What better time to release a blog-inspiring IT security article in the Wall Street Journal than when half the crowd is in Vegas for the week? Yes, the WSJ posted 10 Things Your IT Department Won’t Tell You, which really should be reworded, 10 Ways to Circumvent Your IT Department’s Restrictions. Here are some notes of mine on the article as a whole.
A. The author needs to stress further that employees should look at their corporate policies and talk to their IT staff. Sometimes it just takes user interest to get management to look at legit technological solutions to the below problems, not workers sneaking around. I wonder if the WSJ wouldn’t mind if its editors sent all their email to a third party service or stored their files online? It would just be nice if the author had constantly (or at least at the beginning) reminded readers that while this is all in good fun, they can be crossing policy lines.
B. The author implies, or rather nearly flat-out states, that these items are part of a rather strict and unfriendly IT security stance. This is really not so. Some things like blocking certain websites are done almost as much for saving bandwidth costs as anything, or to prevent such things as porn viewing which can create a hostile work environment. Other things like email size requirements can be an external limitation by the Internet infrastructure at large (i.e. your target’s mail servers). Likewise, storage is cheap, but try telling that to senior management when the Exchange servers start complaining and buckling and backups take too long. Alleviating that means spending money. And often management figures that money is better saved and file sizes remain reasonable. IT security is not the only force here, but rather simple economics in the IT world. Really, often it comes down to treating everyone equally and costs.
C. Contrary to what every non-IT person seems to think, IT pros do not know everything or every piece of software. Limitations are often made so that we have a finite job description. Supporting every piece of software that even 50 users can install is frustrating and a drain on company money.
D. I don’t like the feeling that the author’s Risks sections are skewed to the POV of the user, and not the business as a whole and how dangerous some of these practices may be. Some are properly framed while others are not.
E. That all said, I think this is an important article. It illustrates the common pains our users (and we as well!!) have when it comes to the convergence of work, culture, technology, and social lives. Each of these pain points should be fixed by IT, or at least the policy behind them transparent to the constituents. Each of these should also be examined to see if, instead of benefiting the company and our employees as people, we’re holding them back and trying in vain to stem the tides of culture and progress.
1. HOW TO SEND GIANT FILES – How many companies really do need to send giant files and don’t have any sort of FTP/SFTP infrastructure? No, your baby pictures in bitmap format and 10 times as big as modern monitor resolutions do not count as a business case. I am saddened to see the author tell users to look for the IE lock symbol as reassurance of validity, and that a Verisign logo further ensures the identity of the site. No, that’s not enough, sorry. Oh, and if an Adobe exec runs it, it is less likely to have security holes. Say what? Anyway, IT does need a plan for transferring large files anyway, so get one. Everyone, and I mean everyone, hits the attachment max at some point. Hell, even Gmail has a max; live with it.
2. HOW TO USE SOFTWARE THAT YOUR COMPANY WON’T LET YOU DOWNLOAD – This one really peeves me, because I’ve too often seen a) malware enter because someone wanted certain software, b) computers become unusable due to crappy software or incompatibilities with business software, and c) frustrated users who then frustrate IT because they MUST have some backwater POS software installed or they will quit, or something equally outlandish. The bane of all IT is having to support everyone’s crap. Yes, I’m jaded on this point, but there is usually a process of requesting and approving software for use in the business. Good IT will log all executed software, and query on why they were run. And be aware of your company size. Small companies can likely get more software approved, but large or medium companies just cannot scale IT to support every little thing.
3. HOW TO VISIT THE WEB SITES YOUR COMPANY BLOCKS – First, web-based email is not innocuous. Second, if your company blocks these sites actively, your proxy calls will likely be logged as well. If you need a site opened up or something, ask your manager, HR, or IT. If it is Final Four season and you can’t stream the first round games, well, sorry, but we can’t bring the internet access to a crawl just to see a 15 seed get crushed by a 2 seed in a game that will be played regardless if you are watching or not. And no, you can’t connect to GoToMyPC.
4. HOW TO CLEAR YOUR TRACKS ON YOUR WORK LAPTOP – I really like the author saying, “…don’t use your work computer to do anything you wouldn’t want your boss to know about.” That’s it in a nutshell right there; that should be everyone’s personal policy.
5. HOW TO SEARCH FOR YOUR WORK DOCUMENTS FROM HOME – Ugh. Don’t ask your IT admin to help you set up Google Desktop. Bad. Ask how you can get set up with a VPN connection from home that is secure and allows you access to your computer or a file store. The author stupidly says three things that he/she should have put together. “…top-secret financial information…” and “…search company keeps a copy of your documents on its own server…” and “…myriad state laws regulate how a company has to react when it loses private information…” If you play the “duh” game, you see that you might have to provide some answers why you are allowing top secret, possibly regulated, information to be stored on third-party servers. Good job.
6. HOW TO STORE WORK FILES ONLINE – Like web-based email services, thinking too much about this problem creates ulcers. Yes, I’d like to encourage my users to store their files on third party services, because then they can store megs and gigs of company data out there, then quit (or god forbid get fired), and leave the company with absolutely no means to recover, inventory, or secure that data. Brilliant. These services should be stopped via web filters and software install restrictions, let alone via policy. Oh, and kudos to the author to recommend USB and other portable devices in item #2, then calling them cumbersome in this one.
7. HOW TO KEEP YOUR PRIVACY WHEN USING WEB EMAIL – These “nifty tricks” can spell doom for compliance, if that is your company’s game. Tracking this stuff is such a grey area it’s sick. Honestly, I don’t like my stuff logged for perusal by my manager or HR; I really am part of the generation whose social lives tend to revolve around electronic means. But I do prefer to have things logged just in case, from both my personal POV and from the company POV. We need to make sure our processes and actions are transparent so that employees don’t think we’re reading their IM/email logs to get juicy gossip details. Chances are not good for that happening, sadly.
8. HOW TO ACCESS YOUR WORK EMAIL REMOTELY WHEN YOUR COMPANY WON’T SPRING FOR A BLACKBERRY – Another ulcer about data free-flowing out the company door, but at least the author implores readers to talk to IT.
9. HOW TO ACCESS YOUR PERSONAL EMAIL ON YOUR BLACKBERRY – I don’t see a huge problem with this, until you a) run that attachment…oops, that was a virus and screw things u, b) can’t get it to work and ask IT in which case we’ll tell you no and watch you closer, or c) email that really important client from…oops, your personal email hotjerkyboy69foru from hotmail. Explain that to your boss…
The last one is just a light-hearted gimme; a lame contrivance of journalistic levity.
In the end, all of this comes down to a few protections by IT that can make a lot of these issues be blocked properly:
i. software restrictions based on policy and technology, including executable logging
ii. web filtering, or at least logging if not outright blocking
iii. data privacy/sensitivity training and strict adherence to least privilege access rights, better yet, full logging of all data downloaded/viewed, but good luck with that
iv. work with your users to overcome these challenges and find a happy middle ground