For those of us who work in IT, one of the biggest aspects of our job is making sure our users have an easy experience when it comes to using the network. Our main goal is to make it easier for them to carry out their daily tasks by providing them a solid technological foundation. At some point, though, we inevitably end up doing something or giving them access because it’s easier on us. That’s where we get into trouble.
During almost every security assessment we have done, we find that there are things in place that are very much a “you should know better” situation. One of the biggest examples is password policies. We very often go into a network and find that there is either a very lax policy in place, or none at all. When we bring it to the attention of the IT department, their response is very often, “It made our users mad to have a strong password, so we turned it off.” This, as we all should know, is unacceptable. Yes, it’s sometimes frustrating to have to remember a complex password. In a perfect world we wouldn’t need passwords at all, because everyone would be trustworthy. Unfortunately, we have to be realistic. We don’t implement strong passwords because we enjoy making our users work harder. We do it to protect them, and to protect our network.
When we are presented with the response that it made the users upset, I think of it like this: Did your mom ever give you a choice about eating fruit and vegetables? Most likely not. She knew you didn’t like them, and she probably didn’t want to force you to eat them, but she also knew that eating those fruits and vegetables was better for you. She had the authority, and you obeyed. Working in IT is no different. When it comes to the network, you are the parent. Don’t do things because they’re easier on your users if it means sacrificing the security of your network. If you do, you’ll end up with a network full of cavities.