When you don’t educate your users…

I work at a partnership instead of a corporation, which has its pros and cons. One of the cons is the power the partners have over the local IT departments. For example, we have HIPS software on our laptops and all of the partners have laptops. However, when the HIPS software attempts to interact with some partners, they come down hard on the local IT departments to ‘fix it.’

What’s happened is in one particular office the IT director is scared shitless for his job and because of that he’s become the ‘yes man’ for the partners. Whatever whim they have, he does everything he can to entertain. For example, when the HIPS software prompts the user with a question, the partner calls the IT department demanding that it be fixed and the IT director pees himself like a little yip-yip dog happy to see his abusive owner come home. What the director should do is explain to the partner that HIPS software is not an exact science and needs some thinking done for it. Otherwise, by removing all user interaction, the number of legitimate actions being blocked will increase and the effectiveness of the software diminishes.

The situation was created mainly because we weren’t allowed to train the partners on the software because they’re just too busy. They were never told what to expect from the software, how to react to alerts, or even what safe computing means. Every time there’s a HIPS alert we’ve indirectly trained the partners that it’s malfunctioning and needs more tuning.

The recovery from the problem has to be a slow process of re-education. It needs to be explained to the partners that just because the HIPS software is alerting them to something doesn’t necessarily mean it is malfunctioning. It could indeed mean that there’s a threat to their laptop that the HIPS is protecting them from. They need to be taught how to protect their data and how to leverage the HIPS software to do so.

The challenge is to figure out how to do this for type “A” personalities who really don’t have much time to sit down and listen to a boring discussion about laptop security while they could be off making money.

Michael,

I completely sympathize with you on this. I’m in a similar situation at work where the CIO has the attitude of the IT Manager mentioned. When an Exec barks he jumps and has the rest of us doing the same. It’s really kind of sad to see.

And yet again the users are the issue. More than that it sounds like your boss is the issue. HIPS tuning is very customized to individual users, and as long as the users aren’t expected to tune their own security systems then they’ll always have poorly tuned systems. Sounds like you really need Cisco’s new Backbone for Managers. Great product I’ve heard.

That’s exactly what we need, but only if it comes with the new Smartcard decision-making module.

Two things.

1) I dislike that exec-level mentality that someone else will do things for them or they are too important to bother with some things like training. Some of these guys have the most important computers and data in the company, but they typically have the least security (usually self-induced). Props to any exec-level person who admits they don’t know best judgements all the time but do realize they have some pretty important goods in their email store.

2) I wish I had a solution to this, but I really do not like the alert-based security of things like personal firewalls and HIPS. Those features for alerts are for: a) people who know how to read them and b) consumers who make decisions. I don’t really want my execs making decisions on an alert-based protection on a laptop. It should be answered for them for the most part.

Of course, not every product will do that, and like you mention, that means you will either have too loose or too tight a security stance unless you’re amazingly lucky. :\

Yep. Your second point is an excellent one. Alerts ARE for people who know how to read them and it’s something that has troubled me for the last few months. That is, does the user really know how to react to a given query?

That’s why I’ve tried to keep the queries as clear and concise as possible. Like ‘are you installing software?’