An old adage in computing[1] is along the lines of

"if it's fast and ugly they'll use it and curse you. If it's slow, they will not use it"

Since this book has been in priint for nearly 20 years (and the phrase pre-dates it by some time), you'd think that the people who produce security "features" would've twigged, that slow features are no features - as people will disable, subvert or otherwise work around them.

If you want to implement security features - and all of the listed reasons for lapses have a technical solution, then the first rule must be to make them transparent to the user. He/she must not be aware of them, they should not interfere with the users' goals, or response time or as the wise man put it, they won't be used.

[1] The Art of Computer Systems Performance Analysis - Jain, 1991

of the No S**T Sherlock award is.

But a business needs to "empower" their employees by training them in the art of war that is working with digital information (does not only matter about content, personal, financial, CAD drawings, etc .. its the context that also makes them valuable).

Businesses (and politicians) need to understand all the issues of data handling .. i.e. the whole data lifecycle model .. how it is created/captured, how it is stored, how and by whom it is accessed and how it is destroyed. Understanding the relationship between data and how it is used is as fundamental these days as understanding how to build, ship and sell physical items .. data is no different, except it is much easier to lose copies of itself. We protect gold shipments differently to nappies and for good reason .. information is no different, appropriate controls at all stages in its lifetime is a must.

I work with Data Classifications, RBAC, encryption, lost and stolen laptops, PCI, DPA, you name it and it is clear that people want to "do the right thing" but they need both the carrot of helping their company not go down the pan due to a data breach and the stick of being fired if they fail to apply the *published* risk management policies.

So engage your staff and tell them why data is valuable to a business and why they (and you) will lose their jobs if they are caught following bad practices ... but please do actually ensure that you TELL your staff and keep telling them at regular intervals! And in these days of plausible denability ensure that you have immutable audit logs of all data handling transactions (that is where the technology can help 8-).

I work in IT support for a large London council ....

Bloke logs a call about his laptop problem, he brings it into us.

I find written on a piece of paper inside the laptop bag:

- The disk encryption password

- The local user username

- The local user password

- The URL for our VPN (also in his IE favorites)

- The user name for the VPN hardware token

- His password for the VPN hardware token

- Instructions on how to access the VPN

- The guys Network username

- And his password right into our network

And,- The actual Hardware token was in the bag as well!

Unbelievable!

I'm afraid that more than 90% of the people that I deal with just don't give a hoot, whether or not the laptop is their property or their company's. They throw them around, leave them on permanently, while attached to a power supply and leave all manner of data displayed on the screen.

As for malware, forget it. Most of them have heard terms like virus, trojan and adware but don't have a clue what they mean or how they are contracted. They are ordinary, non-technical people who have been given this lump of equipment for them to write letters or enter some sort of data. They are not interested in how the thing works, it is just their job to use it. If it gets infected, it is just broken. If it gets stolen, they will just have to ask for another one. After all, it's only a bit of old electrical equipment.

...think they own the computer any more than they own their desk or phone. They don't have admin access, they don't install stuff, they don't configure it, any more than they empty their own bin or fix the taps in the washroom themselves. It's IT's job.

That helps in preventing them from bypassing security features.

Encrypt. Configure the encryption so that it locks the device if it hasn't talked to the server after a given number of days. That ensures the thing's connected to the corporate network from time to time and gets the patches and AV updates you're forcing out.

Treat breaches that can't be locked down (like the bloke with the bit of paper detailing all the passwords (we've had this too)) like any other corporate security breach - official warning on the record via HR. Mandate the use of encrypted USB sticks only, and use widely available software to lock the machines to only accept these.

Lots you can do. If you suggest all that and senior management throws it back in your face, point them to the possible consequences. And when you have to take the network down to clean all the viruses off which their refusal to follow your advice has let on, refer them back to what you told them. They won't like "I told you so" but they might take a blind bit of notice in future.

Oh, too complicated to collate evidence? They will want to go to tribunal? Costs money to implement such measures? They claim not to have read their employment contract and the companies policies? They are ignorant of the Data Protection Act? (no defence for anyone?)

Start sacking, fining and jailing people .. yes make examples of them ... and then you might see incidents lower for a bit ... got to keep it up though because people are human and suffer more bit rot than your average Windows installation.

As Melchet would say "shout, shout and shout again". (Thank you Darling)

Implementation of the rules is not an IT issue .. its a business issue and no different from requiring people to correctly do their timesheets, performance reviews, expensive (sic) claims, health and safety training etc.

"Security is everyone's responsibility" should be the corporate mantra.

it's worse than that.

If the lappy gets infected, they have a good reason for not doing any work. Don't have to wait for the next (thin) covering of snow: "Sorry I couldn't submit my report on time, the laptop got a virus - yes I'm still waiting for the IT people to fix it. They say it could be days before they get to it." So now it's "bloody IT, why don't they pull their fingers out and fix my people's problems". While the indolent desk-jockey spends their days annoying their colleagues (thus preventing them from working, too" or "works from home" ahem.

Better yet. Didn't like the paltry pay rise? Get you own back & "lose" the laptop. That it appears on ebay the next week and makes up for the rise you think you should've got is immaterial. Or if the newbie gets a new, wizzy laptop and you want one too, well the same applies.

Oh yes, while I'm at it. @I got one two weeks ago ...

Just so's you know. *All* the users do this, all the time. You just discovered one, single instance.

