One colleague from a major consulting company told me that the “inappropriate surfing” problem was so bad in their company that they just stopped all web filtering, with the exception of spyware, etc. Their new approach: leave it up to the individual employees to ensure that they just “took care of business and didn’t end up in any of the wrong places.” The reason: they wanted to remove any motive for staff to attempt to go around filters and try to outsmart the company cyber police. Of course, they still had the policy saying it wasn’t allowed.

“We’re not going to watch them anymore. We now treat them like big boys and girls, and tell them to just stay out of trouble. It was just taking up way too much time and resources.”

What my colleague described was another way of saying that the only “real sin” has now become getting caught. It’s kind of like the common view of speeding on highways: you can go over the speed limit, just don’t get caught. Buy radar detectors, do whatever you have to do, but don’t get caught – or you’ll pay.

My response: that’s a bit like confronting an 18-year-old who has several speeding tickets by giving him a new bright red Corvette. You’re not likely to stop the problem by just trusting people more. Good monitoring tools (that can also filter and manage) help keep the staff honest and out of trouble. In cold war terminology – we need to trust, but verify.

So what was the main lesson learned from my “unofficial” research? Regardless of which approach companies took regarding behavioral oversight, they almost all recognized the same problem. We’ve seen the enemy, and they’re sometimes one of us.

You may be thinking – hold on a minute. What happened to the assumption that our internal users didn’t know any better? We thought that they were – well, less informed about these “cybersecurity things.” They bring in worms and stuff because our awareness programs are lacking, right?
Were all of those speeches on cultural change and various aspects of security and identity theft just a waste of time? Is the audience already smarter than the presenters? Personally, I’m not there yet. I believe cyber education is still relevant for the majority of the people we deal with. I’m confident that social engineering is still regularly tricking people. I don’t think most people know how to stop basic cyber attacks at home, much less bypass web filters at work. We still need to educate … yada, yada, yada …

Still, we’re discussing another small (but growing) section of the crowd. They are “the rest of the story.” They obviously know what they’re doing, and they take up quite a bit of our time which should be spent elsewhere. These people do get it, and they know how to cover their tracks. They’re living on the “wild side,” on purpose, but their actions often put the rest of the enterprise at risk of trojans, botnets, and worse. This conduct increases our enterprise security risk in numerous ways. Next, I’ll tell you what I think the core issue is.