The Problem with Prevention (IT Security)


Working in IT is most certainly an interesting job and like any other, has its ups and downs. Today, I am going to be talking about what is (at least to me) one of the most difficult parts of the job. There’s a nice thing about technology and that is that it’s logical. It may not always be immediately obvious – or even obvious after a while, but all problems have a cause. Nothing “just happens” (…okay, sometimes it’s so hard to find the problem that you give up and replace the stupid thing instead).

Anyway, there are a few potential causes of these problems. Probably the most common of these is people. Whether we like to admit it or not, we cause the vast majority of problems. Next up is the hardware: it will fail – it does fail. Finally, there’s the software: it could be bugs, security vulnerabilities or something else – it also goes wrong. This is why people like me are around. In an ideal world you wouldn’t see us, need us or know we are around. We would love to be able to operate in the shadows keeping everything going. But, unfortunately, things do go wrong.


Take a look at people like Microsoft: how often does their website go down? Or, how often do people who follow good practices (which are common sense) get ransomware, viruses or lose data? The answer is: pretty much never. This is because they build their systems to be resilient and/or redundant and, more importantly, they maintain them and care about security. Now, this may sound really complicated but it really isn’t. The fact is, if you have a car, you lock it, you MOT and tax it and so on. Why not do the equivalent for a computer?


Now, the point where I get to complain.

The recent ransomware outbreak was only possible on systems that didn’t update recently. In response to IT Pros saying that people should update their systems lots of people said “Updating causes more problems than malware”. What? You’d prefer it to be the other way round?

For all of us, IT costs money and it’s not cheap either. Nearly everyone’s willing to pay money to enable them – an email server for a business or a laptop for home perhaps. But most people won’t pay the costs to protect them; at least until it’s too late. This brings me on to the next “excuse”… “That’s never happened in the X years we’ve had it”. It’s a real problem. How do you get someone to realise that this thing is actually something they really should have or do? It’s a direct cost to them. No one profits from it.

It’s amazing how many people, in response to this recent ransomware attack (once it’s too late, I might add), have asked me to check, quote and secure their systems. This is no different from any other case: something goes wrong which they could easily have avoided, they lose everything, then they start backing up, for example.


There are many more examples I could give but I think I’ve made my point. It puts us (IT Pros) in a very tricky situation. Obviously we don’t want you to lose any of your company data or family photos and we really don’t like the whole “Why didn’t you say/do something so this didn’t happen?!” situation that results from this. Here’s an example: last Friday, upon hearing about the new ransomware, I wanted to go and check a couple of things on the server of one of the companies I manage. I didn’t get paid for that and I wouldn’t have if I had said a month before, and that’s because people don’t see the necessity of it. Fact is, paying an IT Pro to prevent something will be cheaper than the costs resulting from recovering if and when something does go wrong.

(Thanks to those people who do follow good security practices and to those who have read this far.)