Slashdot Mirror


IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

5 of 296 comments

  1. Re:We've forced our workforce to use advanced... by hublan · · Score: 3, Interesting

    This needs to be voted up to the heavens, where it can shine above the insular heels that come up with corporate password policies.

    Has it ever occurred to them that all those cracked-out, contradictory password requirements actually reduce entropy rather than the other way around? You can't come up with policies based on how you'd like people to act, you have to come up with policies based on how they do act.

    --
    My spoon is too big.
  2. Look in the mirror, what do you see? by az-saguaro · · Score: 3, Interesting

    No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.

    Many "stupid users" are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology that are handed to them by "the industry". The makers of the technology are quite savvy about such things. But, they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to accounting their taxes or fixing their car or managing their own diabetes.

    If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.

  3. Re:User have been the problem forever by Anonymous Coward · · Score: 3, Interesting

    What I hate as a sysadmin is when I do wander from my dark, trance music-filled office, I get ambushed by people wanting everything. I'm sorry, I cannot and will not teach you how to format a Word document. It's your tool, learn how to use it. Ditto Excel formulas, wanting me to troubleshoot your email on your phone (I will not touch personal devices), and it goes on and on and on. I hate dealing with end users. Just let me write my code on my servers and leave me be. It's not my job to educate you on how to use the tools you were hired to use. Watch a YouTube video on Excel formulas; you'll get further along with that than with me.

  4. Re: where's the lie? by Anonymous Coward · · Score: 2, Interesting

    Just print out and laminate individual password cards. 12 columns and 6 rows fits easily on a CC sized card. Users can stick them in their wallet. Make a bunch of different ones and let the users pick a card, any card, so you don't even know it.

    Need a password? Pick a starting point and go right/left/up/down, or Fibonacci it if you want to make your life difficult. If you force password changes, have them go down a row and follow the same pattern if they want.

    It's a really cheap, effective and simple solution. Even physical access isn't a complete failure like with a postit, because the actual password has 72 starting points, 8 bits of directionality times ten plus characters.
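
The card scheme from the comment above, as an added Python sketch (not the poster's code): it fills a 6x12 card from the OS CSPRNG, reads a password by walking from a start cell, applies the "one row down" rotation, and sizes the guessing space with and without the card. The alphabet, the wrap-around at the card edge and the function names are assumptions made for this example.

```python
import math
import secrets
import string

ROWS, COLS = 6, 12  # card size given in the comment (72 cells)
# Assumption: 73 printable symbols that most password policies accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"
# The four walking directions the comment names, as (row step, column step).
DIRECTIONS = {"right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0)}


def make_card():
    """Fill a card from the OS CSPRNG so that no two printed cards match."""
    return [[secrets.choice(ALPHABET) for _ in range(COLS)] for _ in range(ROWS)]


def read_password(card, row, col, direction, length):
    """Walk `length` cells from (row, col), wrapping at the card edge (assumption).

    A vertical walk longer than 6 cells revisits cells, so it repeats characters.
    """
    dr, dc = DIRECTIONS[direction]
    return "".join(
        card[(row + i * dr) % ROWS][(col + i * dc) % COLS] for i in range(length)
    )


def rotate(row):
    """Forced password change as described: same pattern, one row further down."""
    return (row + 1) % ROWS


def bits_without_card(length):
    """Guessing entropy in bits when the attacker has never seen the card."""
    return length * math.log2(len(ALPHABET))


def candidates_with_card(lengths):
    """Upper bound on guesses once the card is known: start cell x direction x length."""
    return ROWS * COLS * len(DIRECTIONS) * len(lengths)


if __name__ == "__main__":
    card = make_card()
    for line in card:
        print(" ".join(line))
    print("password:", read_password(card, 2, 5, "right", 10))
    print("after rotation:", read_password(card, rotate(2), 5, "right", 10))
    print("bits, card unseen:", round(bits_without_card(10), 1))
    print("guesses, card known:", candidates_with_card(range(8, 17)))
```

With the card in hand, the search is bounded by the start cell, direction and length choices (2,592 candidates for lengths 8 to 16 under these assumptions), so in that case the scheme depends on login rate limiting or lockout rather than on password entropy.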

  5. Re:User have been the problem forever by Major_Disorder · · Score: 3, Interesting

    Did you advise the client that their password policy may be too onerous?

    For those who would respond with "Just use a password manager!!!!" you've just violated the policy since all those systems now have one password. Also, little hard to use a password manager for initial login in areas that forbid any outside electronics.

    Nope, because their password policy was fairly lenient for a company with a security focus.
    We allowed and encouraged people to use password managers. I personally offered training sessions on a number of different password managers. (Almost no takers.)
    If they had written down their login password and stuck it in their wallet we would have had no problem with that. We were really going after the lowest of the low hanging fruit.

    --
    First law of people: People are generally stupid.