/24-7PressRelease.com/ - March 7, 2005 - DETROIT, MI — A certain Michigan company is moving into a new building, and most of its employees, including everyone on its IT staff except the department's manager, have been reassigned workspace in what might be called a cube farm.
Several long rows of small cubicles fill a vast open area that evokes images of a large, bustling call center. The cube farm affords no privacy. Its half-walls allow employees to easily see over the shoulders of the persons seated left and right of them and overhear just about everything those near them say in a normal tone of voice.
Credible research consistently shows that "insiders" - for example, disgruntled employees and script kiddies with network access - pose one of the greatest threats to data integrity and network security. Regardless, the company's executives also placed its systems administrator, programmers, and help desk personnel in the cubicles rather than shared or private offices.
Never mind that the sys admin is responsible for securing the company's business-critical data and information systems.
Neither does it matter that the sys admin and help desk personnel spend hours on the phone with employees, customers, and vendors discussing passwords, permissions, data access, system configurations, and security settings.
Moreover, it does not make a difference to the executives that the code and commands to which the developers and sys admin have access could end up in the wrong hands and be used to devise attacks that bring the company to its systemic knees, or worse.
To the minor degree that the executives are concerned about such issues, they simply instruct the IT staff to find ways to work securely while being made one of the weakest links in the corporate security chain.
One can only guess what it means to work securely in an environment so conducive to breaches. Perhaps the IT staff should clear and lock their desks in addition to their workstations whenever they go to the lavatory, lunch, or a meeting as well as before they leave work at the end of the day. They might also forward all confidential calls to mobile phones and step away from the cube farm to hold these conversations.
More offices would have cost the company more. However, given that information security is no more than a buzzword bandied about whenever it is time to "pass Sarbanes-Oxley," relegating its IT staff to the cube farm could one day cost the company more than it ever imagined spending on anything.
For companies truly serious about protecting their technological assets, physical security must mean far more than installing alarms and stocking secured showpieces many still call server rooms.
IT staff, especially sys admins and application developers, must also be seen as physical bridges between essential security devices and measures and the proper maintenance and management of that security infrastructure.
Companies must place IT staff and not just IT stuff under lock and key.
richard jones (www.iamrj.com) is a systems administrator and freelance journalist.
# # #