Users Aren't the Enemy - They're Your First Line of Defense


In IT, security is always at the back of your mind, ceaselessly reminding you how easily everything you've built can come crashing down around you. And if you don't feel this way, there's nothing like a company-wide incident to bring security sharply into focus. Info security in a large corporate environment is a diffuse thing, where audits attempt to determine levels of risk that can be accepted or mitigated, and "why do I care when there's a whole department dedicated to worrying about that stuff", right? As solo admins, we don't have the luxury of offloading security onto someone else's plate; it's a front-and-center responsibility that ranks right up there with making payroll and keeping the lights on. In a large corporation, it would take one hell of a security incident to bring the whole organization down, which is not to say that it can't happen, only that in terms of risk, total organizational compromise ranks fairly low in the hierarchy. For small and medium-sized businesses, a single incident - ransomware, server compromise, data thefts and leaks, etc. - could very well be a knockout blow from which the organization never recovers (this article from Inc. magazine provides some perspective). In today's fraught environment for the solo admin, a little peace of mind goes a long way, but peace of mind can be expensive and may not be in the budget this year. In this post, I'm going to talk about what I believe is one of the best uses of the limited resources we have available - educating and building a rapport with your users.

First, an aside - very early in my career in the late 90's, I worked on the internal employee help desk for Southwestern Bell (SBC) in St. Louis, before they became AT&T again. Some of the users were getting computers for the first time in their career and called in with the absolute simplest of problems - the "plug it in, turn it on" variety. My team - mostly guys in their early to late 20's - had a grand old time laughing at 30-year veteran linemen who didn't know where the power button was. One day my boss Lloyd (a 30-year veteran himself) countered one of my comments by asking how easily I would be able to hop in a phone company truck, climb a pole, and fix a citywide outage. Or take my self-assured ass down to the accounting department and knock out payroll for 50,000 employees, for that matter. My 19-year-old self immediately got his point; all of the users we supported had their areas of specialty and they shouldn't be expected to understand my job any more than I was expected to understand theirs. I've repeated that anecdote to coworkers and subordinates many times over the years because I think it's an important lesson - our end users, for the most part, aren't IT experts and we shouldn't expect them to be (in fact, the ones who think they are can be the most dangerous). That's what we're here for! That doesn't mean they're not going to do stupid things at times, but one of your goals as an admin should be to prepare for the worst while hoping for the best. I honestly believe that having a strong working relationship with your users is one of the single most important security controls you can implement and with that in mind, here are some tips I've learned to help build and maintain that relationship.

User Relationship Tip 1 - Open Door Policy

On my first day at my current job, I visited all 35 employees to introduce myself and emphasize the fact that my door was always open. I wanted them to know that I don't consider any question to be dumb or not worth asking. I also let them know that I considered them to be our first line of defense against ransomware, viruses, and all around bad shit and that I took all of those things very seriously. I made it clear that I wanted them to report anything suspicious to me so I could investigate. I've also made myself available if they had questions regarding their home setups too. That doesn't mean that they all get free PC support (I've had to draw that line a few times), but since my employer doesn't provide home equipment for every user I genuinely need to know what kind of equipment my users are running at home and what types of issues they're running into if and when they're accessing work stuff. Especially during Covid, many of my users needed to work from home and I had to make do with what they had. That also doesn't mean that I'll allow any random home equipment to connect to our VPN, as I'll discuss later, but even if they weren't doing work stuff from home, I didn't want them to be running virus-infected computers if for no other reason than for the good of the Internet at large. Plus, I wanted to get them in the habit of paying attention to what's happening on their computers so they'll notice when something is different. That can be the difference between stopping an infection at a single PC versus cleaning up your entire office. Finally, I tried to be as accessible as possible. If you're not a people person, work on becoming one. I've had users stop by my office to inquire about cryptocurrency, let me know they're now running a Helium mining hot spot, get my thoughts on what type of computer they should get for their kids going to college, and all sorts of tech-related stuff. By letting them know that I'm not the unapproachable "IT guru on the hill" that some admins turn themselves into, I've been able to be proactive about all kinds of problems - not just security related - because a user thought it was important enough to mention to me. That won't happen if they're afraid to enter your office.

User Relationship Tip 2 - Educate, Train, Reinforce

My dad tells a story about when he was asked to teach an adult Continuing Education college course in the late 80's on computer basics. At that point in the late 80's the computer revolution was just beginning to transform many occupations. This was before user friendliness, in the days of the command line and the floppy disk, and many of the folks attending his class looked at computers with a mixture of suspicion and trepidation. They were watching their jobs being taken over by a technology they barely understood and some of them were nervous and even hostile. The first night of class, my dad had everyone come up to the front of the class where he had a computer (at the time, very likely a shiny IBM XT) on a desk where all the attendees could walk 360° around it and see how the components attached. He explained to them what each component did, and after everyone had a chance to look, they returned to their desks, each of which was equipped with a computer, powered off. Lesson 1 that night was - very simply - "power it on". His goal was to take the "mystery" out of it by showing his students that while it was a complex machine, it was just a machine (insert car repair analogy here). By doing those simple exercises, he reduced his students' anxiety and made them much more receptive to learning.

Fast forward to the present and anyone who's worked in a business environment knows at least the basics of how to operate a computer. However, I'm continually amazed that even most high school and college age students have no clue how a computer actually functions - meaning, what's inside and what each part does. By the same token, you'll find that most of your users have almost no understanding of how email works, why ransomware is a threat, or why one web browser is any better or worse than another (or most likely, even what a web browser IS). It's absolutely imperative that you train your users. I've implemented an annual security training program that all users are required to attend and I supplement that training throughout the year by sending out short emails addressing threats that they may have heard about on the news or that I've been asked about. But in each year's class - much like the beginning of the school year for teenagers - I always reinforce the basics. I try not to go too far into the weeds, but I will pick one or two current threats or current news stories (ransomware has dominated for the last few years) and sprinkle them throughout the serious stuff: how to identify spam/phishing emails, how to pick secure passwords and store them in KeePassXC, how to spot bad/malicious web content, and what to do when something fishy happens on their computer (UNPLUG!). And the most important rule of all - report any suspicious occurrence to me. I try to keep the class to an hour with questions at the end and I've managed to get even the most meeting-averse users to pay attention. Bottom line: educate your users and train them by reinforcing that education throughout the year (especially informally through emails).

User Relationship Tip 3 - Don't Be a Babysitter

For most people (myself included), it feels very creepy to spy on your coworkers. Prior to this wonderful new era where remote work is common, small businesses tended to fall on one side of the fence or the other without a lot of gray area in the middle. Either everyone is in the office all the time or everyone works somewhere else (and maybe there isn't a physical office). My boss is old school - if you're not in the office, you're not working. When Covid hit, it upended this relationship. We were limited to 10 people or fewer in the office for long stretches at a time. People had to quarantine when they weren't sick. My boss and I discussed the situation and I explained it to him exactly as I'm explaining it here - don't be a babysitter. We settled on generating some activity reports from our internal project management application and a couple of Exchange 365 activity reports. Obviously not enough to track a person's every move when they're working at home, but enough so that you could tell if a person had generated any activity on a given day.

There are a few reasons why this tip is so important:

  • All that goodwill relationship building you've put in with your users will be worthless if they feel that you're spying on them. The old "just following orders" chestnut won't help you much when an "us versus them" mentality takes hold.
  • Trust plays a big role in any relationship - I'm asking my users to be my eyes and ears and report back to me when they see suspicious activity. No one's going to do that if they feel you're looking at them suspiciously.
  • Especially in small businesses, when a user isn't doing their job, it becomes obvious pretty quickly. We're trusting our managers to manage their staff, and we're also expecting them to trust their subordinates. If someone is at home and they step away from their computer for a few minutes, how is that any different than a user getting up from their desk to chat with a coworker, get a cup of coffee, etc., in the office? It's not any different and we should acknowledge that.
  • In the United States we already work too much. This is one example, but there are many other polls and studies showing that we work more hours from home, not less. Additionally, we're now invading our users' private lives more than ever. Cory Doctorow has a fantastic article on his blog about how surveillance in the guise of "productivity monitoring" has invaded our homes. This needs to be drastically scaled back.
  • Finally, people are resourceful. If you go too far with the monitoring and blocking, your users will begin to develop ways to bypass your controls. I would much rather my users browse Facebook on their lunch break on a system I have complete control over than to try and find ways to defeat that control. There's absolutely no need for an adversarial relationship with your users.

All that being said, this doesn't mean we're going to operate like the wild west. I monitor all traffic pretty extensively, my users' computers are locked down, and I aggressively block spam, executable attachments, and other types of malware before it gets to my users. Which leads me to tip #4....

User Relationship Tip 4 - Guide Behavior with Controls

After reading the previous tip you might be asking whether I'm advocating for a free-rein environment and that's absolutely not the case! I'm hoping that if you're reading this post you have the sentience to distinguish between technical controls and outright surveillance, but if not, here's the guide that I would use: whenever you're considering a new monitoring system or additional product to enforce corporate policy, ask yourself if you're comfortable with it being done to you. If it makes you uncomfortable it will make your users uncomfortable too. As a general rule of thumb, avoid any app that requires a user to be recorded - video, audio, keystrokes. That's creepy. Your controls should be as unobtrusive as possible. We use the wonderful Barracuda Spam Firewall for email filtering and I've been very happy with it. By default, you should block ALL file types and only allow the ones you think you'll use - PDF, DOC/DOCX, XLSX, PNG/JPG/BMP, etc. You'll find that there's generally a small list of extensions that are legitimate. We also spam filter pretty aggressively and I've trained my users how to add exceptions in Barracuda and/or request an addition to the global whitelist. At implementation we had quite a few adds all at once but now I add about 2 - 3 exceptions per month. I control our desktops and laptops with Group Policy and a hardening script that's part of our standard build. Finally, my firewall allows ports 80 and 443 out from the user IP block along with a couple of exceptions. All other outbound traffic is blocked. When my users connect to our VPN, I route all their outbound traffic through my firewall so I can monitor it. If you're serious about security, your posture should always, always, always start with "default deny" and go from there. Outside of those controls, I don't feel the need to spy on my users or log their keystrokes because I'm not the morality police and I could never hope to wade through all that data in the first place. I've taken intentional steps to limit the damage that could be done if something nefarious were to slip through and I choose to spend the rest of my time making sure that I could completely recover from a disaster - whether physical or digital - when it happens (not if).
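To make the "default deny" posture above concrete, here is an added example (my own illustration, not the author's setup and not Barracuda's or any firewall vendor's code) that applies the same rule to the two controls the tip describes: an attachment extension allowlist, and an egress policy that only lets the user IP block out on 80 and 443 plus a short exception table. The allowed extension list, the user block (a documentation range), the "couple of exceptions", and the TCP-only assumption are all constructed for the example; the post doesn't give those values.

```python
"""Default-deny decisions for an attachment extension allowlist and an
egress firewall policy. Added example; every list and address below is a
constructed assumption, not a value from the post."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed allowlist: the handful of extensions the business actually
# exchanges. Anything not listed is blocked (default deny).
ALLOWED_EXTENSIONS = frozenset({
    "pdf", "doc", "docx", "xlsx", "png", "jpg", "jpeg", "bmp",
})


def attachment_decision(filename: str) -> tuple[bool, str]:
    """Return (allowed, reason) for an attachment filename.

    Only the final extension counts, so 'invoice.pdf.exe' is judged as
    '.exe'; comparison is case-insensitive; names with no extension, a
    trailing dot, or odd characters in the extension are blocked.
    Note that matching on the name alone never inspects content: a
    renamed executable called 'report.pdf' still passes this check, so
    the gateway's content scanning remains a separate, necessary layer.
    """
    name = filename.strip()
    if not name or "." not in name or name.endswith("."):
        return False, "no usable extension"
    ext = name.rsplit(".", 1)[1].lower()
    if not re.fullmatch(r"[a-z0-9]{1,5}", ext):
        return False, f"malformed extension {ext!r}"
    if ext not in ALLOWED_EXTENSIONS:
        return False, f".{ext} is not on the allowlist"
    return True, f".{ext} allowed"


@dataclass(frozen=True)
class Connection:
    """One outbound connection attempt as the firewall would see it."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# Assumed user workstation block (RFC 5737 documentation range).
USER_BLOCK = ipaddress.ip_network("192.0.2.0/24")
# Web-only egress for the user block; TCP only is an assumption here.
USER_ALLOWED_PORTS = frozenset({80, 443})
# Assumed "couple of exceptions": (destination network, port, proto).
EXCEPTIONS = {
    (ipaddress.ip_network("198.51.100.25/32"), 25, "tcp"): "mail relay",
    (ipaddress.ip_network("203.0.113.0/24"), 3389, "tcp"): "vendor RDP",
}


def egress_decision(conn: Connection) -> tuple[bool, str]:
    """Return (allowed, reason). Order: explicit allows, then exceptions,
    then the implicit deny that catches everything else."""
    src = ipaddress.ip_address(conn.src)
    dst = ipaddress.ip_address(conn.dst)
    if src not in USER_BLOCK:
        return False, "no rule for this source: default deny"
    if conn.proto == "tcp" and conn.dport in USER_ALLOWED_PORTS:
        return True, f"web egress on {conn.dport}/tcp"
    for (net, port, proto), label in EXCEPTIONS.items():
        if dst in net and conn.dport == port and conn.proto == proto:
            return True, f"exception: {label}"
    return False, f"{conn.dport}/{conn.proto} to {conn.dst}: default deny"


if __name__ == "__main__":
    # Constructed sample inputs, including the cases the checks exist for.
    for fname in ["invoice.pdf", "REPORT.DOCX", "invoice.pdf.exe",
                  "archive.tar.gz", "setup", "notes."]:
        print(f"{fname:18} -> {attachment_decision(fname)}")
    for conn in [Connection("192.0.2.10", "203.0.113.80", 443),
                 Connection("192.0.2.10", "203.0.113.80", 22),
                 Connection("192.0.2.10", "198.51.100.25", 25),
                 Connection("192.0.2.10", "203.0.113.80", 443, "udp"),
                 Connection("10.9.8.7", "203.0.113.80", 443)]:
        print(f"{conn} -> {egress_decision(conn)}")
```

The ordering in `egress_decision` is the whole point: nothing is allowed because a deny rule failed to match it, and the UDP/443 case shows how an allowlist written for TCP quietly blocks QUIC until you decide, deliberately, to add it.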

Which leads me to the final tip....

User Relationship Tip 5 - Don't Be a Dick

This is good advice for your personal life too. It's 2022. There are hundreds of thousands of IT people in the world and you're not any more special or entitled than any of the rest of us. I exchanged emails with a PE-certified engineer this week who worked on components of the Apollo spacecraft. Unless you're THAT cool, keep it to yourself. I do my best to be humble and genuinely friendly to everyone I work with because they're my 2nd family. Your office may not be like that but there's no reason for snooty hostility either. In IT our main purpose should be to keep the business's technological parts and pieces running smoothly, utilize that same technology to improve productivity, and solve whatever problems our users and customers may encounter.