There have been some interesting discussions about the economy of security. The experts often say that security needs to be the focus of everyone in an organization, from IT to data entry. After all, some of the serious public breaches occurred when proper security procedures were in place, but just not followed.
Which to me brings up the interesting question of exactly why the rank and file employees should go out of their way to do anything about security. For many, it just doesn’t seem important, because in the end it’s Other People’s Money to them.
Barring losing their job, does the average Joe really care if their CEO gets called on the carpet because of a high-profile breach? Do they really care if downtime causes a loss of productivity in someone else’s department? I was thinking about those questions when I read about employees who are having to sue to get paid for the time they spend booting their computers up in the morning.
I won’t comment on the lawsuit itself, since I don’t know enough about it. But think about this: if you are a company that won’t even pay for the time your employees spend booting your PCs, do you really think they are going to care about security policies?