Our end-user friends need an upgrade
“And here comes Technology, screaming ahead of the pack! Seems like no one can keep up with her, Bob.”
“I know what you mean, Jim. We’ve got Sys Admin trailing behind, trying to keep up. She sure does her best.”
“And then there’s End User. Way back there! Leaning up against a tree, smoking a cigarette. That guy really doesn’t know just how far behind he is, does he, Bob?”
“He sure doesn’t, Jim.”
For those of you that have been in IT since before it was called IT, you possibly remember the people that would say something like, “Yeah, I know just enough to be dangerous,” and then laugh. Because it was so funny when they broke things due to overconfidence. Problems that you had to fix.
One of our biggest challenges in technology management is born from this type of person still existing, combined with the fact that s/he is in a new, changed world—a much more dangerous one. A world where individuals and organizations alike are losing money, time, integrity. Under-education of users, careless computer usage, and lack of leadership to improve these things is resulting in far worse consequences than an eye roll from your company’s computer guy. Does your organization hold data that includes the names and addresses of children? Mine does. Being dangerous with the computer is not funny anymore.
For just a moment, I’m going to skip the part about the personal information of you and your loved ones being at risk. Let’s touch on financial risk. On October 21st, 2016, a double whammy DDoS attack brought down the internet for most of the East Coast. A botnet was engineered to take advantage of vulnerabilities in tens of millions of IoT devices. If we wanted to lay blame, some might point a finger at the assailants, stating that the attack was immensely complex. We might also consider the premiere victim, DNS services, and contemplate what could have been done on that end to avoid the attack.
If you research this event, one thing you may come across is blame upon the difficulty of changing default passwords. That is one useful perspective: don’t assume the skill level of end users. No argument from me there. But I’d like to present another angle that I believe to be equally legitimate and useful. If you never put the crutch away, you will always need the crutch. Largely, common users of technology have not been “taught to fish”. Those IoT devices can have the most robust, in-your-face, Credential Change Me mechanism ever, but the world is still wandering on dangerous ground when individuals don’t take charge of their own safety.
It’s hard to say what the economic damages were from the 2016 outage, but global damages were estimated at over $5 billion from just ransomware in 2017.
Here’s a recent bit from 60 Minutes on ransomware.
“Well, Jim, we can’t just walk onto the track and tell End User he’s in a race, can we?”
No, Bob. It wouldn’t be appropriate, or realistic, for me to go deeply into anthropological and psychological science. However, culture wasn’t created in college. Change starts with thinking outside the box, and is deployed when charismatic folk take action. We are leaders within our organizations, and have the potential to affect that culture. It doesn’t start with a mass email that will be deleted by 90% of recipients. And, no, it doesn’t start with a newsletter article, either. It starts with talking. Chatting with your users on their level. Discussing things they understand, like how there are sick people in this world that we don’t want acquiring personal information, especially that of our youth.
On the subject of training and communication, it’s important to remember that this “user’s level” I’m speaking of is not “lower”. Just different. In many cases, the end user truly doesn’t know they’re in that race. And often when we try to tell them how to keep up—to take precautions and self-educate—they think we’re paranoid, or that we should put them in a cart and push them down the track. The real challenge is showing people that information technology is not a thing that should always and forever be used by many and fixed by few, and that using devices should be as simple as pushing the buttons and waiting for it to do what is desired. We’re not doing users any favors by being the company computer guy, telling the person to “Move!”, then rebooting for them. If someone is hired to drive a car, and then say, “Oh, I’m not very good at this,” and expect someone to drive it for them, the employer will wonder why they applied for the job in the first place; if the employer is kind, they attempt some training. The personal computer is not new technology anymore. It’s been at large for over 30 years.
With both IoT and malicious internet activity accelerating, one of the most important upgrades we should be thinking about is an upgrade to the culture of technology usage. Let’s stop holding hands and walking people down the path, and start showing them the path. Show them the world they live in.
Take part in this conversation and many more at the 2019 Mountain Technology Symposium at Jay Peak, VT. October 2nd through the 4th.