IT pros should not have to support users who lack basic IT skills. A bold statement, I know. But when network users display a complete absence of IT soft skills and common sense, even as security breaches become almost commonplace, they leave us with no choice.
Now, before you object, let me explain. When I say soft skills, I'm not talking about Java, C++, Python or any other programming language. Soft skills in this instance equate to basic PC skills and security awareness, not IT-level knowledge.
When hackers can successfully exploit a company's defenses by using widely publicized techniques such as email attachments, web links and social engineering, there is clearly a problem. But who is at fault? The user or the IT team? Does it even matter?
Let's discuss a few common issues while I demonstrate why sysadmins need to take a stand against computer-illiterate users who require more than their fair share of IT support. The following observations are sure to cause controversy, but quite frankly, enough is enough; and I'm sure many IT pros feel the same way.
Related Article: Extinguishing Network Fires at Klein Steel
The Blame Game
Network users are not all created equal. They range from the highly skilled to those approaching a vegetative state, where "turn it off and on again" is not just an option but a complete way of life. Unfortunately, IT is left to assume all the responsibility for repairing the damage when users make mistakes. But, according to Fortune, in many cases, not the blame.
"IT teams can help eliminate human error by accepting responsibility themselves when things go bad and looking for a solution, rather than putting the blame on the users," observes Abdul Jaludi, CEO at TAG-MC, a Milford, Pennsylvania-based provider of business technology optimization solutions.
In most cases, IT pros realize that it's their responsibility to solve the problem and are generally firm advocates of work-based training in basic PC skills and security awareness. IT teams should certainly support users and train them. However, if users make the same rudimentary errors over and over again, should that still be the case? The IT role has expanded considerably and user support is now only a small percentage of sysadmins' duties. If user support dominates, essential business functions could be neglected or ignored completely.
"If the IT pro's role is expanding, they need to implement tools, controls and processes so that each employee, from the CEO to the newly hired data-entry clerk, is able to perform their core function without having to ask which email they shouldn't open or which website to avoid," says Jaludi. "Sometimes training is not the answer. When employees are trained to perform certain IT tasks and problems persist, then it is IT's responsibility to find an alternate solution."
"The [ideal] solution should be a combination of tools, automation and training," Jaludi adds.
It's Not a Perfect World, After All
In a perfect world, all company employees, from executives to entry-level staff, would follow IT security guidelines. But how many IT pros are prepared to point out the failings of senior executives? Some C-level execs are the same self-proclaimed "big-picture thinkers" who still regard IT as solely a support function, rather than an essential core business asset. CEOs and other senior executives should lead by example and attend training sessions themselves, thereby promoting a culture of security awareness throughout the company. That is the big picture needed to ensure modern business continuity.
All users, regardless of salary or activity, need to make sure that their carelessness does not disrupt company activities. When a security breach occurs — and it will — then at least it won't be because Gavin from HR used his work email to claim his foreign lottery winnings or accept his inheritance from a distant, unknown relative.
In many cases, training can be helpful. But when initial training fails for some users, and they still require excessive levels of support, what then?
Common Sense Is Not So Common
Don't give up yet. Use glove puppets to drive the point home to stubborn users. Perhaps create a list of questions that they should mentally ask themselves before clicking on links or email attachments. These could include but are not limited to:
- Is the email work-related? If not, instruct users to view it on their personal device when they are not connected to the company network.
- Is the email from an unknown person or is it unrelated to a specific company project or transaction? "Telling users not to click on attachments from people they don't know will not work for the finance department, which receives hundreds of invoices from people they don't know," advises Jaludi.
- Does a response require me to provide information that will compromise my privacy or share company details I am not authorized to divulge? Does the email offer the possibility of a surprising reward, whether from an unknown foreign relative, bank or lottery?
IT Strikes Back
IT pros are unlikely to fall victim to common scams and are quick to identify suspect communications, phishing and ransomware. If in doubt, we can check the properties of email message headers or identify the common attachment sizes for installers or keyloggers. The details of such interventions are usually beyond users, even those with basic soft skills.
Related Article: IT Security Awareness Training: Tips for a More Effective Strategy
The next time you have a "Why me?" moment when a user who lacks basic IT soft skills is unwittingly creating more than his or her fair share of support incidents, or just being a bit of a tool, as we say in Ireland, consider your options. In this writer's opinion, there are several:
- Sigh and start fixing the issue.
- Berate the user for incompetence. Just kidding. While this may be tempting, it's never recommended. Companies have processes to deal with disputes — that's what HR and department managers are for. Argue with them instead, but only in cases where the user is creating a long list of support issues. Then solve the problem at a user level by providing additional training, adding admin controls or automating tasks.
- Point out to IT decision makers that user support is placing increasing demands on IT resources, despite training and other controls. When paid overtime is necessary to ensure business continuity, the powers that be are more than willing to get involved.
In most situations, option one is the default. For repeat offenders, combine options one and three. Unfortunately, option two is never a viable choice for IT pros, but when you enlist HR and department heads to address user incompetence, it usually leads to option three.
It Takes a Village (to Raise a User With IT Soft Skills)
Basic PC literacy and common sense are expected in a modern office environment. There is no real excuse for ongoing human errors from the same users. But, short of assigning a sysadmin to each staff member and having them stand behind their designated user to monitor their activity, how can we prevent basic errors?
The simple answer is we can't, but we can cooperatively try to reduce them. We make users' tasks easier and some consideration would be nice, rather than the I-screwed-up-but-fixing-it-is-your-job-so-hop-to-it attitude that many users adopt. Sure, fixing problems is part of our skill set, but dealing with the same BS from the same people on a daily basis is not acceptable, regardless of how funny users think it is to have the geeks scrambling to resolve their incompetence-fueled tickets.
Leave It to the Professionals
One final note. While users who lack basic PC literacy are the source of endless frustration for IT pros, there's another breed of user that deserves an honorary mention: users who fancy themselves as IT experts. These users should refrain from applying the advanced performance "fixes" they stumbled across on the latest eHow blog post. Performance issues are our domain and are often caused by user activity on YouTube or other streaming video sites. Users, leave the registry and system files well alone. The alternative is, perhaps one day your friendly IT geek squad may snap and bring sweet justice to all involved. In the meantime, can't we all just get along?