Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Privacy

10/16/2018
11:20 AM
Connect Directly
Twitter
RSS
E-Mail

6 Reasons Why Employees Violate Security Policies

Get into their heads to find out why they're flouting your corporate cybersecurity rules.
1 of 7

Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 11:23:03 PM
Re: Believe it or not
Look, let's set apologism aside and get right to the point.

Security and accessibility are mortal foes. This is not a denigration of either interest in favor of the other. It is axiomatic. 100% security necessarily means 0% accessibility (because the thing is so secure that NO ONE can EVER access it NO MATTER WHAT). 0% security necessarily means 100% accessibility (because the thing is so universally accessible as to have eliminated all conceivable barriers -- security and otherwise).

Let the devs focus on features and accessibility (like they already do), and let the security people focus on security. And have someone in charge, product-wise, to balance the interests based on a risk assessment. It is not -- and should not be -- security's job to balance the interests because the security team is naturally biased. Likewise for the feature creeps.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
10/31/2018 | 12:00:48 AM
Re: Believe it or not
You wouldn't believe what I've seen (or maybe you would) in terms of employees essentially committing out-and-out fraud just to get around their company's security and compliance requirements.
3Dmerchant
0%
100%
3Dmerchant,
User Rank: Guru
10/26/2018 | 8:29:17 AM
Re: Believe it or not
To "get their job done" is right on point. I talk to people every day doing things against company policy, like using paper credit card authorization forms that have been forbidden. But these same people are held accountable when the company gets burned on a fraudulent transaction. If management doesn't provide a solution to help them comply with policy while protecting them from blow back on fraud losses, their going to find another way to get it done.
silyrics@hotmail.com
50%
50%
[email protected],
User Rank: Apprentice
10/24/2018 | 4:03:24 PM
Re: Believe it or not
With regard to this comment I would like to add the following: The Security world does not seek to restrict the user, in fact the security world has a very responsible balancing act to achieve. We are advised that a layered security archiecture is a requirement and at least one of those layers involves the uers. If users were comletely safe in all they say and do, there would be no requirement for many of the restritions imposed. Unfortunatel my experience shows the users to be the most valuable asset and the most vulnerable segment of the system picture.

If we look at protecting the system today to ensure there is a system tomorrow, many of the users inconvieniences become quite small in relation. The user opens the pandoras box at logon, i would hope the systems employed are close to transparent from there on....if not then the company may have created a budget environment, sometimes this can lead to not only overly clunky security requirements but also the creation of holes inthe security capability.

Please do not be disapointed when you cannot automatically access files, it is quite possible you are not aware of the security brief from above your head..

 
wmw
67%
33%
wmw,
User Rank: Apprentice
10/19/2018 | 1:21:58 AM
Believe it or not
The most important and missing reason is, that IT does not focus on the user. IT has the duty to support the user, not to restrict the user. In an agile world, it's also outdated to restrict the user to access only for day-to-day work. This might work in a taylorism company, but not in modern beta codex based companies. IT should be the consultant of the users, to not inhibit the work flow of innovative technologies while maintaining necessary security and mitigating risks. To be honest, there is no such thing as 100% security. IT has'n realized that its work is complexity and this is not be done by standardized processes.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This is not what I meant by "I would like to share some desk space"
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3686
PUBLISHED: 2021-01-21
Possible memory out of bound issue during music playback when an incorrect bit stream content is copied into array without checking the length of array in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobi...
CVE-2020-3687
PUBLISHED: 2021-01-21
Local privilege escalation in admin services in Windows environment can occur due to an arbitrary read issue in XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CVE-2020-3691
PUBLISHED: 2021-01-21
Possible out of bound memory access in audio due to integer underflow while processing modified contents in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon We...
CVE-2020-11167
PUBLISHED: 2021-01-21
Memory corruption while calculating L2CAP packet length in reassembly logic when remote sends more data than expected in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Weara...
CVE-2020-11179
PUBLISHED: 2021-01-21
Arbitrary read and write to kernel addresses by temporarily overwriting ring buffer pointer and creating a race condition. in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon ...