Chris Tate

Security is no PICNIC for MSPs

Updated: Apr 10

Veteran MSP insider and Principal Strategist at JumpCloud, Chris Tate, talks about a common "user error" theme in the MSP industry and asks whether it has stood the test of time.


If you ever worked on a help desk, or service desk to give it the full ITIL terminology, you will no doubt have heard a colleague say, “this is a classic case of PICNIC” before leaning back on their chair and waiting for a reaction as if they were some kind of latter-day Oscar Wilde.


Chris Tate is Principal Strategist at JumpCloud

The first time I heard it, I didn’t know what it meant, although thinking about it that is true for every phrase I’ve ever heard.


I must have asked someone as there was no Google when I worked in that role, no Ask Jeeves, no AltaVista, Yahoo!, Lycos, Infoseek etc. We were on our own back in the day, imagine that. In fact, I can’t imagine that, I almost had to Google “How did we manage before Google?”



No doubt when I found out it was an acronym for “Problem In Chair, Not In Computer” I fell about laughing and cracked open a can of Tab Clear or munched on some other early ’90s reference item because this is how far back I’m going.


What I’m trying to say is there has been a long-standing tradition of blaming the user for something that’s not necessarily their fault.


So, it got me thinking: do people still say PICNIC or not? Is there still a “Problem in Chair”, and not just because a lot of people now use standing desks or balance on a big ball?


The first thing that comes to mind when considering end users is that they are probably not as “into computers”, as my grandma used to say, as we are. If you’re reading this, on one of your many screens, you are probably working in the IT industry, and probably at an MSP or vendor who works with MSPs. I’ve done both by the way, so I am speaking from experience.


For the end user, their computer and the software they use are a way to get their job done. It’s a tool, and they want it to work efficiently and reliably. Security probably isn’t top of mind for them when they log on in the morning.


As an example, if they are asked by their employer or their MSP to use long and complex passwords for every application, they will probably write them down on a sticky note or something. It’s human nature, anything for an easy life.


So, if there is a breach of security because a user is using a weak password, or one that was compromised because it was written down on a scrap of paper, is that a “Problem In Chair” or a problem with the system, or the process?


What should of course happen is that the user has tools available to allow them to do their job securely but without adding friction. In the example above we are talking about a secure password manager, or even better, a single sign-on solution that is authenticated by biometrics in some way.


They shouldn’t be thinking about security, they should be thinking about getting on with their job by accessing applications and services they need while keeping the corporate data secure. 


Another example is phishing via email. These emails are becoming much more sophisticated and look more realistic, so while it’s important to train users about the dangers of phishing, how to deal with suspicious emails and not to click everything interesting that pops into their inbox, it’s also important to ensure that systems are in place to prevent the user ever seeing the dodgy email in the first place, and to protect them if (and when) they do click something they shouldn’t.


We would refer to this as Email Protection, Phishing Protection, DNS Filtering, Web Content Filtering and a million other terms, but the user wouldn’t; they would just see this as getting their job done.


We all have a role to play in making this happen. MSPs need to continue to educate and train their clients about the risks, and vendors need to ensure that the products they create are designed to be simple and intuitive for end users. This will prevent the need for them to create less secure ways around problems, like using sticky notes.


So, is PICNIC still used? I’m not sure, to be honest. Things were certainly simpler in a pre-internet connected world when supporting end users. Back then the issues were mainly around tasks such as printing documents and how to do this or that. So when you next have a security issue at one of your clients, rather than assume it's a simple user error, consider if there were things that could have been done differently from your side.





