Teaching Employees New Security Tricks
To help fend off spam, viruses, identity theft and corporate sabotage, IT managers need to train company employees to protect themselves and the corporate network. But with budget cuts and understaffed IT departments, it's just not getting done. And that's leaving IT managers with even more headaches.
The problem is that is simply isn't happening.
Budget cuts and staffing shortages are making it difficult for IT managers to focus on anything beyond putting out daily fires and staying current with software updates, patches and security alerts. It's no wonder, say industry analysts, that there's no time to hold training sessions to teach people in finance, marketing and human resources to not fall prey to identity theft or the latest virus.
But the lack of training is causing those same IT managers even more headaches and even longer hours in the office.
Those daily fires are definitely torching any ideas of IT managers having enough time to hold training sessions, or even simply send out email alerts when new viruses or hoaxes rear their ugly heads.
An estimated 90 percent of IT managers reported in a recent survey that they provide no employee training on how to manage spam and junk mail, according to a report from SurfControl Plc, a Web and email filtering company with a U.S. base in Scotts Valley, Calif. And the report shows that they're forgoing training despite the fact that many employees may be dealing with more than 1,500 pieces of junk email each year -- and that's just from people they know.
''It's not just up to the IT people to keep the network secure anymore,'' says Susan Larson, vice president of global product content at SurfControl. ''This is a dynamic process of keeping employees aware... Several years ago, Internet use policies were not even in place. Now, 75 percent of companies have policies. But now they feel they can hand out the policies and that's enough.
''If employees don't understand how they can help, they become part of the problem,'' adds Larson. ''Employees are ultimately critical. It's not just 'my mailbox'. Multiply that by 10,000 users. Obviously, they shouldn't be answering spam. They shouldn't be using Outlook's Preview page because that sends tracking information back. There's a lot to it.''
And Dan Woolley, a vice president at network security company SilentRunner, says employees are a huge part of the problem. Workers use their corporate systems to shop online, fill out surveys and generally do things that spread their work email address around to be scooped up and used by spammers. They also are still being fooled by email chain letters promising them riches and airplane tickets if they forward the email on to 10 of their most gullible friends. They're still clicking on attachments infested with viruses and they're still sending out inappropriate email jokes and IMing with their mothers.
''We just don't do a good job of telling people how to avoid risks,'' says Woolley. ''They arrive at a new job. We hand them a system and expect them to know how to use it... Challenge them to think about these risks before you turn them loose in the office.''
Woolley says basic training needs to start with teaching people how to recognize spam, fraud and hoaxes. Then, he says, teach them about viruses, worms and Trojans. When employees hear these terms, what do they mean? What should they be alert for? What should they do when they think they've encountered one?
Social engineering is the next thing workers need to learn about. Someone intent on stealing corporate information is often quick to make employees unwitting accomplices. People need to know that they shouldn't leave their passwords written on Post-It notes stuck to their monitors. They should never give user names or passwords over the telephone. They shouldn't talk about network critical information when they're in the parking lot or smoking area.
''We need to talk about security on a routine basis,'' says Woolley. ''It needs to be a top priority for every corporation and it needs to come from the top down. People need to see that the CEO and CFO are concerned about it.''
Tony Magallanez, a systems engineer at F-Secure, Inc., a data security and anti-virus company, says training can't be a one-time proposition. He says security awareness needs to be part of new employee orientation and then training sessions for all employees should be held periodically. Add to that, email alerts to end users, keeping them updated about the threat of new viruses, spam tactics and hoaxes.
Larson adds that end users need to understand about tracking methods. When they click on an ad, it could have sophisticated tracking mechanisms that will add to the amount of spam coming in. She also notes that employees need to know that they shouldn't be shopping online with company equipment because company account information could be harvested.
''Every company should be working this into their schedule as best they can,'' says Larson. ''Make employees understand they are a valuable part of the solution. You need to get them invested in protecting the network.''