I ran across two articles today that are strangely related:
Proof: Employees don't care about security
Perimeter defence is not enough
Anyone who has ever worked as a sysadmin knows that the users are often the biggest security risk. User behavior is a lot like how water runs down a hill. The water will follow the path of least resistance. For example, if a user finds it easy to hook their music player to their work computer, they will. Corporate policy will probably have little effect on their behavior. It's also unlikely that training will help. Human beings do silly things, even when we know we should not.
The best way to keep people from doing silly things is to make it impossible for them to do them. This is technically impossible, but it doesn't hurt to try. Sane network design and an operating system with reasonable security are good first steps. Mobile users should not be allowed to connect their laptops to the internal corporate network, but there should also be nothing to fear if they do.