Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

10/16/2018
11:20 AM
Connect Directly
Twitter
RSS
E-Mail

6 Reasons Why Employees Violate Security Policies

Get into their heads to find out why they're flouting your corporate cybersecurity rules.
1 of 7

Image Source: Adobe Stock (Michail Petrov)

Image Source: Adobe Stock (Michail Petrov)

1 of 7
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 11:23:03 PM
Re: Believe it or not
Look, let's set apologism aside and get right to the point.

Security and accessibility are mortal foes. This is not a denigration of either interest in favor of the other. It is axiomatic. 100% security necessarily means 0% accessibility (because the thing is so secure that NO ONE can EVER access it NO MATTER WHAT). 0% security necessarily means 100% accessibility (because the thing is so universally accessible as to have eliminated all conceivable barriers -- security and otherwise).

Let the devs focus on features and accessibility (like they already do), and let the security people focus on security. And have someone in charge, product-wise, to balance the interests based on a risk assessment. It is not -- and should not be -- security's job to balance the interests because the security team is naturally biased. Likewise for the feature creeps.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 12:00:48 AM
Re: Believe it or not
You wouldn't believe what I've seen (or maybe you would) in terms of employees essentially committing out-and-out fraud just to get around their company's security and compliance requirements.
3Dmerchant
0%
100%
3Dmerchant,
User Rank: Guru
10/26/2018 | 8:29:17 AM
Re: Believe it or not
To "get their job done" is right on point. I talk to people every day doing things against company policy, like using paper credit card authorization forms that have been forbidden. But these same people are held accountable when the company gets burned on a fraudulent transaction. If management doesn't provide a solution to help them comply with policy while protecting them from blow back on fraud losses, their going to find another way to get it done.
silyrics@hotmail.com
50%
50%
[email protected]tmail.com,
User Rank: Apprentice
10/24/2018 | 4:03:24 PM
Re: Believe it or not
With regard to this comment I would like to add the following: The Security world does not seek to restrict the user, in fact the security world has a very responsible balancing act to achieve. We are advised that a layered security archiecture is a requirement and at least one of those layers involves the uers. If users were comletely safe in all they say and do, there would be no requirement for many of the restritions imposed. Unfortunatel my experience shows the users to be the most valuable asset and the most vulnerable segment of the system picture.

If we look at protecting the system today to ensure there is a system tomorrow, many of the users inconvieniences become quite small in relation. The user opens the pandoras box at logon, i would hope the systems employed are close to transparent from there on....if not then the company may have created a budget environment, sometimes this can lead to not only overly clunky security requirements but also the creation of holes inthe security capability.

Please do not be disapointed when you cannot automatically access files, it is quite possible you are not aware of the security brief from above your head..

 
wmw
67%
33%
wmw,
User Rank: Apprentice
10/19/2018 | 1:21:58 AM
Believe it or not
The most important and missing reason is, that IT does not focus on the user. IT has the duty to support the user, not to restrict the user. In an agile world, it's also outdated to restrict the user to access only for day-to-day work. This might work in a taylorism company, but not in modern beta codex based companies. IT should be the consultant of the users, to not inhibit the work flow of innovative technologies while maintaining necessary security and mitigating risks. To be honest, there is no such thing as 100% security. IT has'n realized that its work is complexity and this is not be done by standardized processes.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...