Wednesday, July 14, 2004

Employee abuse?

I'm not sure which definition of that I mean, yet. InfoSec Writers has an article which describes company losses due to employee abuse of corporate information resources. The article talks about controls and policy but I don't feel that it's taken everything into account.

Policy controls and monitoring are good for security, up to a point. If the controls and monitoring are so overbearing it can have a degrading effect on corporate productivity and security as, past a certain point, it will be held in general contempt by all, including management.

Your security policies have to be enforceable and, above all, realistic. Allowing some personal use of e-mail and some surfing during break or lunch time improves the situation a great deal.