Re: Astonishing? @ Spartacus
That's it exactly! I guess you said it better than I. People, generally, just don't care about things that aren't directly connected to their work or family. I certainly wasn't trying to imply users are dumb and IT people are smart. I've been around long enough to know those generalizations aren't remotely accurate.
Many professional adults not in IT, particularly those higher up the food chain, often look at computers as a, sometimes, helpful tool but they don't actually need it to do their jobs. The second it becomes any sort of inconvenience they will act to remove the 'problem' and get on with their work.
In the late 1990s the company I worked for did a fairly large study of 200 big firms, and their staff, and found, among other things, that people were far, far more security aware with their home computers than they were with company computers. As well as the reasons why. I'll tell you what we found then address the broader point.
Staff generally don't value corporate data because they don't know how the company works, or business in general actually. They know what their company makes, kind of, but don't understand how that actually turns into a paycheck for them, just that it does. For example, which of the following things would cause the most damage to your company if it were stolen?
a) Customer details, including bank and credit card info, home addresses, email address & account password.
b) Customer pricing schedules.
The answer is (b), but the breakpoint was really interesting. General and technical staff almost always say (a), and management, sales & marketing say (b). You can fix (a), whereas (b) may very well put you out of business and will certainly have you in court for years. Those lawsuits won't go anywhere, pricing parity isn't a legal requirement, but you'll still have to deal with them.
That isn't a 'fault' on anyone's part, it's just that those without vested interests in maximum company performance don't care and/or don't understand what's actually important. While that is a perfectly understandable, and valid, way to feel about 'the man' you work for, it presents a whole mess of security concerns. In life or death situations, people on the same team have a really good reason (a bunch of them actually) to make sure everyone is doing as they should. If it's just a paycheck, people have a different value system and, contrary to popular belief, salary doesn't mean anything. Security issues aren't significantly impacted by money either way. Maybe all staff should carry guns! Keep everybody fresh!
Contribution valuations do cause problems though. It makes no difference who you ask, that person's role is the lynchpin that keeps the entire company going. Obviously, that isn't remotely accurate, I've yet to see a successful company that would collapse simply because you disintegrated 50% of the staff. That's not to say what people are doing is useless, not at all. That's to say what they're doing isn't as crucial as they think. Before anyone gets defensive, the same is true of the senior management (if you disintegrate them the company might collapse, but more from shaken investor concerns, not because the CEO knows the business so well).
There's nothing much to do about any of that. You can't make people care, or understand how things work and where their paycheck actually comes from. People all the time say 'I would care more if they paid me more' and they think they mean that, but they don't. I've been through an IPO and everyone in my department was suddenly a millionaire and not one fucking thing changes except the level of drama created by an angry employee who is suddenly rich. They'll stay logged in to everything, they'll put sensitive stuff on USB drives and leave them in a prostitute and they'll print out a list of all their passwords/usernames and leave it in the suite your Russian sourcing guy arranged for them.
It's just human nature. They don't care. I've found it easier and cheaper to accept that and roll with it than try to change people's behaviors. You can't change them actually, only they can do that. Don't get your hopes up on that.