Most small or medium business and not for profit organisation have policies in place to protect, not only the organisation, but also the staff and users from cybercrime. Being human, we don’t want to follow these rules.
We like to circumvent them so that we can do what we like and when.
This is not a new phenomenon, but it has become more pronounced with the advent of the internet.
With the introduction of Bring Your Own Device (BYOD), ignoring an organization’s protective polices has gotten even easier and more tempting.
This anything-goes attitude is prominent among internet users.
For instance, here’s a statement it’s not uncommon to hear at an SME: “My organisation doesn’t have a wireless access point, so I added one to the network.” The person who makes this statement isn’t considering the security and privacy implications of their actions—they’re thinking about the convenience of being able to surf the internet on their Wi-Fi tablet.
Most people do not understand that putting in a wireless access point without understanding the cyber security implications is a severe problem for most organisations. SME’s do not have the robust and secure technologies that enable them to detect a rogue AP, and such an AP can remain on the network long after the convenience is forgotten. We recently did a site survey on a new client and found three of these devices on the network that management knew nothing about. One of them did not have a password, which means that anyone has access to the network.
What about cloud-based storage? Let’s say I want to work from home on a confidential document, so I install Drop Box and copy my super-sensitive document into the folder, and now I can work on it from home, on my tablet or even on my phone. Lucky me. That super-sensitive information that I was working on is seen by someone in a coffee shop, and it is now all over the internet.
Another thing that we have found is that all internal mail for a user can be redirected or copied to an external web server—Google, Yahoo or Hotmail. Once again, privileged and commercial in-confidence information can haemorrhage from an organisation because someone wants to be seen as important.
Now in most cases, an organisation has put in place a policy that was designed to protect them against this situation. But an isolated policy is not enough. In all organisations, cultural change has to be incorporated into every aspect of people’s interactions with technology. Maybe carrot-and-stick methodology will work—maybe just stick. Either way, to enforce a policy you need to change the normal culture of most internet users. That cultural change can be enforced with a set of policies, as well as technological solutions to reinforce those policies.
Businesses have many reasons for wanting to deploy policies to protect their security and privacy. Some businesses want to cultivate work/home balance; others have top-secret information or intellectual property that they want to keep inside the business. No matter what the reason, without changing the culture of the business, the policies might as well not exist.