You: You’re a system administrator for a large insurance company that offers travel insurance. One day, you notice an uptick in bots accessing your website. Although these bots are doing nothing but crawling your website, you are slightly frightened that other bots could be attempting to hack you. Using your state-of-the-art monitoring and analytics system, you notice that these bots are mostly coming from Asia. Your company isn’t based in Asia, so you think to yourself: well golly, I’ll just configure my state-of-the-art Web Application Firewall (WAF) to block all traffic coming from Asia. We’re not based in Asia after all, so why should we serve any traffic from there? Case closed.
Me: I’m a policyholder of your company’s travel insurance. Currently, I’m in Asia, sitting in a hospital trying to initiate a claim. The hospital is demanding a case number from your insurance company before it can continue helping me. No matter how I access your website, it refuses to load and offers only the message “WAF” – whatever that is; the page is completely blank except for those three letters. I have this insurance specifically for a medical incident while outside the country I bought it in (that is what travel insurance is for). Fed up with trying to initiate a claim via the website, I attempt to call your insurance company. But how do I call an international number, especially from a hospital, when I don’t have an international contract? Oh.
It’s a (partially true) story of a mistake made by people who are clueless about how their products and services are actually used by others, and of how seemingly innocent changes can have extremely negative consequences. Sometimes the people responsible for these things simply aren’t qualified for the environment they are in, and can’t envision the effect of their actions on a (literally or figuratively) global scale. Seeing the whole picture is hard.