Getting around IT?
The Wall Street Journal had an article today on “Ten Things Your IT Department Won’t Tell You” (I was able to access it without a username, but YMMV). First off, the article is talking about circumventing your company’s IT security policies – in many cases, this means saying goodbye to your job. In other cases, it means serious legal trouble for you and your company.
All companies have sensitive information – formulas, financial data, processes, etc. – the Coca-Cola formula being the classic example. This information is labeled sensitive or secret for a reason. For a company, this information can make or break the business. For a government, it protects everyone in the country. In a lot of cases, these policies are protecting your social security number, credit card information, or identity.
There are two ways this information can get out of the company: 1) someone breaks into the company (physically or over the network) and steals it, or 2) someone finds the information in a “public” place where it was left. Many of the tactics given in the WSJ article make it easier for either of these to happen.
Let’s just go through the tactics one by one and why policies tend to prohibit that particular action.
1. Sending Giant Files. Yeah, it’s annoying that company mail servers can’t send files as large as Gmail can, but disk space, and the capacity to back up that disk, are not cheap. Most servers use SCSI disks, which run about twice what those cheap consumer-grade disks you buy from CompUSA do. Most employees do not need to be sending files larger than 5MB (the typical quota). If your company or job requires you to send larger files – tell your IT department, and tell them why! They can adjust the quotas to better fit your business needs. Placing your files on an external server such as YouSendIt allows people other than your intended recipient to read the file. And, unless the company is taking precautions, anyone who can break into those servers can also read it. Many company policies permit files/information to leave the network if they’re encrypted, so at least encrypt the data before you send it out of your network!
2. Using software your company won’t allow. There are typically two reasons for this one. 1) Companies want their employees to work, and installing video games on company computers won’t get much work done. 2) A lot of software comes bundled with spyware that will make your system vulnerable. Take for example the recent Pfizer case, where an employee’s spouse installed P2P software and SSNs were shared. The point is, the IT department vets all the “approved” software to make reasonably sure that there is no spyware or other malicious software along for the ride. What you can do: if you need a specific piece of software to do your work, talk to your manager and your IT department about it. If you really need it for your job, you’d be surprised at what they’ll let you install. If there’s just something you have to have that IT won’t approve – there’s probably a darn good reason.
3. Visiting blocked web sites. There are many web sites that other people may find offensive, and it’s a legal liability to allow you to visit those sites. The whole “you’re supposed to be at work” thing comes into play here as well. If you should be surfing a site for work, you probably already have access. Web sites sometimes take advantage of bugs in browsers to retrieve information they shouldn’t have access to, and if your company is like most larger companies, it isn’t always running the most up-to-date software. They’re really trying to protect you as best they can. If you need to get to a blocked site for work purposes, talk to the IT department; they can probably work something out with you.
4. Clearing your browsing history. OK, this one I agree with on principle, privacy nut that I am. You should always clear your cookies and browsing history, whether on your work machine or your home machine. But here we get back to the fact that your company has the right to watch all traffic going in and out of its computers, laptops and network. If you know you shouldn’t be doing it, clearing your browser cache isn’t going to help.
5. Accessing your work computer from home. OK, this one I have a major problem with. If you can search your files remotely, so can other people. I don’t care if you have a password on it – unless you know what you’re doing, the password probably isn’t strong enough. Also, even the metadata (title, author, etc.) of a document can be considered sensitive. Imagine a company memo titled “Details of how the hackers broke in and stole all of our customers’ SSNs.doc”. With some of the naming conventions I’ve seen, this title isn’t that far-fetched, and just the existence of that file is a lawsuit waiting to happen. If you need to access your work files from home, 1) get yourself a company asset – a laptop or desktop – to use for it, and 2) get some kind of secure connection to your office, whether that’s dial-up or a VPN. Most companies have remote access for their employees, and if yours doesn’t, consider whether you really need to access the files from home. On top of that, unless you are a security expert (and even if you are), your home computer is not as well protected as a company system. It’s just another opportunity for sensitive information to be stolen.
6. Posting company information to a public server. If you do this, you deserve to be fired. The place you’re posting to may not have the same protections as your company servers, or even your company laptop. Most of these services don’t even use SSL to transfer your files, and you are not the only one with access to those servers.
7. Tracking employee communications. The article is right – this is there to catch people who are sending company information out. In many cases you have to send company information out, and in all of those cases you should use encryption. In the course of my typical day, I send about 10-15 e-mails to clients or co-workers discussing client-confidential information. There are appropriate channels for transmitting that information; make sure you know what they are and whether you have the right/permission to send it. The extremely long legal disclaimer at the bottom of your e-mail does absolutely nothing: if someone wants to keep or use that information, they’ll just ignore it.
8. NEVER EVER forward your company e-mail to a third-party service. Many policies require e-mail to be deleted after 90 days. There is an actual legal reason for this (one I don’t necessarily agree with, but it’s there): if there’s no e-mail trace, it didn’t happen. It’s called plausible deniability, aka Cover Your Ass. The archiving requirements of the third party may not agree with your company’s. Also, access to the e-mail isn’t controlled as tightly. I’m sure many of you have heard of people losing their gmail/yahoo/hotmail account passwords – and someone else just helped themselves to the account. The web-mail services are good, but are they as good as your company’s? Are you willing to take that chance? On top of that, anyone who’s watching their mail server logs closely will notice that you’re forwarding mail outside the company, and then you’ll be handed your pink slip pretty darn soon.
If you need to access your e-mail from home, that’s what a laptop and dial-up or a VPN are for.
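As an added illustration of the log-watching point in item 8 (this is example code, not from the original post or the WSJ article): a small Python detector that runs over constructed mail log lines and flags mailboxes whose internally addressed mail keeps being delivered to an external domain. The line format is a simplified Postfix-like one (the to=, orig_to= and status= fields are modeled on Postfix delivery logging), but the lines, hostnames, queue IDs and addresses are all made up for the example, and the internal domain, threshold and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simplified Postfix-like format.
# Made up for this example; real MTA logs differ by software and configuration.
SAMPLE_LOG = """\
Jul 30 09:12:01 mx1 postfix/smtp[2201]: 7F3A1: to=<jdoe@gmail.com>, orig_to=<jdoe@example.com>, relay=gmail-smtp-in.l.google.com, status=sent
Jul 30 09:14:22 mx1 postfix/local[2210]: 8B2C4: to=<asmith@example.com>, relay=local, status=sent (delivered to mailbox)
Jul 30 09:15:05 mx1 postfix/smtp[2201]: 9C1D5: to=<jdoe@gmail.com>, orig_to=<jdoe@example.com>, relay=gmail-smtp-in.l.google.com, status=sent
Jul 30 09:20:48 mx1 postfix/smtp[2203]: A1E6F: to=<vendor@partner.example.net>, relay=mail.partner.example.net, status=sent
Jul 30 09:31:17 mx1 postfix/smtp[2201]: B4F70: to=<jdoe@gmail.com>, orig_to=<jdoe@example.com>, relay=gmail-smtp-in.l.google.com, status=sent
Jul 30 09:40:03 mx1 postfix/smtp[2204]: C5A81: to=<bob@yahoo.com>, orig_to=<bob@example.com>, relay=mta5.am0.yahoodns.net, status=sent
"""

# Assumed: the company's own mail domain.
INTERNAL_DOMAIN = "example.com"

# A delivery record: final recipient, optional original (pre-rewrite) recipient, delivery status.
LINE_RE = re.compile(
    r"to=<(?P<to>[^>]+)>(?:, orig_to=<(?P<orig>[^>]+)>)?.*status=(?P<status>\w+)"
)


def domain_of(addr):
    """Lower-cased domain part of an e-mail address."""
    return addr.rsplit("@", 1)[-1].lower()


def find_external_forwards(log_text, internal_domain=INTERNAL_DOMAIN, min_hits=2):
    """Return {internal_mailbox: {external_destination: count}} for every mailbox
    whose internally addressed mail was successfully delivered to an external
    domain at least min_hits times. Lines without orig_to= are plain outbound or
    local deliveries, not forwards, and are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("status") != "sent":
            continue  # unparseable or not actually delivered
        orig, final = m.group("orig"), m.group("to")
        if orig is None:
            continue  # no address rewrite happened: not a forward
        if domain_of(orig) == internal_domain and domain_of(final) != internal_domain:
            counts[orig.lower()][final.lower()] += 1
    return {mbox: dict(dests) for mbox, dests in counts.items()
            if sum(dests.values()) >= min_hits}


if __name__ == "__main__":
    for mailbox, dests in find_external_forwards(SAMPLE_LOG).items():
        for dest, n in dests.items():
            print(f"{mailbox} forwarded {n} internally addressed messages to {dest}")
```

In the sample, jdoe@example.com is flagged (three deliveries to a gmail.com address), while bob@example.com falls below the default threshold of two and the vendor message is ignored because it was never addressed internally. A real deployment would key on whatever your MTA logs for alias or .forward rewrites and would whitelist sanctioned external destinations such as partners or an outsourced archive.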
9. Plugging external devices – whether USB drives, BlackBerrys, etc. – into your work computer may or may not be covered in your security policies. The primary reason for forbidding this is that you can bring viruses and spyware into the company. Then that software has free rein of your network to find and share sensitive files. It’s not just your own security you’re trusting any more, but everyone else’s as well. And last I checked, not everyone’s a security expert – that’s why I still have a job :-)
10. I can’t really help you with this except to suggest you find another job where you’re challenged enough to not be bored.
Most companies have really good reasons for the security policies they adopt. Find the IT group and ask why a policy is the way it is. If they can’t tell you, find out who can. If no one can, maybe it’s a bad policy and should be changed. IT security people realize that you have to get your work done too, so if a policy is interfering with your work, approach them and ask how you can do the same thing within their policies. Most of them are more than willing to work with you.
11 thoughts on “Getting around IT?”
Bravo! I used to do IT for a large university and when I read that WSJ article I about did a spit take. The place I used to work had a very liberal IT policy (even more so considering I worked for financial aid of the university) and we still had people trying to do end runs around the meager restrictions we had in place. Of course, I also can’t tell you the number of times we had to completely reformat a machine due to Limewire or Bargain Buddy being installed. I’m still shocked I haven’t heard about a large info breach from that place yet.
Anyway, you said everything I’ve said myself when these issues came up in the past. Bottom line is: these policies are in place for good reasons. Protecting data, protecting the company from liability and ensuring everyone can do the job they’re getting paid to do, not because the mean old IT people don’t want anyone to have fun. Shame on the WSJ for such an irresponsible article.
This is a letter I sent to the WSJ on this article:
Re: “Ten Things Your IT Department Won’t Tell You”, page R1, July 30, 2007
I was initially intrigued by the title of your article and sought it out after seeing the reference to it on the front page. However, I was appalled by the fact that The Wall Street Journal, as a business newspaper, would seek to usurp the sets of policies and systems that IT departments put in place to protect one of the most important assets a company has – its data.
Your article takes it for fact that IT departments seek to keep things from users purposefully – either for their own enjoyment or for some other insidious reason. A well-run IT department should have no secrets (other than passwords, of course) and their policies should be an open book and clearly aligned with the business operation. The reason these restrictions, policies, procedures, and systems are put in place is to protect the one thing that cannot be replaced – confidential company information. Servers, firewalls, network switches, routers – these can all be replaced. What cannot be replaced is the competitive edge and stakeholder value if crucial confidential information falls into the wrong hands.
It is clear that the author does not understand a guiding principle of corporate network protection today – there are more enemies inside your network than outside it. The fact is that your own employees – either through unintended consequences or through deliberate malicious behavior – can do far more damage than most people trying to break into a network from the outside. The suggestions of placing corporate information on third party file transfer systems, using applications embedded on removable devices, forwarding e-mails outside the organization, etc. do nothing but undermine legitimate protection policies and systems that an employer spends a considerable amount of money to purchase and maintain. Of course, if the industrious end-user were to search around on the Internet, they could find everything noted in the article on their own. The damaging aspect of the article is that The Wall Street Journal apparently condones this behavior.
The larger point is that business leaders should align with IT to create policies that make sense for your business rather than battle for turf. Your piece encourages the battle and promotes a separation where there should be unity. There is a balance between usability and security, and every business should afford themselves the time to find that balance in a cooperative effort between IT, business units, and executive management.
_____________________________
Daniel Bobke, MCSE
Director of Information Technology
ICU Medical, Inc.
Well well…
WSJ has misbehaved on a large scale… The article should be titled “How to loose a job in 10 seconds (and get a criminal record)”.
Policies should be clear and leave no room for doubt. Employees should ask IT staff if they want to use other tools not provided by the IT team – it doesn’t hurt to ask (exactly as Laura wrote above)!
Policies are in place for some good reason – and none of them is to make users’ life a nightmare.
I work for one of the companies in probably the most targeted sector that does business online. We all sign an NDA before we get access to anything – email, disk space, etc.
If you signed an NDA and used any of the “tricks” in the WSJ article, better start looking for a new job – if you can get anything other than an assistant position in a grocery shop, with a criminal record like that.
Yes – you may be lucky and nothing happens, but I would say it’s not about ‘if it happens’ but ‘WHEN it happens’. You can be sure that any NDA-like agreement will then be a perfect reason to sack you first and then sue you, to cover all the costs and losses (and some – like brand value, trust relationships, etc. – are really hard to calculate), so better start saving money…
I wonder if (or rather when) we’ll hear about a security breach or data loss caused by somebody that followed the “advice” given in the WSJ… and how long it will take a good lawyer to sue the WSJ on the same matter… I’d like to see that.
The WSJ article is badly written – it underestimates the risks and possible consequences, both from the employee’s and the company’s perspective. If the WSJ wants to show “the cool way” of evading policies, they did the most stupid thing they could.
I’d worry more about “losing” my job than “loosing” it, Tomasz.
Don’t use American Internet users as your guide to the Queen’s English and you’ll be just fine.
Working around the employer’s safeguards seems like a good way to get fired to me!
In addition, we live in the age of Sarbanes-Oxley. Companies that do not properly secure their environments or have employees constantly doing end-runs around policies run the risk of getting in trouble in their audits.
I am always searching for online resources that can help me. Thank you!
Every time I come here I am not disappointed, nice post
I really liked your blog! Definitely I Stumble UP the blog post! Great blog indeed :-)
I want it
Have you thought about including some type of bookmarking buttons or links on weblog posts?