06.21
The Recap
A male was caught urinating behind a vehicle. He told police he could not find a restroom. Police advised against repeating the behavior.
The Lesson
I just couldn’t pass this story up after I read it while looking for a police blotter to comment on. The funny thing is the correlation hit me immediately. Despite knowing they shouldn’t do it, end users install things on their work computers that aren’t always approved. The problem usually stems from a need to complete a task for work that cannot be easily achieved with the tools they have. We all know why this is bad. We have to protect our assets (physical and intellectual) not only from malicious software, but also from software that causes unexpected behavior on the computers.
The question you need to ask becomes “Is the process I have in place to get items approved too complex?” Sure, you will have those people who will install anything if you let them, but many times there is a perceived benefit to the person’s work performance. So do we make the process as simple and straightforward as possible when the need arises? Do end users have a clear sense of who they need to contact and what information to provide to make the case? Are end users advised of the steps needed to validate software for use, and are they kept notified during the process? When a request is denied, is an effort made to work with end users to get them the tools they need?
If you answered no to all or some of the above questions, you may see where the gap has been created. Taking into consideration the reason your organization exists (usually to make a profit), you need to ensure policies don’t make you a hindrance. Well-defined policies that both support employees’ job functions and meet security needs are the best. Take a look at your policies and procedures and make sure they are clear. Educate employees not only on the hazards of unauthorized software, but also on the benefits of working to get software authorized. If they see the process as friendly to their needs, they will begin to use it. Poorly written policies and poorly executed procedures are like putting up portable bathrooms and not maintaining them. If they are disgusting, people will just go someplace they are not supposed to, like in a bush or behind a car.
This doesn’t mean you will always approve every request. However, if you take the time to educate end users on why you couldn’t approve their request, they may better understand what other tools they can use and be more willing to follow procedures going forward. It’s worth a try.

