I was at work yesterday and I made myself my usual morning cup of tea. On the way between the very cumbersome sugar bowl and the cup I managed to spill almost the entire teaspoon of sugar on the counter. Thats a lot of sugar. And a though went through my head - picture a tiny little version of me sitting on my shoulder dressed in red looking like a devil. "Walk away. Noone will know and someone will clean it up." A little angel popped up and told me differently and I did clean up the sugar but while I was finishing the cup of tea I wondered what factors did I take into account before thinking "naaah." And because I am always thinking Information Security (except at home - I love my family) how can I use this unexpected bit of evil in me for good.
When I spilled the sugar there was noone in the kitchen with me. Noone and I am sure about that. I was not being monitored and I know that too. Had there been someone there or just the possibility of someone there I would not have hesitated to clean up the sugar.
There is always some sugar on the counter because not all of it goes into cups - the sugar bowl is too tall. It is accepted that a bit of sugar on the counter is the norm and no-one feels bad spilling a bit of sugar, its almost expected. So, how much is too much?
There are cleaners that work in the kitchen and they would have cleaned up the mess eventually - if no-one else did first. So, the mess would have been cleaned up.
And lastly, I didn't have anything to clean the mess up with. I went to get a piece of paper and scooped the sugar onto the paper with my hand. And then put it all in the bin, but there was no tool for me to use that was designed for the job.
Another thing to consider, perhaps, is that its not my sugar or my counter. Maybe if they were I'd have been more careful.
Now, InfoSec. If your users are abusing your network it may be because
- You are not monitoring them correctly
- You are monitoring but allowing small indiscretions through.. where do you draw the line?
- It is assumed IT or someone can fix the issues arising from stuff like installing Spyware etc.
- They don't have the training or the software in place to help them be secure.
- they don't feel security is their job and the company's data is not their asset.