Effective identity management begins with your employees
Expensive identity management products are worthless if your employees are careless
Security: Identity Management Alert
By Dave Kearns, Network World, 12/03/2008
Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
Jeff Bohren works on change management systems for Sunview Software but he still likes to talk about identity management - it must have been all those years he spent at Access360 (before the IBM buyout) helping to craft Directory Services Markup Language (DSML), among other things. He and I don't always agree about identity management issues, but Jeff said something the other day that really resonated with me.
In his Identity Blogger blog last week he mentioned a recent lawsuit he'd read in the Law Journal. According to the article: "During the past year, several companies, including AT&T Inc., UnitedHealth Group Inc. and Cigna Corp., have been hit with lawsuits in which employees claimed that they were not paid for the 15- to 30-minute task of booting their computers at the start of each day and logging out at the end."
Bohren’s point? “…if you are a company that won’t even pay for the time your employees spend booting your PCs, do you really think they are going to care about security policies?”
Think of people you know in your own organizations – or other organizations you’ve been a part of. When they feel slighted, don’t they start “liberating” office supplies – and more? If they feel no compunction in, essentially, stealing directly from their bosses, why would they feel the need to protect the company’s assets?
Even more to the point, perhaps – if those employees feel they are being penalized for following good security practices (such as not getting paid for their logging out time) won’t they try to circumvent the onerous tasks?
We should all be familiar with the problems reported at France’s Societe Generale. One of the problems was that the time pressures exerted by the organization compelled the employees to share accounts and passwords in order to more quickly complete trades – the corporate culture, inculcated from the top, overrode the sensible security practices.
The old proverb is that one should not be “penny wise and pound foolish.” That is, you shouldn’t cut corners to save a penny and then allow large expenses (such as data breaches or insider crime) to eat up the profits. Take a look at your own organization. You might have the finest authentication and authorization services that money can buy, but unless the employees are conscientious in using them and unless the organization is encouraging good security (not mandating it, but encouraging it – perhaps even rewarding it) then you might just as well have spent the software licensing fees on a trip to Vegas.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (2)
Know who you are dealing with
By Allan Milgate on December 7, 2008, 6:32 am
Actually effective identity management begins with the trust relationship established between employers and employees at the time of providing them with their work...
Ethics
By David Kearns on December 8, 2008, 11:41 am
Good points, Allan.. -dave