Slashdot Mirror

← Back to Stories (view on slashdot.org)

IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)

Posted by msmash on from the we-knew-that-already dept.

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

5 of 296 comments (clear)

  1. User have been the problem forever by DarkRookie2 · · Score: 5, Insightful

    This is not new news. User have forever been a problem.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:User have been the problem forever by ewibble · · Score: 5, Insightful

      Yes a computer system without users would be very safe but not that useful. But the real problem is that systems themselves allow users do stupid things in the first place or provide no easy alternative. Here is an example:

      I want to download and run an application from the internet, seems like reasonably common thing to do. However how do I know it is safe? Search the internet OK, but there maybe fake sites saying it is safe or it maybe piggybacking on a valid program. Run a virus checker, well OK but it could be virus that isn't picked up by that checker, and the virus checker should run automatically anyway. But you need to run the program so you do.

      What would be nice is option like run un-trusted, which starts a VM automatically and runs that, checks that nothing bad has happened to your computer as well

      I believe the responsibility lies mainly with IT, we should make easy for the user to do what they need to do, we are the experts, we need to take responsibility for it. Yes it is hard and you cannot always fix it but we should always be trying and not just blame it on the user.

    2. Re:User have been the problem forever by Major_Disorder · · Score: 5, Funny

      A few years back I worked for a company that produced a network security device (Not saying who, NDAs are still in place) sticky notes on monitors with passwords on them were everywhere. We sent out multiple requests for them to me removed, and you can guess the result. We eventually got management buy in, and after more warnings, one Saturday we went around the office and removed every sticky note that even remotely resembled a password. After photographing the placement, and placing each note into an envelope, all were removed. I can still hear the echos of the screaming on Monday morning. :)
      The best part is two weeks later we did it again. Several people were found with new sticky notes. (One under the keyboard.) these people were given written notice that they would be terminated if it happened again. One person did not believe them, he was terminated for cause about a month later.
      I really enjoyed removing his accounts. :)

      --
      First law of people: People are generally stupid.
    3. Re:User have been the problem forever by skids · · Score: 5, Insightful

      It ain't the users. It's the products.

      They market themselves as easy to use and then ship with innumerable security holes and deficiencies. Half of them think they are in a living room with everyone in the same broadcast domain and spew exploitable multicast everywhere or want you to punch holes in your network to accommodate them. Cloud services tell users just put you data up here, no mention that they keep getting p0wned by leaving it up in unprotected mongodbs/repos accidentally. CDN-based apps with their thousands of IP addresses all shared by other services make L4 security filers impossible to define. Wifi supplicants and VPN clients which don't have any sane way to install, much less find, a corporate configuration profile that actually locks down the protocol sanely. Unmerited complete trust in DNS results. Self-help support operations that take opaque data dumps including PII, IP, and crypto keys over email to some outsourced support center who knows where.

      So its nearly 2020 and the bright side is you almost never see telnet servers in products anymore. That took decades. In the meantime we are inundated with new attack surface daily.

      90+% of all my problems, many of them security related, are because people want to use product X and product X is a dumpster fire. I don't blame the people for wanting to use it. It's what they were shown in an advertisement, and everyone they know is using it. I blame the manufacturers of product X for shipping crap.

      --
      Someone had to do it.
  2. And conversely... by herve_masson · · Score: 5, Insightful

    ...normal people think IT guys are just the worst, and they're both right from their point of view.
    What a scoop...