352 Comments
- BullHunter, on 10/28/2008, -2/+143 People will only follow rules they respect (or understand - same thing)
- Ghostalker, on 10/29/2008, -2/+107 As a member of the IT field I'd have to agree that the policies are unfair. The security of the network takes precedence over the duties of the people doing their job on the network. It's a tough balance to reach, compounded by the fact that the industry is flooded with incompetent network engineers who don't configure their network hardware; just plug it in right out of the box under the impression it will "learn what to do".
- manstein01, on 10/29/2008, -2/+85 Really depends on the policy. But to blame IT departments is ridiculous. That Network Admin is, 90% of the time, ENFORCING a policy, not creating it. Management creates policies.
- kevincw01, on 10/29/2008, -0/+75 option 3: measure employee performance. Cheaper and easier.
- galv0, on 10/29/2008, -2/+66 I work in the IT department of a Fortune 500 company, and I must say, 80% of the users I support are complete morons when it comes to using a computer.
Unfair policies? Like what? "I want my personal ______ installed." Of course we're not going to go installing any old piece of hardware or software. We have builds that we deploy to PCs that have been tested, managed, and standardized. Once people break free from standardization, the ***** hits the fan. We're not preventing you from doing your work, we're preventing you from ***** up our computers (which leads to more work for us and more down time for you).
Users -_-
- uknowwhoibe, on 10/29/2008, -0/+45 Actual examples would be nice FTA. Very vaguely written articles naming blanket statistics make me sad...I wanted some real info.
- Khanvalescent, on 10/29/2008, -1/+40 Google cache was my savior.
- RyeBrye, on 10/29/2008, -2/+34 option 4: hire people who give a ***** about what they do.
- Screwy1138, on 10/29/2008, -1/+31 Forcing the change of passwords also introduces security risks. People are forced to choose easier to remember passwords, and sometimes, write them down.
There are plenty of security experts that recommend long password-change timing (such as annually).
- 955701, on 10/29/2008, -2/+31 I disagree. People will follow rules which align with their needs.
Imagine your rule is a sidewalk running perpendicular to the direction you want to go. It's not that you don't respect the sidewalk, it simply doesn't go where you are going. If you align the sidewalk, people will follow.
- thelizardreborn, on 10/29/2008, -1/+28 Depends on the company. I want my bank to put security first, even if it means what was a five minute job now takes half an hour.
On the other hand, if your company produces something, there will be little sensitive data to protect. Put HR on a separate network if necessary to protect employees' confidential info.
- davewashere, on 10/29/2008, -3/+29 Wait a second, you don't block everything AOL-related from your network? That's a poor policy right there.
- superkendall, on 10/29/2008, -3/+29 If the security of the network takes precedence over the working of the company, your preferences are wrong (for the company).
Instead figure out how best to secure what people are doing.
Does the company exist to have a secure network, or to GET WORK DONE?
- granolajoe, on 10/29/2008, -0/+26 Thank you. Finally, someone understands reality!
- sjbdallas, on 10/29/2008, -29/+54 Break the policies all you want. What we need is a "wall of shame" to post the names and pictures of all those smart secretaries, salesmen, etc. who think that policies don't apply to them. That way when their computer takes down the network because of a virus they downloaded from AOL everyone will know who was incapable of playing by the rules.
The weak point in IT security today is the end user. Hackers know that, industrial espionage spies know that, and virus writers know that.
- Juaquin, on 10/29/2008, -0/+24 In other words, 80% of employees are pissed they can't see youtube at work.
- GarrettGrimsley, on 10/29/2008, -0/+23 The new study indicates that users frequently download unauthorized data and applications to their work machines for personal use. About 80 percent of employees use their company-issued PCs for personal email, and about half use their work PCs for personal Web research and online banking.
More than half of end users have changed the security settings on their company-issued laptop to view restricted Websites, even though they knew it was against company policy. About 35 percent say it is "none of the company's business" if they have changed the security settings on their computer, the study says.
That doesn't really sound like it is to get their jobs done.
- Brian48216, on 10/29/2008, -1/+22 IBM actually doesn't block ANYTHING.
Nor do they monitor your habits. It's too resource intensive and a waste of time. Yet they seem to be faring reasonably well. Coincidence?
- kevincw01, on 10/29/2008, -3/+22 new add-on tries to get you to encrypt your usb thumb drive every time you plug it in. Doesn't work on unix, linux, or any of the embedded computers in the lab. If you stop the windows service (if you have admin on your pc), it will deny you from accessing your thumb drive altogether. If I uninstall it, it gets reinstalled within 24 hours....WTF
- meruru, on 10/29/2008, -1/+19 Ours is even better, every 30 days and you can't re-use the same password (or substring so no adding numbers onto old passwords) for 5 years.
