J.B. are you able to say who you work for at all (email in trust)?
It's just that I've been dealing with one company a lot lately, and had some interesting meetings with another, so I'm just a little curious.
No worries if you can't though.
I look after everyone's general I.T. needs in my company. The company probably has a better security policy for its computers than many others, but it always seems that the end-users are so poorly trained to begin with that it's impossible to give them advice, as they are so set in their ways (or more likely don't give a *Fully star out swearing!*).
Well if you have a good policy, and it is not being adhered to why aren't there consequences? No point having a policy if there's no penalty or enforcement.
Whoever is responsible for managing either the IT security, or, if you're small and don't have a specific security function, IT in general, should be providing user education on security issues.
It's no good expecting users to just put a security hat on and think about things like that themselves; they won't, and to a small extent it's not even their responsibility.
Super weak passwords. Like 'password' is the password, or the username is the password!
Are you using Active Directory? What does your security policy state about passwords and their length/complexity?
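As an added illustration (not code from anyone in this thread), the check below models the classic Active Directory "password must meet complexity requirements" rule set: a minimum length, no account name inside the password, no three-or-more-character token of the user's full name, and at least three of four character classes. It is an approximation written here for the example, not AD's own implementation, and the sample accounts are constructed; the two cases from the post above ('password' as the password, the username as the password) are the first two samples.

```python
import re


def password_meets_policy(password: str, username: str, full_name: str = "",
                          min_length: int = 8) -> tuple[bool, list[str]]:
    """Check a candidate password against rules modelled on the classic
    Active Directory 'Password must meet complexity requirements' setting.

    Assumption: this mirrors the documented AD rules, it is not AD's code.
      * at least `min_length` characters (AD's own floor is 6; the domain's
        minimum-length policy usually raises it, 8 is used here)
      * does not contain the account name (case-insensitive)
      * does not contain any token of the user's full name that is 3+ chars
      * uses at least three of four classes: upper, lower, digit, other
    Returns (ok, reasons) where reasons lists every failed rule.
    """
    reasons = []
    pw_lower = password.lower()

    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    if username and username.lower() in pw_lower:
        reasons.append("contains the account name")

    # AD splits the display name on separators and rejects any 3+ char token.
    for token in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(token) >= 3 and token.lower() in pw_lower:
            reasons.append(f"contains part of the full name ({token!r})")

    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        reasons.append(f"uses only {classes} of 4 character classes (need 3)")

    return (not reasons, reasons)


# Constructed sample accounts (not real credentials) covering the cases in the thread.
SAMPLES = [
    ("password",    "jsmith", "John Smith"),   # 'password' is the password
    ("jsmith",      "jsmith", "John Smith"),   # username is the password
    ("Smith2024!",  "jsmith", "John Smith"),   # contains a name token
    ("Tr0ub4dor&3", "jsmith", "John Smith"),   # passes every rule
]


def audit(samples=SAMPLES):
    """Return {password: reasons} for every sample that fails the policy."""
    failures = {}
    for pw, user, name in samples:
        ok, reasons = password_meets_policy(pw, user, name)
        if not ok:
            failures[pw] = reasons
    return failures


if __name__ == "__main__":
    for pw, reasons in audit().items():
        print(f"{pw!r}: {'; '.join(reasons)}")
```

Running it lists the three failing samples with the rule each one breaks; the same logic is what a domain-side policy enforces at password change time, which is the point of asking what the policy states rather than relying on users to pick sensibly.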
Sending credit card details / bank details via email.
Again, as someone mentioned, depending on your business and the context this could be rather important in terms of PCI.
Never keeping their computers up to date: Windows updates, new software versions etc.
Ok, unless you are a very small organisation and management of a user's machine is delegated to them, this is NEVER the user's responsibility! This is an IT issue, and if you do indeed manage IT then it's your responsibility imho.
The scariest part is many staff show no interest or knowledge in basic security practices but all own computers at home which they use for online shopping. I imagine many of their home machines have no anti-virus or firewalls and no Windows passwords set up at all, plus weak passwords for other online services.
The normal attitude is 'it will never happen to me' (ID theft, bank details stolen etc.)
Surely prevention is better than cure?
So what is your business doing with regards to information security awareness? If you don't try and educate people then they aren't going to learn, especially not off their own back if they don't have to. You said earlier you have security policies in place; how are these enforced? Is there a penalty for non-compliance?
I always think you've got to be into computers to have a computer (and be safe)
In the workplace not at all. The computer is a work tool, a piece of equipment that facilitates a job to be done.
It's the job of IT to manage things for them, and hence why you have a job
We had a user lose their BlackBerry recently so have forced users by prompting them to add a password. I have had several people moan already that every 5 mins they need to re-enter their password.
The security is not there to make life easy, it's there to protect the company's best interests.
Why would companies run a BES and not have their handhelds with passwords + encryption switched on? Security is one of their selling points
And the 5 minute thing can be configured easily so it's either a configuration issue or user related
Go tell them to read the CESG recommended config for a BES and then ask them what are they complaining about