To help fend off spam, viruses, identity theft and corporate sabotage, IT managers need to
train company employees to protect themselves and the corporate network.
The problem is that is simply isn’t happening.
Budget cuts and staffing shortages are making it difficult for IT managers to focus on
anything beyond putting out daily fires and staying current with software updates, patches
and security alerts. It’s no wonder, say industry analysts, that there’s no time to hold
training sessions to teach people in finance, marketing and human resources to not fall prey
to identity theft or the latest virus.
But the lack of training is causing those same IT managers even more headaches and even
longer hours in the office.
”It’s critical that IT managers focus on education, despite the constant pressure,” says
Chris Belthoff, a senior security analyst with Sophos, Inc., an anti-virus software company
based in Lynnfield, Mass. ”Training, in the end, is going to benefit their department.
Educated end users will reduce the amount of issues and fires they have to put out.”
Those daily fires are definitely torching any ideas of IT managers having enough time to
hold training sessions, or even simply send out email alerts when new viruses or hoaxes rear
their ugly heads.
An estimated 90 percent of IT managers reported in a recent survey that they provide no
employee training on how to manage spam and junk mail, according to a report from
SurfControl Plc, a Web and email filtering company with a U.S. base in Scotts Valley, Calif.
And the report shows that they’re forgoing training despite the fact that many employees may
be dealing with more than 1,500 pieces of junk email each year — and that’s just from
people they know.
”It’s not just up to the IT people to keep the network secure anymore,” says Susan Larson,
vice president of global product content at SurfControl. ”This is a dynamic process of
keeping employees aware… Several years ago, Internet use policies were not even in place.
Now, 75 percent of companies have policies. But now they feel they can hand out the policies
and that’s enough.
”If employees don’t understand how they can help, they become part of the problem,” adds
Larson. ”Employees are ultimately critical. It’s not just ‘my mailbox’. Multiply that by
10,000 users. Obviously, they shouldn’t be answering spam. They shouldn’t be using Outlook’s
Preview page because that sends tracking information back. There’s a lot to it.”
And Dan Woolley, a vice president at network security company SilentRunner, says employees
are a huge part of the problem. Workers use their corporate systems to shop online, fill out
surveys and generally do things that spread their work email address around to be scooped up
and used by spammers. They also are still being fooled by email chain letters promising them
riches and airplane tickets if they forward the email on to 10 of their most gullible
friends. They’re still clicking on attachments infested with viruses and they’re still
sending out inappropriate email jokes and IMing with their mothers.
”We just don’t do a good job of telling people how to avoid risks,” says Woolley. ”They
arrive at a new job. We hand them a system and expect them to know how to use it…
Challenge them to think about these risks before you turn them loose in the office.”
Woolley says basic training needs to start with teaching people how to recognize spam, fraud
and hoaxes. Then, he says, teach them about viruses, worms and Trojans. When employees hear
these terms, what do they mean? What should they be alert for? What should they do when they
think they’ve encountered one?
Social engineering is the next thing workers need to learn about. Someone intent on stealing
corporate information is often quick to make employees unwitting accomplices. People need to
know that they shouldn’t leave their passwords written on Post-It notes stuck to their
monitors. They should never give user names or passwords over the telephone. They shouldn’t
talk about network critical information when they’re in the parking lot or smoking area.
”We need to talk about security on a routine basis,” says Woolley. ”It needs to be a top
priority for every corporation and it needs to come from the top down. People need to see
that the CEO and CFO are concerned about it.”
Tony Magallanez, a systems engineer at F-Secure, Inc., a data security and anti-virus
company, says training can’t be a one-time proposition. He says security awareness needs to
be part of new employee orientation and then training sessions for all employees should be
held periodically. Add to that, email alerts to end users, keeping them updated about the
threat of new viruses, spam tactics and hoaxes.
Larson adds that end users need to understand about tracking methods. When they click on an
ad, it could have sophisticated tracking mechanisms that will add to the amount of spam
coming in. She also notes that employees need to know that they shouldn’t be shopping online
with company equipment because company account information could be harvested.
”Every company should be working this into their schedule as best they can,” says Larson.
”Make employees understand they are a valuable part of the solution. You need to get them
invested in protecting the network.”