Monday, April 1, 2013

Employees deliberately ignore security rules

... or at least that's the perception Information Security teams have in 80% of the cases, according to a survey done by Lieberman.

That number doesn't really surprise me: for one, your usual IS team's perception is in my view always a bit biased toward the "the users are evil/stupid" side, and second, most employees care about only one thing: getting their job done as quickly as they can.

The main culprit? Convenience! People tend to forget all their security reflexes when two conditions are met: (a) what they are working with is not their own, and (b) bypassing security will be convenient or helpful for them.

As an example of (a): no one with a brain would put a post-it in his/her wallet with the PIN code for the bank card sitting next to it. However, lots of developers don't see a problem in storing the same kind of information (credit card number, CVV2, name, address) in a single, unencrypted table.

And for (b), we probably all know someone who used an HTTPS proxy to bypass a filtering proxy, or who has all the passwords for his/her applications in a spreadsheet called "password".

Being in the IS team is often exhausting and depressing: seeing people do "stupid" things because it's convenient can be really taxing, especially when you don't have good management support, and seeing very stupid things go unpunished without even as much as a slap on the wrist has led a few people I know to reconsider their careers. In that regard, being an IS professional is akin to being a cop: you are celebrated when you help capture the bad guy, but loathed when you stop someone and fine him for not respecting a speed limit.

Employees in a company, like drivers on a road, usually don't consider the policies as applying to them, or justify their acts by stating that the policy is "retarded", that not being able, for example, to surf Facebook over lunchtime from a desk computer is stupid and why should it be the case. No matter how reasonable the explanation is (risk of malware coming in, of confidential information being exposed and so forth), the employee will always reply that "this happens to others; I am careful and I pay attention not to do anything insecure."

In that regard, management and executives have a few important roles to play: educate the users by example and show that, even if they could demand an exemption, they don't bypass the security policies; and make sure that there are commensurate reactions to any actions. I am not talking about firing an employee because he/she clicked on a link in an e-mail, but about having an appropriate reaction, such as the obligation to follow a security course or to assist in repairing the damage caused. On that last point, in my previous lives I have lived through a number of situations where a user would introduce a virus into the network, but would be allowed to go home at 5pm, while IT had to work overnight to clean the systems.

In my view, it is important that this perception of "the users are plotting against us" changes, and it won't as long as the users don't understand that the IS team is not the problem, but rather a help.