Teaching Employees New Security Tricks

To help fend off spam, viruses, identity theft and corporate sabotage, IT managers need to train company employees to protect themselves and the corporate network.

The problem is that it simply isn't happening.

Budget cuts and staffing shortages are making it difficult for IT managers to focus on anything beyond putting out daily fires and staying current with software updates, patches and security alerts. It's no wonder, say industry analysts, that there's no time to hold training sessions to teach people in finance, marketing and human resources to not fall prey to identity theft or the latest virus.

But the lack of training is causing those same IT managers even more headaches and even longer hours in the office.

"It's critical that IT managers focus on education, despite the constant pressure," says Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus software company based in Lynnfield, Mass. "Training, in the end, is going to benefit their department. Educated end users will reduce the amount of issues and fires they have to put out."

Those daily fires are definitely torching any ideas of IT managers having enough time to hold training sessions, or even simply send out email alerts when new viruses or hoaxes rear their ugly heads.

An estimated 90 percent of IT managers reported in a recent survey that they provide no employee training on how to manage spam and junk mail, according to a report from SurfControl Plc, a Web and email filtering company with a U.S. base in Scotts Valley, Calif. And the report shows that they're forgoing training despite the fact that many employees may be dealing with more than 1,500 pieces of junk email each year -- and that's just from people they know.

"It's not just up to the IT people to keep the network secure anymore," says Susan Larson, vice president of global product content at SurfControl. "This is a dynamic process of keeping employees aware... Several years ago, Internet use policies were not even in place. Now, 75 percent of companies have policies. But now they feel they can hand out the policies and that's enough.

"If employees don't understand how they can help, they become part of the problem," adds Larson. "Employees are ultimately critical. It's not just 'my mailbox'. Multiply that by 10,000 users. Obviously, they shouldn't be answering spam. They shouldn't be using Outlook's Preview page because that sends tracking information back. There's a lot to it."

And Dan Woolley, a vice president at network security company SilentRunner, says employees are a huge part of the problem. Workers use their corporate systems to shop online, fill out surveys and generally do things that spread their work email address around to be scooped up and used by spammers. They also are still being fooled by email chain letters promising them riches and airplane tickets if they forward the email on to 10 of their most gullible friends. They're still clicking on attachments infested with viruses and they're still sending out inappropriate email jokes and IMing with their mothers.

"We just don't do a good job of telling people how to avoid risks," says Woolley. "They arrive at a new job. We hand them a system and expect them to know how to use it... Challenge them to think about these risks before you turn them loose in the office."

Woolley says basic training needs to start with teaching people how to recognize spam, fraud and hoaxes. Then, he says, teach them about viruses, worms and Trojans. When employees hear these terms, what do they mean? What should they be alert for? What should they do when they think they've encountered one?

Social engineering is the next thing workers need to learn about. Someone intent on stealing corporate information is often quick to make employees unwitting accomplices. People need to know that they shouldn't leave their passwords written on Post-It notes stuck to their monitors. They should never give user names or passwords over the telephone. They shouldn't talk about network-critical information when they're in the parking lot or smoking area.

"We need to talk about security on a routine basis," says Woolley. "It needs to be a top priority for every corporation and it needs to come from the top down. People need to see that the CEO and CFO are concerned about it."

Tony Magallanez, a systems engineer at F-Secure, Inc., a data security and anti-virus company, says training can't be a one-time proposition. He says security awareness needs to be part of new employee orientation, and then training sessions for all employees should be held periodically. Add to that email alerts to end users, keeping them updated about the threat of new viruses, spam tactics and hoaxes.

Larson adds that end users need to understand tracking methods. When they click on an ad, it could have sophisticated tracking mechanisms that will add to the amount of spam coming in. She also notes that employees need to know that they shouldn't be shopping online with company equipment because company account information could be harvested.

"Every company should be working this into their schedule as best they can," says Larson. "Make employees understand they are a valuable part of the solution. You need to get them invested in protecting the network."
