I was having an interesting conversation tonight on Twitter with Rafal Los about OSes and security. Rafal was talking about the difference between home users and enterprise users and the fact that maybe we needed two different OSes, one for work and one for home. His thoughts on it were very interesting but I ended up disagreeing with him. I boiled it all down to a very simple statement: “There’s no difference between your Mom and the 2nd floor admin.”
We spend a lot of time in the enterprise developing solutions and working hard to make sure that our solutions are secure. We talk about security controls in hardware, OSes and software that we can utilize to secure the work we are doing on them. We do our best to make sure malware and viruses stay off of them, and we encourage our users to be careful when they receive mail with attachments or when they are on the Internet. It’s a valiant effort, which almost always fails, but it just leads those in security to try harder and develop software to protect us even better.
At the same time, we have all those home machines out there. You know the ones: you helped set up Mom and Dad’s new computer. You made sure you put anti-virus software on it, you set up a malware blocker, you probably even made an image of the drive so that when they inevitably called you it would be easier to fix. You may have even installed remote software on the machine so that you could help them if they had a problem. Let’s be serious though, “if they had a problem” really is only a question of when. It got so bad in my family that my wife bought me a t-shirt that said “No, I will not fix your computer” that I had to wear every time we visited my parents or my brother for 5 visits in a row.
It’s no different than the help desk technician who has to go down to the 2nd floor admin’s desk and fix their computer every now and then because it became infected. It could have been through email or the Internet, but it also might have been that USB drive they brought in with their grandkids’ pictures that they wanted to turn into the work screensaver. It’s never a question of if but rather when you will have to go fix it, and depending on whom they are an admin for, how quickly you need to get it done.
The problem is we believe that these two people, your mother and the 2nd floor admin, are fundamentally different, and we sometimes forget that they may be the same person. We think that because we have these security people who try to take advantage of the security controls built in, or who create new ones to use, that we can protect these systems.
Fundamentally this just doesn’t work. It has actually gotten worse because of the consumerization that has gone on in the home that gets brought back to work. What we like to refer to as the Consumerization of IT (CoIT) is really the ‘ITization’ of the consumer, where they are now learning how to take care of their own problems and becoming their own IT. They may have faster Internet at home, they certainly have as good or better computers than the enterprise provides and let’s not forget that they do more with their computers now. They watch movies on them, access Twitter and Facebook, do their grocery and holiday shopping online and oh yeah, they do email too. They know a lot more about technology than they did 5 years ago. You can no longer bullshit your end users.
When these same people walk into work, they want to know why they can’t get to all the same resources that they can get to at home. Why, when they take a break from work, they can’t browse their Facebook page or shop for that item they needed. They may just want to check little Johnny’s or Susie’s grades on the online school portal. They also know that if you decide to block that stuff they can just take out their phone and do it, or even better, set up an access point from their phone that they wirelessly connect their computer to, since that gives them a bigger screen.
There’s a lot that the enterprise can do to educate people, on everything from policy to just basic Internet skills. They can lock down desktops and network connections, and put intrusion protection into place. The one thing that the enterprise has to remember is that they are dealing with one person, that mother who is the admin on the 2nd floor. They have to remember that complexity makes people tune out, and they have to make sure that their message and methods can be easily understood because they are simple and straightforward.
The truth is, “No, I am not going to fix your computer” because my Mom is the admin on the 2nd floor.