When it comes to fuckups, IT is usually the last guy to get the hot potato, and they’re expected to save the day.
Any time a user screws up, the IT department is EXPECTED by upper management to save the day. If they don’t, it is (rarely) the fault of the employee; it’s the fault of the IT department for not anticipating such a need, or not being available at a second’s notice, or simply not being able to save someone else’s bacon. Oftentimes we’re asked to perform miracles.
It sounds reasonable, until you cross professions. Someone drives off the company driveway, crashes their car into a tree, and the car bursts into flames. Do the facilities people get in trouble for not anticipating the employee who leaned over to pick up his cell phone off the floor while driving, and for failing to install a nice big inflatable barrier along all the roads? Of course not. Yet IT departments are expected to back up everything known to man and are expected to resurrect deleted and/or overwritten files.
Another example: it’s 4:55pm and FedEx comes at 5:00pm to pick up a package that is going to The Big Client. The employee has procrastinated working on it, and goes to print at 4:57pm. There’s something wrong with the printer or their system. Guess whose emergency it becomes? Guess who gets screamed at on the telephone? Guess who gets reamed by the CEO because the package didn’t go out? Usually the IT department. “Why was the printer broken? Why couldn’t you fix it?” …not, “Bob, why did you wait until 5 minutes before your deadline?”
Then there are security breaches due to stupid people. Here’s a way to fix this:
Education and consequences.
Nobody takes security seriously because regular staff thinks that the IT guys are there to clean up the messes when they occur. What they don’t understand is that the IT department is not there to be a janitor or babysitter. The IT department is there to provide the information infrastructure to enable the company and to ensure the company’s information security. That doesn’t necessarily include end users.
My personal philosophy is that end users should be punished severely for security breaches. Sure, the IT department will fix the problem, but the person who clicked on the link (or opened the email) needs to pay a price for their behavior; otherwise they will continue to do it. Nearly every company has an IT AUP (acceptable use policy). Nearly every company says that you can be disciplined, including termination of employment, for violating the policy. Yet I have never worked at a company where day-to-day infractions (even those with security risks associated with them) were punished. Sure, every once in a while someone gets fired for surfing porn, or when their misuse of the system affects their ability to work (goofing off online for hours), but who gets fired for forwarding chain letters with Flash animations in them? Nobody.
This absolutely has to change. If you had a receptionist who let random strangers in to wander the halls of your building, she would be disciplined and probably canned. If you have a receptionist who forwards chain letters, clicks on suspicious links, downloads spyware and causes virus infections, the odds are nothing will happen to her.
Company officers think Information Security means securing the company with a firewall and looking out for hack attempts. They still don’t take Information Security seriously, and until they do, the rank-and-file won’t either.
Education alone is not going to do it. Education that is reinforced with consequences will.