Who is Responsible?

Take the case of a recent network infection we assisted in cleaning up.  An employee clicked on a link in an email from a friend (not a work associate) that was a video of some celebrity.  This led to a file download and a trojan our company had to clear up.  So whose fault was this?

The Business – Maybe they should have spent more money to put in better protections to prevent this?  The business is liable, after all, for what happens on its company-owned equipment.  They are also responsible for protecting employee and client information.  But that requires people to be held accountable, and when they don’t follow the rules they should be terminated.

The IT Department – Maybe they should have trained people better or configured something to prevent this?  IT is responsible for the security on the network.  This requires the business to spend the appropriate amount of money on technology and training.  It also requires employees to participate in training classes.  IT has to clean up the mess at a cost to the business so someone should be held accountable here too.

The Employee – Maybe she should be responsible for her actions and for doing this on company time?  I find it rare that HR actually holds employees accountable for actions that violate company policy.  It is my observation that many organizations have strict practices outlined in their employee manual but rarely enforce them.  Employees often think they are a joke.  They never receive training from the IT department because it is not a priority for the business.

The Government – Maybe they should step in and oversee all of our security needs as businesses and individuals?  It would just be better that way, right?  Trust our governments, who never get hacked, to protect all of us.  Maybe we should also give them our admin passwords so they can log in whenever necessary.  Would that be okay with you?  Why stop there?  Software manufacturers could build in backdoors so the government always has access to everything on our network.  That way they can step in if individuals drop the ball.