Training, relevancy are keys to security

Tired of fighting e-mail macro viruses in your enterprise? Help employees understand the REAL cost of such attacks. Make it relevant, John McCormick says.

Were you hit by the Love Bug? I wasn't, and neither were my clients—and we weren't really bothered by Melissa, either.

Why? I hate to keep harping on this, but most security is simple. Therefore, the nature of security training is repetitive.

Beyond my complaint that the most popular software in the world is chock full of incredible security holes, the fact remains that those who followed basic security recommendations weren't affected by Love or Melissa. That held true even though many of them use Microsoft Outlook, which has consistently proven to be vulnerable to macro viruses.

Silly mistakes will get you
If you didn't make the silly mistake of opening attachments that you weren’t expecting in the first place, then you missed out on all the fun. You didn’t help the virus spread, you didn’t lose graphic files, and you didn’t suffer system corruption.

With Love still in the news and in the consciousness of upper management, now is a great time to outline a one-hour training session for everyone in your company. Anyone who has access to a computer should attend.

From the night janitor who may just be innocently playing Solitaire during breaks to the CEO, everyone needs a basic explanation of why they should and must follow basic security rules. In many companies, people are told at least once during their training that they shouldn't download programs or bring floppy disks in from home. But unless you explain to them just why, then most will assume the issue is related to wasting company time on personal stuff, and warnings will go in one ear and out the other.

Explain that while they are stealing company time, that's not the problem. Point out that even the most innocent sounding e-mail message with an unexpected attachment, or the cutest Web page, or the most useful-seeming utility, can steal personal or company information, or even delete entire hard drives full of critical data.

Be suspicious
Emphasize that, just like the con man who looks so honest, the most innocuous Web page or e-mail message is actually the most likely to be dangerous. No con man makes a living off victims by looking suspicious. Likewise, a virus-infected attachment is unlikely to be announced by some subject line such as, "Don't open this attachment—it contains a virus!" No, it's going to say, "Here's the contract," "This virus alert is for YOU," or "Please read this love letter."

Be careful out there. Remember, too, to always be suspicious of any e-mail whose subject line is printed in all caps!

If computers make a vital contribution to your company, and they’re not just used for convenience, then you really should have a Draconian rule that states that it's one strike and you're out if you violate the well-publicized guidelines. Security is vital to business, and it's not as if the rules are hard to follow!

In today's tight employment environment, however, that sort of extreme consequence probably isn't practical. Perhaps you could instead impose a mandatory week off without pay, but that's probably the biggest penalty you could score, and it would probably only fly in a business that was shut down by Melissa or Love.

Make it relevant
Here’s what might be your best solution: Take a few minutes to explain in detail how a violation will affect each group. Tell executives just what will happen to the business's bottom line. Give ‘em some hard numbers backed up by news reports of the dollar amounts businesses will lose as a result of the latest virus. Ask secretaries or data entry employees just how much fun it will be to stay late for a week, and then to report in on the weekend to re-enter the last month’s work. Forget about that trip to the Hamptons or flight to a resort—you’re going to be working weekends for a month rebuilding spreadsheets and re-entering sales data because you wanted to learn if a coworker down the hall really loves you.

If you think upper management is already aware of the dangers of computer viruses and other security problems, let me offer up the example of John Deutch. He reportedly put top-secret work on his home PC and is now facing an FBI investigation. According to the Office of the Inspector General, Deutch, the former Director of Central Intelligence for the Central Intelligence Agency, the person who oversaw the entire federal intelligence infrastructure, put code-word level security documents on the same computer that carried his private Internet account. Investigators found his personal banking information on the same PCMCIA memory cards with classified files. If a former MIT provost and professor doesn't understand computer security, what's the chance your CEO does?

John McCormick is a consultant and writer (five books, 14,000 plus articles and columns) who has been working with computers for more than 35 years.
