Teaching Employees New Security Tricks

To help fend off spam, viruses, identity theft and corporate sabotage, IT managers need to

train company employees to protect themselves and the corporate network.

The problem is that is simply isn’t happening.

Budget cuts and staffing shortages are making it difficult for IT managers to focus on

anything beyond putting out daily fires and staying current with software updates, patches

and security alerts. It’s no wonder, say industry analysts, that there’s no time to hold

training sessions to teach people in finance, marketing and human resources to not fall prey

to identity theft or the latest virus.

But the lack of training is causing those same IT managers even more headaches and even

longer hours in the office.

”It’s critical that IT managers focus on education, despite the constant pressure,” says

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus software company

based in Lynnfield, Mass. ”Training, in the end, is going to benefit their department.

Educated end users will reduce the amount of issues and fires they have to put out.”

Those daily fires are definitely torching any ideas of IT managers having enough time to

hold training sessions, or even simply send out email alerts when new viruses or hoaxes rear

their ugly heads.

An estimated 90 percent of IT managers reported in a recent survey that they provide no

employee training on how to manage spam and junk mail, according to a report from

SurfControl Plc, a Web and email filtering company with a U.S. base in Scotts Valley, Calif.

And the report shows that they’re forgoing training despite the fact that many employees may

be dealing with more than 1,500 pieces of junk email each year — and that’s just from

people they know.

”It’s not just up to the IT people to keep the network secure anymore,” says Susan Larson,

vice president of global product content at SurfControl. ”This is a dynamic process of

keeping employees aware… Several years ago, Internet use policies were not even in place.

Now, 75 percent of companies have policies. But now they feel they can hand out the policies

and that’s enough.

”If employees don’t understand how they can help, they become part of the problem,” adds

Larson. ”Employees are ultimately critical. It’s not just ‘my mailbox’. Multiply that by

10,000 users. Obviously, they shouldn’t be answering spam. They shouldn’t be using Outlook’s

Preview page because that sends tracking information back. There’s a lot to it.”

And Dan Woolley, a vice president at network security company SilentRunner, says employees

are a huge part of the problem. Workers use their corporate systems to shop online, fill out

surveys and generally do things that spread their work email address around to be scooped up

and used by spammers. They also are still being fooled by email chain letters promising them

riches and airplane tickets if they forward the email on to 10 of their most gullible

friends. They’re still clicking on attachments infested with viruses and they’re still

sending out inappropriate email jokes and IMing with their mothers.

”We just don’t do a good job of telling people how to avoid risks,” says Woolley. ”They

arrive at a new job. We hand them a system and expect them to know how to use it…

Challenge them to think about these risks before you turn them loose in the office.”

Woolley says basic training needs to start with teaching people how to recognize spam, fraud

and hoaxes. Then, he says, teach them about viruses, worms and Trojans. When employees hear

these terms, what do they mean? What should they be alert for? What should they do when they

think they’ve encountered one?

Social engineering is the next thing workers need to learn about. Someone intent on stealing

corporate information is often quick to make employees unwitting accomplices. People need to

know that they shouldn’t leave their passwords written on Post-It notes stuck to their

monitors. They should never give user names or passwords over the telephone. They shouldn’t

talk about network critical information when they’re in the parking lot or smoking area.

”We need to talk about security on a routine basis,” says Woolley. ”It needs to be a top

priority for every corporation and it needs to come from the top down. People need to see

that the CEO and CFO are concerned about it.”

Tony Magallanez, a systems engineer at F-Secure, Inc., a data security and anti-virus

company, says training can’t be a one-time proposition. He says security awareness needs to

be part of new employee orientation and then training sessions for all employees should be

held periodically. Add to that, email alerts to end users, keeping them updated about the

threat of new viruses, spam tactics and hoaxes.

Larson adds that end users need to understand about tracking methods. When they click on an

ad, it could have sophisticated tracking mechanisms that will add to the amount of spam

coming in. She also notes that employees need to know that they shouldn’t be shopping online

with company equipment because company account information could be harvested.

”Every company should be working this into their schedule as best they can,” says Larson.

”Make employees understand they are a valuable part of the solution. You need to get them

invested in protecting the network.”

RELATED NEWS AND ANALYSIS

• Ethics and Artificial Intelligence: Driving Greater Equality

  FEATURE |  By James Maguire,
  December 16, 2020

• AI vs. Machine Learning vs. Deep Learning

  FEATURE |  By Cynthia Harvey,
  December 11, 2020

• Huawei’s AI Update: Things Are Moving Faster Than We Think

  FEATURE |  By Rob Enderle,
  December 04, 2020

• Keeping Machine Learning Algorithms Honest in the ‘Ethics-First’ Era

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 18, 2020

• Key Trends in Chatbots and RPA

  FEATURE |  By Guest Author,
  November 10, 2020

• Top 10 AIOps Companies

  FEATURE |  By Samuel Greengard,
  November 05, 2020

• What is Text Analysis?

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  November 02, 2020

• How Intel’s Work With Autonomous Cars Could Redefine General Purpose AI

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 29, 2020

• Dell Technologies World: Weaving Together Human And Machine Interaction For AI And Robotics

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  October 23, 2020

• The Super Moderator, or How IBM Project Debater Could Save Social Media

  FEATURE |  By Rob Enderle,
  October 16, 2020

• Top 10 Chatbot Platforms

  FEATURE |  By Cynthia Harvey,
  October 07, 2020

• Finding a Career Path in AI

  ARTIFICIAL INTELLIGENCE |  By Guest Author,
  October 05, 2020

• CIOs Discuss the Promise of AI and Data Science

  FEATURE |  By Guest Author,
  September 25, 2020

• Microsoft Is Building An AI Product That Could Predict The Future

  FEATURE |  By Rob Enderle,
  September 25, 2020

• Top 10 Machine Learning Companies 2021

  FEATURE |  By Cynthia Harvey,
  September 22, 2020

• NVIDIA and ARM: Massively Changing The AI Landscape

  ARTIFICIAL INTELLIGENCE |  By Rob Enderle,
  September 18, 2020

• Continuous Intelligence: Expert Discussion [Video and Podcast]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 14, 2020

• Artificial Intelligence: Governance and Ethics [Video]

  ARTIFICIAL INTELLIGENCE |  By James Maguire,
  September 13, 2020

• IBM Watson At The US Open: Showcasing The Power Of A Mature Enterprise-Class AI

  FEATURE |  By Rob Enderle,
  September 11, 2020

• Artificial Intelligence: Perception vs. Reality

  FEATURE |  By James Maguire,
  September 09, 2020