Worthwhile?

In the Monday, July 30 edition of The Wall Street Journal, there was a special section on technology that led with the article Ten Things Your IT Department Won't Tell You by Vauhini Vara. If you haven't read the article, you should take a look because some of your users may have have already seen it, and as a result they may be engaging in activities that put themselves and your IT department at risk.

The Journal Report front page for Monday, July 30, 2007

NetOps ResponsibilityThe Network Operations (NetOps) division is responsible for the overall patch management implementation, operations, and procedures. While safeguarding the network is every user's job, NetOps is the division that ensures all known and reasonable defenses are in place to reduce network vulnerabilities while keeping the network operating. This responsibility includes the tasks detailed below.

Here is the list of the 10 items in Vara's article:

1. How to send giant files
2. How to use software that your company won't let you download
3. How to visit the Web sites your company blocks
4. How to clear your tracks on your work laptop
5. How to search for your work documents from home
6. How to store work files online
7. How to keep your privacy when using Web email
8. How to access your work email remotely when your company won't spring for a BlackBerry
9. How to access your personal email on your BlackBerry
10. How to look like you're working

Vara breaks down each item into four sections — The Problem, The Trick, The Risk, and How to Stay Safe.

Make no mistake, this article was extremely popular. The Wall Street Journal publishes its list of the Most Viewed and Most Emailed articles on WSJ.com for each day, and for July 30, "Ten Things Your IT Department Won't Tell You" was one of only two articles that made the top five on both lists. It was No. 1 on both.

Sanity check

The problem is that the information in this article is unequivocally damaging for businesses and their IT departments, as well as for the users that The Wall Street Journal is supposedly trying to serve.

While I am generally a fan of The Wall Street Journal — and their tech coverage is typically rock solid — I was very disappointed by this piece. Although it did not reveal any information that couldn't be found elsewhere, I don't like the fact that the Journal spoon fed a bunch of dangerous tips to users and all but encouraged a quiet revolt against the IT department.

A few of Vara's tips are fairly inocuous, such as "How to send giant files" and "How to clear your tracks on your work laptop." In fact, many IT pros could pass those items to users along with some tips of when and how to use them. The large file issue can ease the burden on e-mail attachments and storage and the "clear your tracks" tip can be turned into a good privacy and security practice.

However, several of the other tips are dangerous to the point of idiocy, especially "How to use software that your company blocks," "How to visit Web sites your company blocks," "How to search your work documents from home," and "How to access your work email remotely when your company won't spring for a BlackBerry."

The issue of showing users how to access software and sites that the company has filtered is a recipe for disaster. Often the stuff that is banned is banned because it can introduce spyware and malware to the system or it can bog down the computer and/or the network. When users find ways around that, they introduce significant security and privacy risks to the company and they can potentially decrease their own productivity by clogging up their machine with spyware and adware.

In terms of "How to search your work documents from home," Vara recommends using Google Desktop to sync documents between a work PC and a home PC. That might be okay for a few consultants and small businesses, but it's a terrifically bad idea for anyone in the corporate world (The Wall Street Journal's core audience). The implications for privacy, confidentiality, and compliance are severe and very serious, especially if any of the files involved contain customer or finanacial data. Plus, there are easier ways to handle the issue that preserve security, such as a VPN connection and Remote Desktop from a home PC to a work PC.

And then there's the issue of "How to access your work email remotely when your company won't spring for a BlackBerry." Forwarding work e-mails to personal e-mail accounts and devices — as the Journal article advises — is another potential disaster waiting to happen. It raises the same issues of confidentialy and compliance because when you forward all mail, it is very likely that you'll end up sending customer data and corporate financial information to your personal accounts.

While the Journal article ostensibly shows some responsibility and restraint by including sections on "The Risks" and "How to Stay Safe" for each of the ten items, the author either does not fully understand all of the security and compliance risks involved or simply chose to make light of many of them. Either scenario is a strong indictment against the article.

The compliance issues, while mentioned in the article, are much more serious than Vara seems to realize because they can expose a company to major financial risk (in the form of fines, lawsuits, and legal fees). Likewise, the security issues are much more serious thatn the Journal article presents them. Hackers have gone professional (and in some cases joined forces with organized crime) and are out there looking for employees and companies to steal data from and use for blackmail or money laundering. The TJX security scandal could serve as a sober warning to that effect, once all of the details come to light.

While users often get frustrated with the IT department and the restrictions that it puts in place, the answer is not to train people how to make an end run around IT. In many companies, there's already too much of a disconnect between IT and the rest of the organization because of the fact that IT often plays the role of a policeman — to serve and to protect.

The root problem that The Wall Street Journal was trying to address is that many users want and need to do some personal computing on their work machines and/or access work apps and data from their home machines or devices. That's a reality that businesses and IT must face and must come up with some workable solutions.

Since many of today's users access their e-mail and work during "off hours," it's certainly reasonable that they should also be able to do a little bit of personal computing during company time. There simply needs to be a safe and relatively easy way for them to do it. Some companies have solved this with separate virtual machines, using VMware or Virtual PC or a Web-based solution like G.ho.st. Other solutions need to be explored and big players such as Apple and Microsoft, as well as small vendors with creative solutions, need to all be involved. This will be an important part of the next generation of operating systems, devices, and a borderless information security strategy.

For The Wall Street Journal, which depicted itself as a "public trust" during its recent acquisition tug-o-war with News Corp, fueling a turf war between IT and its users is not the kind of journalism that meets the high mandate that it has set for itself.

For IT departments, the genie is out of the bottle on many of these tips and tricks that allow users to circumvent IT procedures. As a result, IT departments need to aggressively partner with employees, educate them on the severity of security and compliance risks, and find ways to meet the needs of users whose computing experience now overlaps between work and home.

What do you think about The Wall Street Journal's list? How do you think IT can help users bridge work computing and home computing while still maintaining data security? Join the discussion.

Tags: Security, Wall Street Journal, Information Technology, Compliance, E-mail, User, Jason Hiner