Thursday, October 10, 2024

Teaching Employees New Security Tricks

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

To help fend off spam, viruses, identity theft and corporate sabotage, IT managers need to

train company employees to protect themselves and the corporate network.

The problem is that is simply isn’t happening.

Budget cuts and staffing shortages are making it difficult for IT managers to focus on

anything beyond putting out daily fires and staying current with software updates, patches

and security alerts. It’s no wonder, say industry analysts, that there’s no time to hold

training sessions to teach people in finance, marketing and human resources to not fall prey

to identity theft or the latest virus.

But the lack of training is causing those same IT managers even more headaches and even

longer hours in the office.

”It’s critical that IT managers focus on education, despite the constant pressure,” says

Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus software company

based in Lynnfield, Mass. ”Training, in the end, is going to benefit their department.

Educated end users will reduce the amount of issues and fires they have to put out.”

Those daily fires are definitely torching any ideas of IT managers having enough time to

hold training sessions, or even simply send out email alerts when new viruses or hoaxes rear

their ugly heads.

An estimated 90 percent of IT managers reported in a recent survey that they provide no

employee training on how to manage spam and junk mail, according to a report from

SurfControl Plc, a Web and email filtering company with a U.S. base in Scotts Valley, Calif.

And the report shows that they’re forgoing training despite the fact that many employees may

be dealing with more than 1,500 pieces of junk email each year — and that’s just from

people they know.

”It’s not just up to the IT people to keep the network secure anymore,” says Susan Larson,

vice president of global product content at SurfControl. ”This is a dynamic process of

keeping employees aware… Several years ago, Internet use policies were not even in place.

Now, 75 percent of companies have policies. But now they feel they can hand out the policies

and that’s enough.

”If employees don’t understand how they can help, they become part of the problem,” adds

Larson. ”Employees are ultimately critical. It’s not just ‘my mailbox’. Multiply that by

10,000 users. Obviously, they shouldn’t be answering spam. They shouldn’t be using Outlook’s

Preview page because that sends tracking information back. There’s a lot to it.”

And Dan Woolley, a vice president at network security company SilentRunner, says employees

are a huge part of the problem. Workers use their corporate systems to shop online, fill out

surveys and generally do things that spread their work email address around to be scooped up

and used by spammers. They also are still being fooled by email chain letters promising them

riches and airplane tickets if they forward the email on to 10 of their most gullible

friends. They’re still clicking on attachments infested with viruses and they’re still

sending out inappropriate email jokes and IMing with their mothers.

”We just don’t do a good job of telling people how to avoid risks,” says Woolley. ”They

arrive at a new job. We hand them a system and expect them to know how to use it…

Challenge them to think about these risks before you turn them loose in the office.”

Woolley says basic training needs to start with teaching people how to recognize spam, fraud

and hoaxes. Then, he says, teach them about viruses, worms and Trojans. When employees hear

these terms, what do they mean? What should they be alert for? What should they do when they

think they’ve encountered one?

Social engineering is the next thing workers need to learn about. Someone intent on stealing

corporate information is often quick to make employees unwitting accomplices. People need to

know that they shouldn’t leave their passwords written on Post-It notes stuck to their

monitors. They should never give user names or passwords over the telephone. They shouldn’t

talk about network critical information when they’re in the parking lot or smoking area.

”We need to talk about security on a routine basis,” says Woolley. ”It needs to be a top

priority for every corporation and it needs to come from the top down. People need to see

that the CEO and CFO are concerned about it.”

Tony Magallanez, a systems engineer at F-Secure, Inc., a data security and anti-virus

company, says training can’t be a one-time proposition. He says security awareness needs to

be part of new employee orientation and then training sessions for all employees should be

held periodically. Add to that, email alerts to end users, keeping them updated about the

threat of new viruses, spam tactics and hoaxes.

Larson adds that end users need to understand about tracking methods. When they click on an

ad, it could have sophisticated tracking mechanisms that will add to the amount of spam

coming in. She also notes that employees need to know that they shouldn’t be shopping online

with company equipment because company account information could be harvested.

”Every company should be working this into their schedule as best they can,” says Larson.

”Make employees understand they are a valuable part of the solution. You need to get them

invested in protecting the network.”

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles