The World According to Mitch

The day to day ramblings of an IT Professional (and so much more…)

Bypassing IT: A REALLY bad idea.

Wow. I just read an e-mail that made me lose a lot of respect for one of the most respected publications in the world of journalism: The Wall Street Journal (www.wsj.com).

The article, Ten Things Your IT Department Won’t Tell You, outlines several (would you believe 10) issues that employees encounter with corporate systems, and how to get around them.  I encourage you to read the article, but here is the list:

  1. How to send giant files
  2. How to use software that your company won’t let you download
  3. How to visit the web sites your company blocks
  4. How to clear your tracks on your work laptop
  5. How to search for your work documents from home
  6. How to store work files online
  7. How to keep your privacy when using web email
  8. How to access your work email remotely when your company won’t spring for a Blackberry
  9. How to access your personal email on your Blackberry
  10. How to look like you’re working

This article was shared by one of my LinkedIn contacts recently, and if you are looking for proof that the article is outdated, all you have to do is look at the items that list Blackberry and not mobile devices – since very few companies are still on the BB platform.  As a System Administrator and self-proclaimed IT Fascist (there are two ways to do IT – my way, and the wrong way) I nearly fell off my chair when I read the list, as well as the mitigations and risks that are outlined therein.

Let me be honest… as an IT Pro I don’t care if you ‘look like you are working’ when you are not. While there may be consequences for the company, they do not generally affect my bailiwick.  I also don’t care if you try to cover your tracks on your work laptop.  Frankly I think it is a good idea to keep your system as clean as possible, and anything that I need to track should be tracked at the server (cloud) level, which the end user is not able to touch.

Now that I have cleared two of the listed items, let me say this clearly and for everyone: When you came to work for the company, or sometime thereafter (when I or an equivalent me came to implement policies and procedures for the company) you signed a document that is called IT Usage Policies, or something else with the equivalent meaning. It is a document that your HR department has on file somewhere, and it is a legally binding document with your signature on it.

I don’t know what your company’s policies are… they can be as vague or as detailed as your company’s legal department felt necessary, often based on various certifications (ISO, FISP, Sarbanes Oxley, etc…) that your company tries to comply with. It might say something as vague as ‘All systems provided to you by the company are the property of the company, and are only to be used in accordance with the company’s IT policies,’ or it may be as complex as a twenty page document written in legalese with bullet points and sub points and sub-sub points.  Whichever it is, there is a very good chance that anywhere from five to eight of these points are fireable offenses… and at least a couple of them could actually be criminal offenses that could land you in jail.

Yes, that sounds pretty severe… but if you send confidential corporate documents outside of the firewall so that you can access them remotely there is a case to be made (and it’s not a stretch) that you are involved in corporate espionage. If your company does not want you to access your e-mail (or any other corporate information source) remotely it is often not because they are too cheap to spring for a mobile device, but because they want to ensure that any sensitive corporate information does not leave the relative security of the corporate systems.

As a Systems Administrator I have designed the company’s infrastructure to be as secure as the company is willing to make it. Sure, there are some websites that I do not want you to visit because the content is inappropriate, but there are others that inject Trojans and other malware into your system that infect my systems, and can destroy the integrity of our systems.  In most companies the systems are like an egg… we have hardened the outer wall with firewalls and intrusion detection systems, but because you have asked us to make them as useable and friendly as possible the inside is more like the insides… soft, and vulnerable.  So if a particular website is blocked by my systems don’t try to bypass my systems!

Unless we have a specific policy guideline for it (and you have a valid reason for it) there is no reason you should bring your own personal device in, and if we have a policy that you can only use sanctioned and licensed software we have a reason for that too… one of those reasons is that if you bring unsanctioned software in we are responsible for the license (and therefore the license violation).  We would also be responsible for keeping it properly patched, which we cannot do if we don’t know it is there.  We don’t let you install software on your own not because we don’t trust that you know how to press <NEXT> <NEXT><NEXT><FINISH>… we don’t let you do it because there is more to installing software to that.

If you have a giant file to send, ask me for help. There is a good chance that I have implemented a sanctioned way to do it.  Any other way… remember that corporate espionage thing?  Same thing… in or out, I need to be able to see what is going out and coming in.  Out, because you may inadvertently use a system that is not secure and compromised, In because if you want to bring a file into the company I need to make sure it is not compromised, not a virus or malware or anything else.  I don’t want to take your word for it, I want to scan it.  Don’t take it personal, it is not that I don’t trust you… it is that I do not trust anyone, and for that reason I don’t bypass the systems that I don’t want you to bypass because I don’t trust myself either.

When you joined the company (or sometime thereafter) we may have issued you a mobile device. If we did not, and if we did not give you a talk about BYOD (Bring Your Own Device) then there is a very good chance that you do not need to access your data or e-mail during off-hours.  Because of that do not try to check your e-mail on your own device.

I don’t know what your job is. You may work in HR or Sales or Marketing or in Widget Production, I don’t know.  It is not that I don’t respect what you do – I really do.  However I need for you to respect what I do too.  My job is not only to provide you with the IT tools you need to do your job – that is certainly part of it.  However the other part is protecting the company from hackers, data loss, and all sorts of other things that you probably don’t need to consider… but please know that I cannot do my job properly if you go out of your way to circumvent my systems, and I grant you that there are workarounds for a lot of my procedures.

You might get away with it… you might even do it safely. However if I do discover that you are doing this expect to be called into your manager’s office for a good talking to… and depending on several factors know that you may be joined by a security guard who will be tasked with taking your credentials away and escorting you from the building.

Advertisement

Mitch Garvis

2 responses to “Bypassing IT: A REALLY bad idea.”

  1. Don Thomas Jacob (@DonThomasJacob) Avatar
    Don Thomas Jacob (@DonThomasJacob)

    Agreed! On another note, Blackberry is in the list because that was what enterprises were crazy about in 2007. The article is from 2007.

    Reply
    1. Mitch Garvis Avatar
      Mitch Garvis

      I know… I thought I mentioned that in the article? -MDG

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

%d bloggers like this: