Three parts to my post here. Part 1: WHAT do people (often) do that's against security policy. Part 2: WHY do people (or at least, me, and people I know) do it. Part 3: Soapbox ("wot I think"), aka why I think this type of policy is silly and what I'd do differently.
Part 1: The "what"
- (Obvious, since it's in TFS) Using your smartphone/tablet while at your desk, assuming that's disallowed by policy.
- Bypassing the firewall/proxy at work by routing through a remote server or VPN, using, e.g., stunnel, OpenVPN, or whatever else can be hacked up (worst case, building a website that accepts a remote page's URL and tunnels all of its resources through it).
- Installing/running software, whether it shows up in Add/Remove Programs or not, that isn't explicitly approved by IT management. Example: portable apps, VBScripts, Java class files or JARs, .NET IL, etc. often fly "under the radar" of programs that try to detect and prevent the installation of unauthorized software.
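For the proxy-bypass techniques above, the check an IT/security team would actually run is on the proxy's own access log: a tunnel hacked up with stunnel or OpenVPN-over-TCP shows up as a single long-lived, high-volume CONNECT (often to a non-443 port), and a "website that fetches a URL for you" shows up as requests whose query string carries another URL. The script below is an added example, not code from the original post; the Squid-style log layout (`<unix_ts> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url> ...`), the sample lines, the thresholds and the parameter-name list are all constructed assumptions to be tuned against your own baseline.

```python
"""Flag proxy-log patterns typical of tunnelling and web-proxy bypass.

Added example, not from the original post. The log format is an assumed,
constructed Squid-style access.log: one request per line with the fields
  <unix_ts> <elapsed_ms> <client_ip> <result/status> <bytes> <method> <url>
followed by any further fields, which are ignored.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Thresholds are assumptions for illustration; tune them to your own traffic.
LONG_TUNNEL_MS = 10 * 60 * 1000      # a CONNECT held open for 10+ minutes...
BIG_TUNNEL_BYTES = 50 * 1024 * 1024  # ...or moving 50+ MiB through one tunnel
EXPECTED_CONNECT_PORTS = {443}       # ports where CONNECT is normal (HTTPS)

# Query parameter names commonly used by web-based proxies to carry the
# target URL (assumed list; extend it from what you see in your own logs).
PROXY_PARAM_NAMES = {"url", "u", "q", "target", "go", "page"}
URL_IN_VALUE = re.compile(r"^https?://", re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < 7:
        return None
    ts, elapsed, client, status, size, method, url = parts[:7]
    try:
        return {
            "ts": float(ts),
            "elapsed_ms": int(elapsed),
            "client": client,
            "status": status,          # parsed for completeness, not used below
            "bytes": int(size),
            "method": method.upper(),
            "url": url,
        }
    except ValueError:
        return None


def connect_port(url):
    """For CONNECT requests the 'url' field is host:port; return the port."""
    host, _, port = url.rpartition(":")
    return int(port) if host and port.isdigit() else None


def embedded_url_param(url):
    """Return the name of the first known proxy parameter whose value is itself
    an http(s) URL, e.g. ?url=http://blocked.example/ ; otherwise None."""
    query = parse_qs(urlsplit(url).query)
    for name, values in query.items():
        if name.lower() in PROXY_PARAM_NAMES and any(URL_IN_VALUE.match(v) for v in values):
            return name
    return None


def analyze(lines):
    """Return {client_ip: [finding, ...]} for every line matching a heuristic."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "CONNECT":
            port = connect_port(rec["url"])
            if port is not None and port not in EXPECTED_CONNECT_PORTS:
                findings[rec["client"]].append(
                    f"CONNECT to non-standard port {port} ({rec['url']})")
            if rec["elapsed_ms"] >= LONG_TUNNEL_MS or rec["bytes"] >= BIG_TUNNEL_BYTES:
                findings[rec["client"]].append(
                    f"long/large CONNECT tunnel to {rec['url']}: "
                    f"{rec['elapsed_ms'] // 1000}s, {rec['bytes']} bytes")
        elif rec["method"] in ("GET", "POST"):
            param = embedded_url_param(rec["url"])
            if param:
                findings[rec["client"]].append(f"URL-in-URL via ?{param}= ({rec['url']})")
    return dict(findings)


# Constructed sample lines (not real traffic): an intranet page, a normal HTTPS
# CONNECT, an hour-long 700 MB tunnel to port 8443, a web-proxy fetch of a
# blocked site, an ordinary search, and one malformed line.
SAMPLE_LOG = """\
1339000001.000 120 10.0.0.5 TCP_MISS/200 5120 GET http://intranet.example/wiki/page -
1339000002.000 900 10.0.0.5 TCP_TUNNEL/200 250000 CONNECT mail.example.com:443 -
1339000003.000 3600000 10.0.0.7 TCP_TUNNEL/200 734003200 CONNECT 203.0.113.7:8443 -
1339000004.000 200 10.0.0.9 TCP_MISS/200 40960 GET http://freeproxy.example/index.php?url=http://blocked.example/ -
1339000005.000 80 10.0.0.9 TCP_MISS/200 2048 GET http://search.example/?q=baseball+tickets -
garbage line
""".splitlines()


if __name__ == "__main__":
    for client, hits in sorted(analyze(SAMPLE_LOG).items()):
        print(client)
        for hit in hits:
            print("  -", hit)
```

On the sample data only 10.0.0.7 (two findings for the one long tunnel to port 8443) and 10.0.0.9 (one URL-in-URL fetch) are reported; the ordinary HTTPS CONNECT and the search query pass, which is the point: the heuristics key on the shape of the traffic the three groups in this post all share, not on who the user is or why they did it.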
Part 2: The "why" (from the perspective of employees)
- People who want to "get work done", but need to access information out there on the intarwebz that happens to be blocked by an arbitrary and capricious firewall program, will acquire code, programs, or even just plain *knowledge* from remote third parties, and will do so using proxy bypassing, tunneling, or third-party Internet connections (like the 3G/4G data connection on their phone).
Often, people will perceive the monolithic "IT" organization as opaque, impenetrable, overly bureaucratic, and taking way too much time, money and resources to acquire the software needed, permit the actions needed, whitelist the knowledge sites needed, etc. in order for people to get work done. They may also have the idea (real or perceived) that the IT organization would actually prohibit the action they're trying to take, but they may feel that their decision is actually in the company's best interests.
They may (or may not) go through their own vetting process for the knowledge/software they are acquiring in order to determine whether it is malicious, and once satisfied, they may implement it under IT's nose. They might be doing this because they feel that the IT organization is being overly cautious, needlessly paranoid, or poorly informed about the knowledge/software/code they are acquiring, and, given a limited amount of time and budget, they need to get their work done or they will be on the hook for not having it done when the deadline hits. I'll assign this category of activity the term "skunkworks" for the sake of brevity, with the general idea that these activities are actively beneficial to the organization, come with a low risk, generally have very little impact on IT infrastructure, and have a very high upside for the company.
- People who want to participate in social networking, banking, personal email, etc. in cases where these services are blocked from their work computer will often access them from a personal device, OR from the work device after taking the measures mentioned above. They are not willing to leave the work area in order to tell their spouse to order pizza tonight, order tickets to a baseball game, or check whether they'll overdraw their checking account by stopping by the store tonight. This might also extend to watching a short YouTube video for pleasure, e.g. if you remember a meme and want to share it with a coworker because a conversation you had made you think of it.
They may feel that their actions are harmless to the company and benefit them, and are unwilling to give up this freedom for the sake of the company, because they need to live their lives and can't work eight hours straight like a robot without interruptions from real life. After all, even if they adhered strictly to the policy, they would have to spend a lot of time temporarily out of the office to handle these issues; the issues don't go away just because the employee is compliant with policy - their productivity would actually go *down* if they have to leave the facility to do these things.
I'll assign this category of activity the term "RL" (real life) for the sake of brevity, with the general idea that these activities are neither harmful nor beneficial to the organization on the whole (some of them boost morale while others just leech Internet bandwidth with no benefit to the company), come with a medium risk of security exploits (especially from the Adobe Flash and Oracle Java browser plugins), generally have a low to moderate impact on IT infrastructure, and minimal upside for the company (can benefit morale, but no valid business justification, strictly speaking).
- People who want to do things that are *actually harmful to the company* (downloading/viewing illegal content, acting as a malicious insider to compromise the IT environment, leaking product announcements, etc.) will take many of the same measures as people who want to do things that are more benign. This needs little explanation. I'll assign this category of activity the term "bad actors" for the sake of brevity, with the general idea that these activities are very harmful to the business, come with a very high risk of security compromise, have a major impact on IT infrastructure, and a very high downside for the company.
Skunkworks: Good for business, low risk if people know what they're doing, minimal impact on infrastructure, high upside for business if allowed to continue.
RL: Break even for business, low-medium risk if people know what they're doing, moderate impact on infrastructure, small upside for business (morale boost) if allowed to continue.
Bad actors: Terrible for business, high risk, high impact, high downside if allowed to continue.
Part 3: What I Think
Noteworthy is that the *technical means* employed by all three categories - skunkworks, RL, and bad actors - are very similar or even identical:
- Using personal devices to transfer information.
- Bypassing proxies or web filters.
- VPNs to outside networks from the work device(s) (if possible).
- Sites that *aren't* blacklisted, but that the company probably would blacklist if it knew about them.
The problem is that you lose the very significant upsides of skunkworks and (to a lesser extent) RL if you go to the ends of the earth in the quest to close potential spillage sources from the bad actors. You don't *really* think you can get your IT acceptance processes to be responsive and lean enough to work with skunkworks people, do you? Do you? Because think again. I've yet to see any company that can do it successfully.
There's also the principle best illustrated by Princess Leia in Star Wars Episode IV: "The more you tighten your grip [...] the more [leaks] will slip through your fingers." Basically, people are going to do skunkworks and RL things one way or another; if you close off all the legitimate ways for them to do it, they'll resort to desperate measures, and maybe even (intentionally or otherwise) spill some company secrets along the way.
Rather than crafting IT policies with the intent to say "no" to everything, instead companies should craft policies that are as open as possible, allowing employees great freedoms, while being agile enough to frequently update software (especially to implement security patches) so that users who are *not* bad actors will be secure in their web-browsing and video-watching. Deal with the people who waste too much time or are actively harmful on an individual basis. Those processes are self-limiting because those committing the acts will be fired for performance or disciplinary reasons anyway.
It's amazing to me that 90% of the IT organizations within large companies and governmental agencies still think that they can use a combination of strictly-written policy, fear, and a deep packet inspection firewall to stop people from slacking off at work or leaking company information. The fact is, you can't stop it; you're only hurting the people who would not abuse the privilege anyway, and would actively use it for good to benefit the company if your policies weren't so restrictive in the first place.
Sent from behind a restrictive proxy, while "defocusing" on personal time. I'll make up the time it took me to write this later in the evening, as always.