Once again, I've been reminded about how big the knowledge gap is between those of us who support computers on a daily basis and those who use computers as the office tools they're meant to be. One thing I do to stay involved with end-user concerns is provide gratis technical support for several small nonprofit organizations in my area. These organizations range in size from 3 to 25 computers and use a broad enough mix of OSs and applications to give me a good idea about what's going on in the more generic end-user community that I usually work with.
I've done my best to protect these organizations from external attacks by keeping their firewalls heavily locked down and making sure that their antivirus scan programs are in place and regularly updated. I accomplish most of my support remotely, by dialing in to an organization's network and working with one or two people on site whom I trust to follow my directions for fixing or maintaining computers and solving day-to-day problems that require a human's presence. I still make it a practice to stop by each office approximately every 4 to 6 weeks, even if everything seems to be going fine.
I got on the phone with all of these organizations when the MSBlaster and SoBig viruses were making their initial rounds. I made certain that every one of these organization's users who had a susceptible computer had downloaded the latest hotfixes, that each organization's antivirus software had been updated, and that each organization's network and users were neither the originators nor the targets of any attacks. Everyone I talked to apparently followed my advice, because none of these organizations reported any problems from those last two major virus outbreaks.
Finding some free time in my schedule last week, I visited each of these organizations over the course of a few days. Much to my chagrin, I found that almost no user who was running Windows XP--and the number of these users translates to more than 100 end-user computers--had ever bothered to click the system tray icon that told them that new updates were ready to be installed. All these users had followed the instructions I had given when I talked to them about the major virus attacks, but because no one had given explicit directions about software updates, these users hadn't bothered to install the post-big-attack fixes that Microsoft released.
I made a decision to do something I once thought I would never suggest. I walked all of these users through configuring Automatic Updates to download and install updates on a specified schedule, without prompting. Although this capability is built into XP's Automatic Updates feature, I prefer to be notified before the updates are installed so that I can see what's going on. I realized that none of these users would have a clue about what the update descriptions mean, but I would rather have to fix a computer that crashes because of an update than deal with the consequences of a virus set loose because of an unpatched security bug.
Configuring the new settings wasn't as simple as I hoped. Many of the computers I wanted to reconfigure were turned off at the end of the workday, which meant that setting updates to install at 3:00 a.m. wasn't an option. So, I decided to configure updates to install at lunchtime, when I could be reasonably certain that each computer would be switched on, and when I hoped that if a reboot was required, it would intrude minimally in the user's workday.
A better mechanism for making sure that business systems are patched and updated is yet to be created. However, through working with people who neither know nor care about how their computers work, as opposed to marginally knowledgeable business users, I've gained a certain appreciation for the obstacles that stand in the way of designing a patching system suitable for all users.