- NightEmber79, on 10/29/2008, -0/+17 When you say "policies" you mean the fallout from Sarbanes-Oxley. The sheer amount of paperwork and auditors you have to keep and employ is ridiculous. That being said, you need to have SOX because the greedy and lazy children that tend to run the finance areas can't keep their hands out of the cookie jar and can't clean up after themselves. You want to blame someone for about 90% of this? Blame Enron and Ken Lay. May he have to follow SOX policies in hell! ;)
- Revenuer, on 10/29/2008, -0/+16 Access Restricted!
Access to this site is restricted. Your activity has been logged. Further attempts to access restricted content will result in an automatic notification to your local school administration.
Your Login ID: XXXXX
Reason Restricted: The Websense category "Uncategorized" is filtered.
- mova, on 10/29/2008, -7/+23 What a great way to enforce policies, scare employees. I am sure that will increase morale.
- MrBabyManSTFU, on 10/29/2008, -0/+15 Yes, SOX Compliance is a major pain in the balls.
- SuperVepr308, on 10/29/2008, -1/+15 I have worked in I/T for 15 years and, yes, security policies are usually overbearing and unfair. Still, when the corporate leaders want it that way, we give it to them. I came to peace with this many years ago when I realized it's THEIR network not mine. They just pay me to manage it.
- Ju1c3, on 10/29/2008, -0/+14 people are idiots. that's why these rules have been placed.
I.E. when people click something says "click here you are infected" or "click here you won 1 bagillion dollars"
sure you think the IT guy is being a dick, but he is most likely salary, and you not following the rules is going to cause him to have to stay all weekend fixing your screw-up because you thought you in fact did win, 1 bagillion dollars.
his pay is not in relation to your brain function level.
- maxlightz, on 10/29/2008, -1/+14 Sorry, but you'll need to open a helpdesk ticket before you can Digg this article ...
- mpdono, on 10/29/2008, -0/+13 At my company, if you hit the "more information" link on a websense block page, the websense information page is blocked by websense!
- RealmDown, on 10/29/2008, -0/+13 Bad idea. VERY often this leads to passwords being written down constantly.
If it has to be this bad, just go RSA.
- granolajoe, on 10/29/2008, -20/+32 Some policies can be ridiculous. At my work, we are prompted every 60 days or so to change passwords. Over and over again, you must change your password.
About 1 1/2 years ago, I was on good terms with one of the guys in the IT department and I asked him if he could remove the prompt and let me choose a permanent password, which he did. I chose a very difficult password, and no incidents occurred during that entire time.
Unfortunately, about a week ago, I got a call from the guy who replaced him, asking me to change it, because he noticed it hadn't been changed in a long time. For what purpose? There's no harm caused by such a trivial detail. It's simply done out of sheer routine, and the excuse is usually "for security purposes."
- GarrettGrimsley, on 10/29/2008, -0/+12 You shouldn't "wright" passwords down.
- MrBabyManSTFU, on 10/29/2008, -0/+12 It's also not personal when he gets tired of you ***** and turns your activity logs over to management.
- beccabob, on 10/29/2008, -0/+11 The problem with setting up pornhub.com or something like it as a home page is that guaranteed an employee will file a sexual harassment suit because of it. By allowing someone to set their home page to that, it would create a "hostile work environment". Therefore, it does not matter how productive an employee is, the company has to protect itself against such lawsuits.
- frequentFlyer, on 10/29/2008, -4/+15 We are just covering our asses. It's better to err on the side of caution, and it's not personal.
- SirTwitchALot, on 10/29/2008, -3/+14 The reason for password changes is simple. If the hash of your password is compromised, it takes time to brute force it. Requiring regular password changes reduces the likelihood of such an attack.
That said, if your password change policy requires changes, but allows too much password reuse, you're mitigating any benefit gained.
- 3Den, on 10/29/2008, -0/+11 Nothing you just mentioned has much to do with security policies.
It is not generally IT's job to make sure workers are productive or staying on-task - that is their line manager's job.
Good security policy takes into account what behavior people will actually exhibit, rather than a theoretical model that only works in a textbook.
- BoneheadFarker, on 10/29/2008, -0/+11 From my experience:
Security policy is created.
Users find security policy stops them from doing their job.
Users complain to network admin, network admin explain security policy to them.
