IT enemy No. 3: The Power User
Every IT pro has stories about plebes who suck the lifeblood from the help desk with questions about their PC's "any" key. But the real threat is posed by users who know just enough to be dangerous.
"For me the biggest enemy is not the clueless user, but the clued-in user who doesn't have the whole picture," says Kevin Thompson, information security manager for Minnesota State University at Mankato. "This is the guy that thinks he is helping by running pre-release software he downloaded from BitTorrent. This guy has all the passwords of the other users in his office and acts as the unappointed first line of technical support. Instead, he frequently breaks things."
Not only do Power Users cause support and management headaches, they can be walking, talking security nightmares, says The Security Consortium's Mark Kadrich.
"They're usually engineering types or Ph.D.s who firmly believe they know more about the computer and network than you do," he says. "They insist on having admin/root access so they can 'configure' their custom applications or memory, and believe firewalls are for the unwashed masses. They're 'savvy' and can outwit any hacker on the planet. Besides, they 'don't have anything that a hacker would want,' so why should they worry? Their naiveté borders on the criminal."
Recognizing the enemy: They might be wearing Armani or T-shirts and flip-flops, but they're carrying a jailbroken iPhone in one hand, a Palm Pre in the other, and two laptops in their bag. Also: Anyone with a "Dr." in his or her title.
Your best defense: PsychOps. The only way to get a Power User's attention is to scare the hell out of them, then gradually bring them over to your side, says Kadrich. The exact approach depends on the position they hold in the corporate ranks.
"Executives don't give a damn about security, but they do care about their brand," he says. "You tell them, 'What you just did caused a huge number of emails to go out proving how screwed up our brand is.' That generally gets their attention."
For lesser tribe members, Kadrich makes the threat personal. Thanks to the Power Users' meathead behavior, their personal financial information has been compromised; now they have to call their bank and cancel all their accounts.
The second prong of attack? Training and awareness. Low-key, regular luncheon sessions talking about the latest security breaches are the most effective way to alter people's behavior, he adds.
"You want to make the people in your organization security ambassadors," he says. "Taking the enemies of IT and converting them into true believers is the best approach."