It's shared responsibilities really. The first responsibility is with IT to implement security policies and enforce them in a way that doesn't get in the way of the user. As an example, where I currently work, the standard laptop install includes a BIOS password (setup so that the password is also required to come out of hibernation or reboot), full disk encryption, automated user file backup and a proxy that forces you to go through VPN if you want to access the internet from a network that is not the company's network. We are also all issued with a security token to access the VPN or some web enabled services from any computer. Accounts are locked up with standard priviledges. You can request temporary admin priviledges but you have to specify why. None of this really interferes with actual work so there is no real incentive to bypass it.

There are other things that you could consider doing, such as:

- issue employee with an encrypted USB key (such as an IronKey: www.ironkey.com) and tell them that if they want to transfer files on a USB key, they have to use that one, no personal key allowed => you enable them to do what they want but on your terms and in a secure manner

- use features like the "guest session" on Ubuntu 8.10 so that they can let someone else use their laptop temporarilly in a restricted session that is wiped out when finished

Of course, with such a setup, there are a lot of things a user could do, such as:

- leave his laptop on the train,

- burn important data to a non-encrypted CD and forget that CD in the pub (does anybody know of any software that is easy to use that can produce encrypted CDs?),

- write down all his passwords on a post-it note stuck to the laptop along with the security token

And that's where you should educate your users. Make sure the policy is clear and easily accessible. Then make sure all employees know why the policy is in place and what are the consequences of not following it.

At the end of the day, it's the usual conundrum of giving users the possibility to do what they want, while being in control of what they can do.

Everyone here is griping about the ineptitude and lax attitude of users. Bollocks I say. This boils down to incompetent management. Management often has a lax attitude about security until it bites them in the rump, at which point they round on the IT department.

This is typically the part where half the IT department quits in frustration after years of being told by that same management that they were being "too paranoid" about issues like security.

The problem really boils down to usability. Users, management, even most admins don't want to have to remember 50 different passwords, their context, the user and domain they run under, etc. etc. etc. It's just a tool people use, and until the security portion of it becomes a problem, most will wonder why bother with it?

Thus this has become a multi-fold issue: myopic management who don't want to hear what they consider doom-mongering from their techs, techs who can't or won't make security simple and easy, and users who are unwilling or unable to understand that they should be treating access to information as something worthy of more complex consideration than a hammer or wrench.

Rest assured however that IT will always take the blame. You know you work in IT if you have no authority to do anything, and all the responsibility if it goes wrong. Especially if it is actually someone else's fault.

It's realistically up to the end user. Yes those of us in the position of making the policies, dishing out the hardware, issuing passwords, etc etc need to do our part. And make sure that in doing out part we try to instill in our users the importance of maintaining security. That ranges from doing our best to ensure best practices in terms of physical security, software/hardware hardening, encryption, and user training. However at the end of the day we can't follow the users around, cant prevent them writing passwords on sticky notes, or as one person posted above receiving a laptop with "the keys to the kingdom" inside the bag.

There is only so much we can do and ultimately the onus for the security of a laptop or any other portable device that might contain information you're company wants to keep private is on the person issued said device.

Just to add mine to what I'm sure will be a litany of horror stories. Last year I was contracted to integrate PGP desktop into the systems in half a dozen offices of an international stock brokerage firm. I had no more gotten done with one office than I had to go back to another one of their offices to complete installation on a laptop that a user had not brought in. As I'm walking back to this persons office I see nice formatted word doc on everyone's desk which had in letters big enough to see with a passing glance from several feet away their PGP log in credentials, local computer username and password, as well as their public and private key pass phrases. I asked the local IT wonk about it who cheerfully showed me what he had knocked up. Said document also had instructions on how to log into their VPN (including their credentials for VPN log in) and other internal systems which would give anyone who picked up that paper access to the personal financial information of every client (read thousands of clients) in that office. He had made it up for one bitchy user who didn't see the need for all this "computer security nonsense" then in a stroke of sheer stupidity made up one "cheat sheet" for every user in the office.

Thus is the perils of security at the hands of spineless IT people and end users who think that there is no reason to protect the most sensitive personal and financial details of their clients.

Please see earlier comments about transparency.

Whoever designed a scheme requiring three usernames and four passwords should be nailed to the door of the IT department as a warning to others who fail to consider their users' needs.

(I assume that you also mandate long passwords, full of funny characters, with monthly renewals).

If you honestly believe such conduct "unbelievable" then you're in the wrong business.

Anyone faced with that many things to remember will always resort to pencil and paper.

Have a single username/password for EVERYTHING. No exceptions.

Make the password immensely strong and impossible to remember.

Change it monthly.

Hand them out to users, written on a $100 bill. (Or even larger depending on the value of the data being protected).

Anyone who hasn't lost it by the end of the month gets to spend it once they've got the next one. That should ensure they look after it.

Anyone who writes it down anywhere else, or who's password is found to have been written down anywhere else (implying that it was inadequately guarded), is fired instantly. Even the boss.

the reason to can put multiple pepol in to is there are times I need to see who else it was set to for example a email about problem spreading over our mobile vpn and accounting system I need to see it has been sent to just me (vnp) or me and our accounting systems expert and if not I need to email him

"Laptops are not securable."

Of course they can be, silly ... This one is. But then, this user knows what he is doing.

"Stop with the nonsense already."

Ain't gonna happen. Can't sell advertising without entertaining the GreatUnwashed.