IM is a good example of an app that users love but isn’t necessarily good for business. About a decade ago, IM began to appear in corporate environments, installed and used by end-users without IT or administration approving it. Heck, IM vendors went so far as to create firewall-evading install routines to ensure their IM products would intentionally circumvent IT-initiated firewall policies. IM has even been incorporated into a few corporate communication products.
But for the most part, it’s a complete waste of time for most businesses. Employees aren’t sending IMs to other employees and partners about business issues. It’s mostly a way for employees to conduct more private personal chats on company time without being seen connected to a telephone all the time.
IM worms and viruses are still gaining popularity. P2P programs regularly publish confidential files to the Internet. Illegal music downloads are, well, illegal, and they use copious amounts of network bandwidth. I love to play online poker, but maybe it’s not the best use of my company’s paid time.
How many of your employees during the past 12 months have been buying and installing GotoMyPC without your knowledge? Take a look -- you may find out that the employee has been accessing his or her computer desktop from home for weeks or months. How convenient. No security issues there, right?
If we could trust employees to only install nonmalicious and productive applications, it would be good for the company. But most users will download junk and malware. In general, end-users can’t be trusted to make appropriate risk decisions. Let them trash their home machines instead.
It’s like a company car: You probably can’t repaint it, jack it up, or add a nitro tank to the fuel system. That doesn’t stop you from driving it anywhere you want to go, though. You might drive faster with a nitro tank installed, but you’ll blow out the engine a lot more quickly and end up on the side of the road or needing a tow. If I prevent you from installing the nitro tank, you’ll travel a lot further without a breakdown and will get more accomplished over the long run. Many companies don’t mind you using the company car for personal business as long as you don’t wreck it. Why can’t it be the same with company-owned computers?
What those who say my primary defense stifles innovation and creativity don’t understand is that blocking the installation of unauthorized software actually leads to more, and faster, innovation.
Yes, I make a living from installing inadequate, doomed-to-fail-several-times-a-year, expensive computer defense solutions and fighting the computer bad guys, but I’d love not to have to do it. Really. How wonderful would our lives be if we actually spent more time helping end-users be more productive? Instead of showing an end-user how to be more innovative with their computer, I’m troubleshooting to find why it’s so slow, removing adware and spyware, reinstalling, and fighting rootkits.
Denying all unauthorized software by default leads to more innovation, lower costs, and fewer complaints. The people rallying against this recommendation haven’t tried it.
But if you simply can’t justify denying all unauthorized software by default, consider creating two classes of end-users. The users who “get” computer security -- and don’t install stupid things -- can have free rein. But the 98 percent of your users who’ve just gotta install that free screensaver or free game should be locked down.
If you still disagree with me, tune in next week and I’ll show you where you fit into the Grimes Hierarchy of Computer Security model.