There was an interesting sideline during yesterday's briefing on security in small businesses.
Walter Scott, the CEO of GFI, who had sponsored the survey, was speaking about some of the security issues that were facing small businesses and mentioned, in passing, that one of his employees was copying all his work emails into this Gmail account. The employee, who was described as a top salesman, was doing it for perfectly innocent reasons - because the Gmail search was better than the Outlook one - but the action was highlighted as the sort of thing that can leave a company vulnerable and an example of the sort of thing that savvy companies would stamp out.
While it's true that the copying of information to a webmail account is a clear security risk, I can't help feeling that GFI was missing the point. The question I'd have been asking is why as a company, we were using an email system that was so cumbersome that employees were going to the effort of cutting and pasting into another system rather than use it. And I fully understand that employees' actions because I've done exactly the same thing myself.
GFI (and other vendors) are right to be concerned at the number of security breaches caused by employees breaching the system but I do wonder how many more could be avoided if corporate IT systems were more receptive to their users' needs. I once worked for an organisation that standardised on a global email system that seemingly had been designed by some dsiciple of Torquemada to make employees' lives miserable; consequently, we as employees did everything we could to avoid using it - so a great amount of communication was carried out by webmail - not great from a compliance point of view, but probably very efficient from a productivity view.
There are two issues here: one is that the world of work is changing and the proliferation of social media sites such as Facebook, MySpace and Twitter is causing a host of security problems for companies. GFI's Walter Scott had the simple answer "Ban them. Stop people from looking at them". although that doesn't sit very well with the way that companies are being exhorted to use such social media tools for marketing purposes. And then, there's the increasingly blurring together of personal life and business life and the ramifications that has for securiity provision. There have been much debate lately about the impact Generation Y employees will have in the workplace and how to make best use of them; it's not an issue that's going to go away.
The second issue is the way that employees are treated. A GFI manager was telling me about one case that the company had to deal with where an employee who had been repeatedly passed over for promotion managed to sabotage a company's entire network. Again, something that became a security problem was caused by ignoring a particular grievance that an employee had - something that could have been dealt with easily.
The financial climate could protect companies from a lot of employee problems (although the rising rate of unemployment might well cause problems in itself) as workers will be reluctant to leav employment and won't be prepared to rock the boat too much, In a few years, however, the market is going to shift and companies are going to have to adapt to keep their workers. GFI's survey illustrates some important truths about the lack of awareness among small businesses and there's clearly an educational process to go through - but that shouldn't blind us to the fact that there's also a good deal of work needed to ensure that a company's employees are fulfilled and have the best IT tools to work with. The best employers will take that into account - the worst are storing up problems for the future.