Batye suggests a more “proactive approach” to security, such as internal and external testing for security holes; a system for downloading, installing, and configuring updates and patches; and regular security hardware upgrades. Does your budget value security? It will show in your vulnerabilities…

Chippy088 makes a familiar point, which ErroneousGiant seconds: The weakest link is the user.

Because they think you have the system well protected, they don’t care where they browse, or what they download. They are, in the main, non technical, and think it’s covered, or have not been made aware of the dangers. The attitude being, I haven’t had a problem at home, so what harm can it do. I have seen many small companies who regard the user as a minor consideration when making security decisions.

He also warns against social networks, which often create a back door entry point into companies. His suggestion? “Aggressive methods.” Company policy should reflect possible vulnerabilities, and internal methods such as penetration testing could be done without too high a cost.

While ErroneousGiant agreed with Chippy on some things, he was willing to take responsibility, as an administrator, for either “preventing users from putting the company at more than accepted risks or to educate the users about the risk. The IT team are just as responsible for any breach by either not verify[ing] security properly, not having the correct security in place, or not shouting loudly enough if it’s not in place.”

Newer member Ekardris presents an interesting argument and plan of action:

We all know that users inside and outside the organization are going to attempt to breach security. (Whether they meant to or not) Therefore we have to plan that it will happen, and not be surprised afterwards that it did happen. Our job is to devise systems that will keep 98% of attempts made by amateurs and the ignorant from being effective.

Then plan contingencies for the 2% who we can’t stop from breaking through our security.

He says that most users assume they’ll be kept out of places they shouldn’t be, and so when they discover access to off-limits places, the blame for what happens next falls on IT. It doesn’t take a sophisticated hacker for the most part; there are gaping holes in enterprise security in most places. Some of the most obvious mistakes Ekardris finds:

• Administrative accounts being used by multiple people
• Common knowledge within the organization or IT department of the Admin password
• Tracking turned off on corporate data files
• Service accounts that are compromised or are the Administrator
• No Security Policy documented
• No documentation on security groups, policies and/or explicit rites
• Inconsistent backups
• Poor understanding of router and firewall ports
• Only one security wall between the corporate data and the internet

In answer to these d’oh! moments, he included some tips for companies avoiding Sitting Duck syndrome:

• Continuous auditing with the IT groups. Focusing specifically on corporate requirements, industry best practices, corporate policies and procedures.
• Reviewing contingency plans in case of failure and security breaches.
• Assigning a “security” role that focuses specifically on the organization’s security. This role would be responsible for reviewing corporate security policy, continually gathering security requirements from departmental stake holders, managing security audits within the organization, and maintaining a discussion around these issues within the entire business organization

For more from Ekardris and some of the red flags he’s come across during audits, check out his full response here.

How is your company handling the heightened awareness of security these days? Have you seen some of these vulnerabilities or implementations in your own industry? Let us know in the comments section or email me at Melanie@ITKnowledgeExchange.com.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

After less than a minute of sitting in the session, Brandon Savage of Box.net was in the middle of addressing the point of “IT as a bottleneck.” IT causes reluctance to move despite the opportunity for improvement. A woman in the audience who works for a pharmaceutical company on the IT side, asked about building solutions rather than buying a massive, large-scale solution. Her company, she said, prefers to implement bit by bit, testing and measuring (and beating dead horses) along the way. The panel’s treatment of IT departments was suddenly proven correct.

But not all IT departments want to throw a wrench in the productivity wheel. Another man in the audience questioned what to do when faced with end users who couldn’t care less about major systems like SharePoint. “When they’re outside the firewall, they just want the simplest option,” he said. Google Docs was named as the main rogue weapon of choice for those in no-firewall’s-land, but Savage dropped DropBox’s name as another form of employees going rogue. Savage took his opportunity to explain how Box.net is a better option than DropBox, with its ability to track files once they’re out in the wild, whether it’s who’s looking at what, how many times, and from what IP address.

Is IT fighting a losing battle?

Capabilities such as Box.net’s tracking features provide some hope that IT isn’t on its own. The search for a simple, user- and IT-friendly solution isn’t completely in vain, as long as IT departments keep some tips in mind.

• Don’t just say “no.” Just because you know all of the reasons that sending the clients’ account information via Google Docs doesn’t mean that Bill from sales will know. One of the audience’s voiced complaints about IT departments is that they’re not helpful enough. Explaining why the extra steps to access SharePoint instead can save you headaches now and later.

• Be proactive. Savage says that the majority of sales leads at Box.net are incoming from IT departments. While it may be a thorn in your foot that consumer applications are shiny, attracting every Joe Schmo at your company, they are necessary for pushing enterprise vendors. Savage pointed out that as long as there are consumer application start-ups with fewer obstacles for their end-users, they will outpace enterprise solutions. “As consumer applications become more accessible and used, it opens the end users’ eyes to the ease that’s possible, but also opens IT’s eyes to the vulnerabilities.”

What are your concerns when it comes to outside perceptions of IT? How does your company keep communications open amongst departments?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

That’s the question that the Supreme Court has agreed to tackle as it reviews USA Mobility Wireless Inc. v. Quon. As CNN reports, the case would cover what, if any, expectations of privacy federal employees have at work when they’re using their employer’s equipment:

The department has a “Computer Usage, Internet and E-mail Policy” that gives workers only limited use for personal communications. Quon signed a statement acknowledging that “use of these tools for personal benefit is a significant violation of City of Ontario Policy” and that “users should have no expectation of privacy or confidentiality when using these resources.”

…

It was only in reading the transcripts voluntarily provided by Arch Wireless from its electronic archives that the often-racy messages to his wife, his girlfriend and a fellow officer were revealed, prompting an internal department investigation.

A review of one month found that Quon had sent and received 456 personal messages while on duty, an average of 28 per shift, and only three were deemed work-related. A federal court judge characterized many of the messages as not “light personal communications,” as defined in the policy as generally acceptable, but words that were, “to say the least, sexually explicit in nature.”

When I’ve spoken with IT professionals on the matter of personal privacy at work, the number one piece of advice is spell policies out. It seems like the City of Ontario did that, and still ran into problems, suggesting what a thorny issue it is.

GigaOm’s Sebastian Rupley also takes on the case, noting other cases where the federal government has been accused of overstepping its bounds, particularly when it comes to social media:

This isn’t the only recent dust-up involving the privacy rights of government workers online. Earlier this month, the Electronic Frontier Foundation (EFF), working with the Samuelson Law, Technology and Public Policy Clinic at the University of California at Berkeley, slapped a lawsuit against half a dozen government agencies for refusing to explicitly state their policies for using social networking sites for investigations, data collection and surveillance. The suit specifically charges that the agencies are withholding information on data they’ve collected from their workers’ usage of Facebook, Twitter and other social applications.

The article tackles the costs, infrastructure and support challenges in handing over IT decisions to users, but generally is pretty keen on a rosy future where companies cut costs using consumer tools, support for non-standard choices is handled via internal user self-help forums, and data leakage is taken care of via virtual machines launching here, there and everywhere.

Read it and let me know what you think, in the comments, on Twitter at @Morisy, or via Michael@ITKnowledgeExchange.com. I’m more than happy to keep your information private if requested.

More on users and IT:

• CIO’s cost-cutting measures include move to Gmail
• Everyone hates your insecure password rules
• Help user-IT relations with a party: So crazy it might just work

]]> http://itknowledgeexchange.techtarget.com/IT-watch-blog/the-wsj-takes-aim-at-your-it-policies/feed/ 0