The author’s reasoning is “if it was going to work, it would have worked by now. If ‘Educating Users’ is the strategy you plan to embark upon, you should expect to have to ‘patch’ your users every week. That’s dumb.” The author further suggests that users should simply not be given the permissions that would allow them to do any damage.

Addressing the last point first, we all can agree that the most secure computer is one that is powered off, unattached from the wall, and put in a secure vault. But that computer isn’t useful. I’m all for not making the secretary an ‘administrator/root’ user, but the reality is that unlike much of corporate America, our industry organizations often don’t have centralized IT departments for installing software and such - in many (but not all) cases, people need to control their own computers, and need the rights to administer them. I’m glad that NAR is hosting a session on PC security at the upcoming NAR Convention in San Francisco, and this education is NOT worthless.

Regarding the comment that “It would have worked by now,” I assert that it is working. The human factor will never be perfect, but with the amount of informatin/education becoming available in this area, I know more and more people that are smart enough to delete Worm-laden spam and/or defeat it with antivirus/anti-spyware software, and the more education people have the more difficult it will be for them to be fooled by phishing and more sophisticated human engineering techniques.

Is the idea of ‘patching’ your users by educating them every week dumb? Yes, it is. I generally advise clients to review one major security policy with employees/contractors every month (e.g. as a part of regular staff meetings), and otherwise only alert them to issues as needed. Weekly ‘patching’ is not needed.

The majority of IT security incidents can be traced back to user activity, and users need education to avoid risky activities and to become allies in the security effort. I’m not saying that education alone will get the job done - not at all. But to spend money on tools like firewalls and other such and ignore the people-oriented areas where most problems occur is foolishness.

This seems to be the “solution” many MLS organizations take.
But I would propose the wrong one.

Who owns the data? Who can set it free?

The homeowner wants their property on mls.
The Realtor wants the listings in front of their clients and on their websites.
The leaders of the technology such as yourself Mark are working on technological standards and access solutions and much more.
Web developers such as myself are trying to work with everyone and have everything persented in an organized, usable, and attractive persentation for the data to perform its purpose.

Many MLS associations state to the Realtor,
“No, you cannot have access.”

I guess this is limiting access as a control of data, but everyone loses. In many such cases the main office has the listings but in effect the Realtor is then limited by office procedures, or the lack of them?

Please excuse my lack of experience, but it’s how I am beginning to see it.