The Role of the End User

Nothing much new here, but just to underscore the critical nature of education, enforcement, and effective action:

http://www.informationweek.com/blog/main/archives/2007/12/we_need_to_talk.html

John Soat talks about how end users take untold liberties with IT policies and probably take them as suggestions rather than mandatory rules. It's quite complex as to why this happens -- it's quite clear that they probably know what they're doing is wrong, but just not *so* wrong that they shouldn't do it.

See, the issue is that many of these areas are left in the gray part of 'can do or must not do' policies. And worse, I'm willing to bet that 99% of employees have NO IDEA what constitutes proper 'secure' behavior and what constitutes a violation of company policy and thus their employment contract.

Along with continual education, the only other way to make sure that corporate data doesn't leave the network is by using software to track the packets and ensuring they are not sensitive. To do that you'd have to get one of those 'anti leak' DLP software modules (like what Vontu/Symantec does) and establish clear demarcations between acceptable and non-acceptable information leaving the network.

Any practical ideas from readers?