Personal Responsibility at the Desktop
“Who’s the nincompoop that clicked on the malware that kicked this catastrophe off?”
Virus and malware outbreaks typically cause us to revisit our usage of Windows local administrative rights. In a nutshell, local admin rights serve double duty: they are a requirement for certain critical applications and, at the same time, the scourge of IT Support.
One approach to keep malware from attacking a device is to “lock it down”, that is, to remove local admin rights so that the user can’t install anything on it. This approach has its advantages because it protects users from the negative consequences of their own actions. This is similar to web filtering where we keep users away from harmful sites. Standard tools in the IT Security arsenal, right?
The problem I have with employing blocking technologies as the sole deterrent is that we do two things:
1) We imply a lack of trust, whereby we are further viewed as “big brother”.
2) We create a nanny security environment where users assume no responsibility for their actions (for what they click on).
While blocking technologies are important and necessary, I strongly believe we need to cultivate another, farther-reaching approach: personal responsibility and consequences. Before you call me naïve, consider this: Is it better to instruct our teenagers about the dangers of alcohol consumption or should we prominently lock the liquor cabinet and call it a day? Clearly the healthier and more sustainable answer is the former. (Having said that, there are certainly times when we may have to resort to the latter!)
I propose educating users on what they can and cannot install. We don’t want them installing games and we don’t need them to help us update their virus scanners. In fact, we don’t want them to install anything without the consent of the Service Desk. If, after this simple education, a user decides to install something, we will impose simple consequences. If it takes 30 minutes for a technician to remove Google Earth, then the user will forfeit 30 minutes from their paid-time-off (PTO) account. If they click on something that requires a 2-hour reimaging and reconfiguration of their device, they forfeit 2 hours from their PTO account.
In essence, we need to employ a two-pronged approach: blocking technologies AND user responsibility and consequences.
In Jurassic Park, John Hammond tells Dennis Nedry that he doesn’t blame people for their mistakes, but he does ask that they pay for them. I agree and believe that this stance would vastly cut down on the number of illicit software installations, with blocking technologies providing the final cover.