Motley Crüe never sang about this one

InfoWorld has a report about how smokers may be the weakest link in IT security.

Give me a break.

Piggy-backing and unlocked doors aren't peculiar to smokers; they're peculiar to employees with a lax attitude toward security. They're peculiar to employees who read the memo as yet another "unnecessary" security measure from some paranoid pointy-haired member of management.

I recall vividly the story of a man who lost his well-paying IT job in a local public utility because he brought his son to work one Saturday and the kid walked off with several corporate laptops.

So should we label employees who are also parents a security risk? After all, it happened once, it could happen again.

Face it - employees are your biggest security risk. Period. All employees. Whether they smoke, have kids, are disgruntled, are running IM, Skype, or viewing pr0n, whatever. They're a security risk both when they're using technology and when they aren't. Whether they're in the office or working at home, at a public kiosk or the airport - they are a security risk.

Some people take security seriously, others not so seriously. Unless you're willing to back up your organizational policies with decisive action, your policies on piggy-backing or locking doors merely give upper management a false sense of security, because they aren't effectively enforced.

People didn't start using strong passwords or changing their passwords on a regular basis until they were forced to do so by the technology. The policies existed, but since they weren't enforced, not everyone was compelled to comply with the policies.

Physical security policies are no different. Unless there's a way to enforce the policy, some people are going to ignore it. Unfortunately there are very few technological answers that force employees to comply with your "door locking" and "no piggy-backing" policies, so you're going to have to find a different way to enforce them.

We have zero-tolerance policies for pr0n and sexual harassment, and they should probably be extended to physical security. Implement a zero-tolerance policy for piggy-backing and open doors, then install some technology to capture on video the perpetrators of such heinous violations and apply the consequences.

People with children generally understand that discipline is ineffective as a method to modify behavior unless you're willing to follow through and apply the consequences of failure to comply. Security policies that fail to follow through and apply consequences are no different. People are just grown-up kids, and they've already tested the boundaries and found them flexible.

You can ban smoking on your premises and feel like you've accomplished something, but what's next? Banning lunch? Banning entering or leaving the building except at designated times?

Either enforce the policy with some consequences or don't. But don't go labeling a small percentage of your employees as "the weakest link" when the truth is that all of them are your weakest link.

Scapegoating is just another form of finger-pointing. And when you go pointing at someone, remember that there are at least three other fingers pointing back at yourself.

Imbibing: Mountain Dew
