Credit: Ben Barbante
Show, don't tell: Sometimes it's the only way to get through to security clients. Otherwise, it's like talking to a brick wall -- many people don't believe a security breach could happen to them and, instead, dismiss our recommendations and warnings. Only when their information is compromised do they become a powerful advocate in spreading the word about taking proper security measures.
At one point in my career, I was employed as a contractor, including at a company that handled maintenance work for large corporations in their buildings. Unfortunately, this client didn't seem to understand the importance of updating its security measures.
[ For more stories about exasperating IT jobs, check out "10 users IT hates to support." | Pick up a $50 American Express Gift Cheque if we publish your tech story: Send it to email@example.com. | Get your weekly dose of workplace shenanigans by following Off the Record on Twitter and subscribing to the anonymous Off the Record newsletter. ]
We were hired to manage the client's computer systems, but the company didn't want anything changed that wasn't already broken. Even though we offered warnings and suggested updates, we were waved away.
The company used ancient antivirus software, which -- in its estimation -- still worked just fine. The client continually wanted ports opened in the firewall without heed to the repercussions or alternatives. For our own sake, we kept a paper trail of all of this, noting the warnings in writing and getting sign-off for every move.
It wasn't too surprising when one day I answered a call from the company and heard a panicked voice saying a virus had hit employees' computers. Also not surprising: Being blamed for the old, out-of-date antivirus software. The client argued it was our fault for not preventing this; therefore, the company shouldn't have to pay us to fix it.
We'd been prepared for this possibility, so it was easy to grab the company's file on my way over. When I got there, I showed the bosses the copies of their old work orders, complete with their signatures and our warnings about the antivirus software. "No, this isn't a free service call. We warned you about this on multiple occasions. I'm sorry, but I have to bill this out." They quit arguing, and I got to work.
As I discovered, the virus had come in via email, inside an infected document. I recognized it from prior research and knew several of its characteristiscs: It spread by randomly emailing documents on any drive to addresses on any contacts list it could find, it kept a text log of the email addresses it tried to infect, the documents were not corrupted and could be recovered, and private information was often in the documents that were mailed out to random people.