When you’ve spent sufficient time in our industry segment to be recognized by your friends and colleagues as “a tech guy,” you’ll inevitably experience a surreal encounter where someone solicits your opinion on business technology under very odd circumstances. My morning started with one of those events … in a dentist’s chair, of all places.
I’d been putting off having a filling done for a month due to demands at the office. I finally agreed to get the procedure out of the way today. After exchanging pleasantries with the dentist and her staff, I was shown to a chair, checked, numbed up … and asked my opinion on whether or not an iPhone could crash a server. Despite being nearly incomprehensible thanks to all the pain blockers, I was captivated by the dentist’s story. Supposedly, one of the junior staff members had needed to recharge her personal mobile the night before, and – not knowing anything about computers – had attached her USB cable directly into the officer server, knocking it off-line. Supposedly, the practice’s regular “tech guy” had been remotely mucking about with the server deep into the night trying to sort it out, and needed to fly in with a replacement machine later in the day. All because of a rogue mobile phone, supposedly.
I have to admit … as ludicrous as it was to be asked for a considered opinion on technology with a spinning drill inside my top teeth, I was quite taken with the problem. That the server was “down” might or might not actually be true; I could tell by the state of the PCs around the office that the practice was running on obsolete tech. Most likely, the old Small Office Server 2003 box had simply shaken itself apart, and the errant iPhone charger was only proximal and not causal.
The more important problem, as I saw it at the time, was determining how on earth the connection had been made in the first place. How had a line-level employee physically accessed the business’s only production server? Wasn’t it secured from casual access? Was it not clearly marked as not for routine use? Why were USB ports on the server not at least blocked off with a strip of tape?
More importantly, why did the employee believe that it was kosher to connect a personally-owned device into one of the business’s PCs? Wasn’t that use contraindicated under the company’s Acceptable Use Policy? Was the employee ever taught about proper and improper use during their on-boarding with the company? Was it discussed in the employees’ recurring IT proficiency and security training? Were there any notices posted around the business reminding the employees to protect critical business systems? Had any other employee seen what was happening and spoken up?
The more I drilled down into the problem (sorry), the more I learned. This particular business was clearly dependent on technical equipment to function – without a network server to store their digital X-ray films, for example, they couldn’t determine when a filling might be required. Without an outside Internet connection, they couldn’t process insurance payments. Without the calendar function on their Exchange server, they couldn’t book new patient appointments, and so on. That server should have been a critical element under the business’s Continuity of Operations Plan … but they didn’t have one of those either.
These people weren’t fools by any stretch; they were all very talented dental health professionals. I’ve been using this same dentist for the last five years or so and their quality of care has consistently been excellent. These people aren’t technologists, by trade; they knew that they needed business and healthcare information systems and hired another small business “consultant” to set them up with … something. They didn’t hire a staff IT manager. Didn’t train a local sysadmin, either. When pressed, none of the nurses I spoke with could even map the production network or list the running services. That’s a very, very dangerous place to be … You’re utterly dependent on key tools for the operation of your business, and you don’t know how they work. I’ve seen the same problem in nearly every small business I’ve visited over the last twenty years.
As if this wasn’t disturbing enough, recent trends in workplace behavior suggest that collisions between production and personal IT equipment are only going to increase. Back on May second, I attended VMware’s event in Dallas where the keynote presenter spoke to a packed room about the criticality of embracing the idea of “Bring Your Own Device” (BYOD) computing. By now the speaker enthused, all of our employees would be bringing smart phones and tablets into the workplace and would demand (demand!) that we, the IT department, deliver all of our corporate IT services directly to their personal, unmanaged, non-secure, untracked end-points. Good for us, then, that VMware has the industry’s best solution for accommodating all of those poxy iPads (I’m paraphrasing, obviously).
While I agree with VMware that there’s a huge demand to push corporate IT out to a greater quantity and range of end points, I respectfully disagree that we (in IT) should been any particular need to open our sensitive production networks up to ungoverned devices. That said, I agree completely with his assertion that employees are beginning to bring their devices in to the office whether they’re allowed to actually use them for work or not. The dentist’s office was a beautiful example of that.
Additionally, the dentist’s situation shows us all what can happen when a small business don’t put into place the most basic of IT policies and procedures. All organizations, no matter the size, have a telling need to invest up-front in crafting basic policies, user training materials, advisories, and a culture of security awareness. If you train your people as part of their orientation in the essentials of recognizing and protecting critical systems and information, they’ll be (at least) reasonably prepared to recognize and properly react to potential new threats.
I’m not likely to leave my dentist over this little systems failure, but I do plan to have a chat with her before my next appointment about the need to get off Windows XP … and encrypting our patient data … and perhaps a few words about locking up the server. Before she starts drilling, though.
Keil Hubert is a business, security and technology operations consultant in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo! Broadcast, and helped launch four small businesses (including his own). His experience creating and leading IT teams in the defence, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employees. He currently commands a small IT support organization for a military agency, where his current focus is mentoring technical specialists into becoming credible, corporate team leaders.