Some people think the rules just don’t apply to them.
Take the nuclear scientists at Los Alamos National Laboratory, for example, who figured they didn’t really need to report promptly that hard drives containing top-secret information had gone missing.
Or the customer service people at America Online, who opened virus-laden e-mails and allowed hackers to grab customer data, including passwords and credit-card numbers.
Now there’s a congressional investigation of Los Alamos, and internal audits are under way at AOL. And no doubt both organisations will launch campaigns to convince all their employees of the importance of security.
They’ll stress that the security rules do matter and that everyone must take the necessary precautions to protect their data, their networks and their organisations.
Forget it, guys. It won’t work.
Employees aren’t blind, and they’re not stupid. They can see which priorities are really important to their co-workers and bosses and they know security isn’t one of them.
And these aren’t special cases. The special cases, the exceptions, are organisations like the military, where people believe — rightly — that following security rules can be a matter of life and death.
For everyone else, those rules are just a nuisance.
Want another example? Last August, former US Central Intelligence Agency (CIA) director John Deutch was stripped of his security clearance because he surfed the Internet from a home PC that was also stuffed with classified information. (“At no time did I intend to violate security rules,” Deutch said later. Yeah, right.)
A Senate investigation concluded that the CIA knew Deutch was mishandling secrets and buried that fact for a year before reporting it to the US Federal Bureau of Investigation and Congress.
Put simply, the US’s top spy ignored the CIA’s security rules, but his co-workers kept a lid on it and even rewarded him with consulting work after he left the agency. Ironically, one of those consulting gigs — just months before his clearance was pulled — was investigating security at Los Alamos.
Outrageous? Sure. But you know the same thing would likely happen in your company if the CEO broke security rules and exposed proprietary information to crackers or industrial spies. As long as that CEO keeps delivering good business results, security screwups will be forgiven.
And you know the rest of your users are just as likely to ignore the rules and cover up lapses. They know teamwork and efficiency and, especially, the bottom line are what count with the boss — not security.
They don’t buy the lip service about security they hear from managers. They know opening all their e-mail quickly, without thinking about dangerous attachments, is the way to get the job done fast.
They know that working at home from their cable-modem-equipped PCs — even if it risks exposing corporate data to hackers — is how you get a promotion, not a reprimand for compromising security.
Maybe someday security will be a corporate priority for your organization. That’ll have to start with your CEO and top executives, and it will take years to percolate down through the rest of the business — to change your company’s culture and your users’ attitudes.
In the meantime, it’s up to IT. So let’s install the firewalls and antivirus software. Patch security holes. Monitor network traffic and server logs. And yeah, remind users — but don’t expect results.
Because until security matters as much to the boss as the bottom line, most users just plain won’t believe security rules matter to them.
And that’s a rule that applies to everyone.
Hayes, Computerworld’s staff columnist, has covered IT for more than 20 years.