More often than not security related stuff gets shelved “for later”

@ths: I agree with what you say, and I applaud your IT department for doing the WPA2 thing.

Oh, and it’s not like we have people refusing to use VPN. It’s just that there is no explicit policy that forces VPN use. If there is a policy, we can enforce it. If there is no policy, we can write it up and suggest it and then the powers that be can either approve it or shelve it pending on how much is it going to cost in implementation, how much training will be required and etc..

More often than not security related stuff gets shelved “for later”. So in other words apathy towards security from up top results in a sense of apathy towards security reforms from IT and general state of complacence.

I still cannot understand why people are allowed to break security policies and come away with it. If the VPN is slow then IT department has an issue to fix it, but accepting the employees to willingly circumvent rules that are there for a reason is not a negotiable solution.
It’s so strange that people consider rules subject to their personal discretion.
And as for the airport WIFI: if it’s not WPA2 I wouldn’t even be able to connect with my company laptop to it, since it’s locked down to only allow WPA2.

@Allan: What do you mean? I figured they would be in the same boat. Bigger ISP’s would offer webmail solutions (eg. Squirelmail). Small and local ISP’s would probably do things the old fashioned way.

I’m not saying POP and SMTP will go away completely. I’m just saying that major ISP’s might phase them out completely and replace them with webmail, and most users won’t even notice. Small ISP’s are a different matter.

uhh..
hmm..
have you ever considered 3rd world countries?

I guess I am part of the happy few who don’t have that kind of problem at all. Everything we do at work is accessible through HTTPS and our company e-mail are sent via IMAP server. For me, it is irrelevant to whether I am at home or at the office…

I remember the big phase when Google began supporting it.
And people were all skeptical about whether or not they could do it.

@Zack – that’s what I believe will happen for a lot of small companies. They will reluctantly switch to exchange to avoid the hassle. And yeah you are right – exhcange will work in a lot of places where regular SMTP wouldn’t. But it too can be firewalled. Gain, I had employees in places where ALL outbound ports were closed and the only way to brows the web was to use the company’s HTTP proxy server.

Unfortunately excel is not always the best solution. Let’s face it – POP+SMTP is essentially free + maintenance cost of the linux boxen that run these services.

Exchange is maintenance + licensing fees + the windows tax. No matter how you cut it, it is more expensive. And it is yet another chain Microsoft can yank whenever they want more money.

I’ve seen some people switch to Zimbra. In fact I know a guy who works at a company that used to offer cheap POP+SMTP and Exchange hosting to small business sector. They are discontinuing the plain POP+SMTP service and replacing it with Zimbra.

I’ve surprised no one has mentioned this at all…but what about organizations using Microsoft Exchange? You mentioned the OWA (Outlook Web Access) but not the Outlook over HTTP/S or Outlook Anywhere (as it’s called in Exch. ’07). My computer uses this and it works amazing, no VPNs needed. My office computer, my home computer, my traveling laptop, and my WM based phone are all sync’d up together. Granted this may not be AS secure as a VPN, but it works through the HTTPS protocol, so you don’t have issues with ports being blocked and you have a secure connection as well. It’s essentially using Outlook Web Access through Outlook (if that makes sense). This solution is used by many companies that I work for.

Yes, the real world of corporate IT policy, IT use and working reality is far richer and more complex than it appears from outside. And it’s often more complex than it appears from the point of view of the IT policy makers on the inside. IT may make policies regarding how data are protected and how email is sent, etc., but employees, especially field employees, have to get their jobs done. It’s not uncommon to look at the VPN logs to find that the only time a field employee used it was when he or she was being given the training on how to use it. Out in the field, they have to find other ways to do their jobs.

One of Loa’s customers put it to me this way recently (I’ve edited a bit to protect his identity)

I work virtually (I live in [one city] and my company is in [another]). … I do not like being logged into the vpn all day because it slows my computer down, and attachments are painfully slow. I would like to use Outlook, though, vs. web mail because of its extra features.

That’s just one example of what I mean by the rich and complex reality that people face in their working lives. It means that unless the IT policy is built on the right tools, important email that has to go to customers now when the sales person is in the airport lounge is sent via an airport WIFI connection in clear text and originates from bigdaddy69@hotmail.com, or stored on a Google server somewhere being mined by Google’s software, all because the VPN didn’t work from behind that particular firewall. When confronted with this breach of IT policy, the sales department’s (correct) response is “Did we want the order or not? And if the answer is that we didn’t want the order, are you going to pay my missed commission?”) Meanwwhile, the CIO and the CEO are signing off statements to regulators warranting that the company’s intellectual property was appropriately protected at all tiimes during the preceding quarter.