But does it scream? I agree it's obvious to me but I can bit-bang the SMTP protocol from memory. I'm not exactly normal. Just because something is obvious to you or me doesn't make it obvious to everyone.
If you're on tech support and have the keys to every tenant I expect basic proficiency.
Uber, a multi-billion-dollar company, has a decent self-service team management site. If they took a look at the tenant they would see that 1. There is an owner already. 2. The staff account is actively in use, like right now, accepting orders. 3. The email addresses associated with them.
This isn't a chef / line cook not being able to handle the control panel, this is god tier admin blindly adding owners to tenants.
If we disagree on this minimum skill requirement, to follow basic rules and not react to a "hi giev access please" email, then we have to agree to disagree.
We all want that ideal blame-free culture, but then a user fails a second time and we quickly resort to "stupid support agent didn't follow the rules again".
The second time was an agent not following a big red flag on file on our profile: require a PIN before doing anything, because you know, we got owned by their call center already.
And that is a systemic issue yes, but again, I expect better from god tier admins, most reply guys don't have that level of access to their systems. This isn't front line staff helping drivers or ride hailers resetting their account, this is about multi store tenants bringing a million+ in annual revenue, with its own 24/7 incl weekend and holidays hotline and assigned account managers, people we sat down with and had a meal together.
We didn't chase the account manager down to get the agent in trouble, we did so to figure out wtf happened and how to prevent a third time.
But I do have a lot of concerns about the idea of shared responsibility, because I've seen it used as a weapon to shift blame from the people who can actually make a difference, and as an excuse to not spend more money on proper security controls and personnel.
If people bend shared responsibility into it's always the user's fault, it's that company's culture problem, not the idea of shared responsibility.
In the case of a .pdf.exe, there isn't a scanner that catches everything and we only notice when it does fail. What's the next step, just lock out everyone from everything and whitelist applications? That's a rather draconian rule and one that causes everyone a lot more work. Or we keep it practical: "hey, you can do anything except sudo/admin access, and be careful alright."
This pragmatic option depends on shared responsibility. On our own incidents, the user is apologetic, knows shit happened and called for help. We fix it, don't give him shit and remind everyone else what to watch out for. The one who was pwned doesn't need the reminder, he certainly will be more careful from now on.
What's the alternative? User goes, eh, shouldn't have allowed me to do this? Full lockdown kiosk mode, browser only by default for all staff?
We actually did consider deploying Linux but it's still not mature enough yet, and if there's trouble, it is much harder to find others with the same issue just because of the install base. And we regularly need to use MS Office, especially in the office with finance, HR staff and managers. So for now, the pragmatic choice wins.
Some issues you can fix with tech. If you rely too much on tech alone, you get different issues - Google's security is good, and you can do almost everything yourself, but find yourself on the wrong side, locked out, and it's good luck getting in touch with a human.