Users get warning from their manager that they need to get the job done.
Frustrated over the situation and having to decide between breaking the security or letting timelines slide as they fight with the network admin, they say "***** it" and get the job done.
Network admin reports the users, managers talk to them, users explain their side, manager agrees with them but reminds them that they need to follow the security policy.
Rinse and repeat.
The fact that the security policy doesn't actually prevent unapproved activities but does hinder performance never once enters the minds of the network admin or managers. And in the minds of the users, it's better to ask for forgiveness than permission sometimes.
- TnTBass, on 10/29/2008, -1/+12 Interesting read on the day I distribute my updated IT Policies to the users.
I know it will cause people to complain... specifically about size limits on their mailboxes. I'm sure most users will try to argue that they need a 10GB mailbox to do their job, but in reality, if they managed their email properly, they wouldn't have that mess.
Users have no idea what challenges their IT admin is presented with. Those 40+% that don't follow the rules cause us the most amount of trouble. What they fail to realize is a proper IT policy not only keeps the network healthy, but also protects them, and the company.
- kingo123, on 10/29/2008, -0/+10 SOX really fudges up everything in my life....I work in the UK but because the company is listed in the NYSE...it has to be SOX Audited...and this forces us to adopt procedures which make life a living hell. The documentation....ughhh...I really hate the amount of documentation I have to create, when I make any little changes.
Thanks America for Sarbanes Oxley (SOX), you really have made my job a living hell.
- inactive, on 10/29/2008, -0/+9 @thelizardreborn: Right, coz that works out so well with speed limits on public roads.
There will always be people who follow rules, and those that break them. The reason why they break them is pretty important though. Like outdated sodomy laws, some rules just don't make sense and are unenforceable and therefore null and void.
I believe that if an IT policy is so restrictive that employees can't get their jobs done, IT needs to re-evaluate their policies. After all, policies cut both ways. They restrict people from doing "bad" things (uploading sensitive data to a public FTP site, surfing porn) but when they keep people from accomplishing their tasks (uploading data to customer FTP sites), they have to be revised.
- twiztidsinz, on 10/29/2008, -0/+9 Not really the same thing.
Understanding a law doesn't lead to respecting the law. If it did, people wouldn't break the law. Understanding and accepting the law, usually because you agree with it, leads to you respecting (or obeying) the law.
Even respecting is different than obeying the law.
You can obey a law that you don't respect and in some cases you could respect a law that you don't obey.
- Daxx22, on 10/29/2008, -0/+9 We have a particularly lovely one that on top of the 60 days, also requires that you cannot use the same password as the last 50 used. -_-
- RyeBrye, on 10/29/2008, -0/+9 I had a job once where one of my job-related duties required me to install various versions of our software in order to be able to support it. (It was a support position)
Our IT policy was that only the IT department could install software on our machines... So, I jokingly asked my manager if that meant I could get the IT guy to do half of my job for me every day - and he laughed and said to ignore that part.
The point is - policy manuals often include so many rules that nobody follows, it's hard to tell which ones you are actually expected to follow. If you tried to follow every rule of the policy manual (that the HR people usually make you sign a note saying that you will) - you would probably piss off everyone you work with and get very little work done.
- matt.rubin, on 10/29/2008, -0/+9 Management that doesn't understand technology.
- jonshipman, on 10/29/2008, -4/+13 85% of my work day I'm on Digg.
The other 15%? I'm on Twitter of course!
- mpdono, on 10/29/2008, -0/+8 Amazingly our websense now blocks out the cache.
- subliminalurge, on 10/29/2008, -2/+10 And then the flip side to that:
All too often IT sees users as "the people who are watching TV shows on cbs.com for 6 hours a day and getting paid for it while we have to bust our ass 10 hours a day cleaning up the viruses and spyware they collected because they couldn't resist downloading some stupid ***** to put custom "stationery" on their outlook email".
- sjbdallas, on 10/29/2008, -0/+8 Good comment but the problem you're describing isn't with the policy it's with whomever decided to issue you crappy hardware. You should have the tools to do your job correctly but that doesn't mean shutting off firewalls or letting you email your code to your gmail account.
- superkendall, on 10/29/2008, -0/+8 Tell him you will change it, but rather than using a long password that you know you'll just keep a sticky around with your new one on - and ask him which is better...
- thelizardreborn, on 10/29/2008, -2/+10 So you're saying the only way to keep people from breaking the rules is to change the rules to match their behavior?
Maybe people will follow the sidewalk if there are actually penalties for going a different direction.