images on my site with the blessing of my employer, since it actually saves bandwidth.

There are rules and there are RULES

[davidwr]

There are rules, like the 70mph speed limit or no surfing Slashdot, which are usually ignored unless someone needs a reason to fire you.

Then there are RULES, like not killing people and not using office computers to plot the overthrow of corporate executives, that will get you fired no matter what.

Most people are smart enough to know rules from RULES. Those that don't get the corporate Darwin award.

Only a third?

[Toonol]

I would have thought it was much higher. IT policies everywhere I've seen are regarded like speeding limits; absolutely meaningless, except when somebody official is watching you.

The typical response by IT is to make the policies more restrictive and impractical, which, of course, makes adherence to them even less likely.

What about IT staff...

[rongage]

And in other news

And while they won't admit it, 74% of all IT staff routinely violate the rules they force the rest of the staff to live under

Not that I would do such a thing, but....I've heard stories... :)

Let people browse!

[$criptah]

If you are reading this thread at work, you're probably violating the policy as well. Has anybody actually read the employee handbooks given out on your first day of work? I have never worked for a company where IT stuff did not violate policies to a greater degree. Sure, soccer mom / accountant Jane may look at the news site or shop at gap.com during work hours, but Billy, the director or IT, can run as many P2P applications from the QA lab. I have constantly heard IT engineers bragging about yet another wonderful Quake 3 lunch. It is nothing wrong to have some fun at work, but ordering extra-beefy hardware only for specific individuals so they can play Quake may not sit right with a CFO. What about all that licensed software that magically ends up being installed at home? The about box reads that it is licensed to Some Company while it is being used for personal purposes. Things like this happen all the time. Hell, I had a co-worker who did not mind browsing pr0n and personals online at work. He even bragged about it. Noticed how I stated things in the past tense :) Stupid policies make people break the laws. Just like teenagers love liquoring up despite the fact that it is illegal, white collar professionals like their news sites and forums. There is nothing you can do about it. In fact, if I were a boss, I would encourage people to relax and take breaks once in a while. I seriously see no harm if Johnny-work-all-night-to-meet-deadline takes 10 minutes and reads his Slashdot. As long as work is getting done, who gives a shit about what people do when they have a spare minute.

Simple Solution

[PPH]

Back when I worked for an outfit that had a real constricted sphincter IT policy, the solution was simple: telecommute.

The company imposed some really screwed up policies on desktop configuration but they had a liberal telecommuting policy. So everyone did their serious work at home. They shoved their (IT mandated) Windows systems aside, used Linux and other FOSS applications, surfed the web, downloaded tunes, played WoW or whatever. As long as they got their work done, management was happy.

Strangely enough, the company was also heavily into a process standardization kick. I don;t think they ever confronted the fact that the work that was getting done could never have been accomplished with the 'IT Standard' tool suite. Too bad. A more open policy at work would allow them to capture best practices.

Re:

[Pojut]

Kilgore Trout, is that patRIOTically you?

Re:most employees...

[ivan256]

I've actually tried this little social experiment.

I run the network for my mother's company for free, so I'm allowed whatever liberties I'd like in deciding policy instead of having it dictated by a boss. They've got over 20 machines, and they aren't formally assigned, so if one goes down it's not the end of the world, the employee can use one at another desk for awhile. Usually they use the same one every day though.

The experiment was this:

Four new employees. Four new Windows XP Professional PCs. All use Firefox for a browser and Thunderbird for e-mail, along with the proprietary manufacturing/sales app that they run their business with. Two machines got Symantec anti-virus, and the other two got no anti-virus. They were told that since we don't have a copy for that machine, they'll just have to be extra careful about what documents they open, and how they use their e-mail. (We really were out of licenses/subscriptions, which is how this started)

After three months, both of the AV-free PCs were completely fine, and one of the machines that had the anti-virus was running a botnet spammer (the outgoing spam was being blocked by the firewall). The most amazing bit though, was that the fear of not having anti-virus protection had stopped users of those two machines from doing most of the non-viral bad stuff that average windows users do. There was no proliferation of toolbars, no weatherbug.... They didn't even have realPlayer.

It's amazing what a false sense of security people get from running anti-virus software. They don't even realize that they still have to be careful because 0-day threats aren't in the latest virus definitions yet. They think they can do whatever they want, because they are protected.

The whole company has since gone anti-virus free on the desktop, and problem reports and performance complaints have dropped way down. Education and a healthy dose of respect for the evils of the world work better than any anti-virus on the market. And the cost savings are nice too.

(There is still some basic protection in place. All internet access is through a secured web proxy. Non-http traffic isn't allowed. Intrusion detection on the firewall, etc... And the servers are still scanned, AVG on the windows servers, chkrootkit on the linux servers.)

Re:most employees...

[ivan256]

You really have no grasp on reality, do you?

You think virus protection protects your net work? You missed the entire point. Then you followed it up with a broken car analogy.

Perhaps you should try understanding what you do for a living instead of doing whatever some book and a whole bunch of marketing literature told you to do.

I check in on my machines and make sure they are working. I protect my networks, and make sure that if they *do* get infected they're not going to infect *your* network.

Judging by your comment, on the other hand, you merely install security-blanket style security software on your systems and think that makes you "responsible".

Users have no remorse because they are given zero responsibility. Why should they care if they fuck up your machines? You secured them. They're protected. They're both "safe" because of the protections, and completely disallowed from making any responsible decisions about their own machines, so they take zero responsibility.

You, sir, are the cause of your own user-troubles.

Re:

[King_TJ]

Yep! I've always done system administration from the viewpoint that the computers are there as TOOLS for everyone to use. By the very nature of computing, you can't expect to make almost any specific, hard and fast rules that cover all scenarios. It's a constantly moving, evolving target.

You block a range of ports on the firewall because "bad app X uses them, and we don't want bad app X running!"? Next thing you know, it breaks 3 other legitimate apps people need to be more efficient in the workplace.

Yo

Re:

[Jhon]

If my installing linux or using an "unapproved" email client upsets someone in IT, that's because THEY are in the wrong not me.

There are countless examples available, but lets just focus on one you provided: your 'unapproved' email client.

*YOU* are in the wrong. This is true if *YOU* are not paying for the hardware. This is true if you do not pay the support staff. It is not up to an employee to dictate what services a companies IT department will support -- that's up to management (hopefully with IT

Re:

[teasea]

I'm of a mind that bureaucracy only functions when the majority find ways to circumvent it. Dumbing down computer usage to the lowest common denominator of mindless users is seen by most as an annoyance to be worked around. Though of course, this leads to the cycle of those finding ways around stricter and stricter policies which slows real work and communication to a crawl.

Some policies make sense. Others... not so much. Reading web mail? Not a big deal. Clicking on the 'You've received a card link?' 'e

Re:

[Jhon]

Actually, no. The 'suits' are quite used to outlook and have no problems with it at all. My guys rarely get calls from anyone but fresh meat (new suit's new position). Most of the 'staff' use an internal company webmail client -- nothing to set up for them. Just click the icon on the desktop and enter username/password.

In 8 years, I've had ONE suit give my staff problems outlook -- and it was a new AR exec who had zero experience in AR *AND*, quite frankly, I believe never used a computer in their life.

Re:

[QuasiEvil]

We have such policies, too, but ours is "reasonable personal use is permitted", provided it doesn't interfere with your job performance, network security, etc. Basically I keep an SSH session open to home all day and check my mail every hour or two, pay bills over lunch, etc. Oh yeah, and Slashdot...