On July 30 the Wall Street Journal published an article entitled “Ten Things Your IT Department Won’t Tell You”. There was a lot of angst among security bloggers. Anton Chuvakin chimed in with a post that included:

Users do this and are NOT caught since they manage to bypass the deployed security controls. Ah, this is a fun one; that is what makes security a “calling, not just a job” for so many. Go back and deploy, tune, log (yes, logging all such activities is important, especially when HR wakes up and swings the ax…) and have fun. 0days and mafia hackers might be more challenging to fight, but users are surely more numerous 🙂

There were a few excellent posts; one by Beau Woods, one by IT Compliance and another by Loner Vamp. I think Mike Rothman got it right:

But I want to make sure we don’t miss the point, which is the continued need to educate our users as to why these defenses are important and what we are protecting them from. The reason people will try to go around our defenses is because they don’t understand the importance of adhering to the rules. Sure, the WSJ was borderline irresponsible in publishing this, but it’s not like a quick search wouldn’t yield roughly the same information. If you do a crappy job of selling the reasons why the policies need to be followed, then you shouldn’t be surprised that users go around you. Remember that it’s easy to be Dr. No. It’s much harder, but ultimately more important, to be Mr. (or Ms.) Yes, But.


