Information Technology professionals have long heard the expression that the “best way to secure a computer is to pull the plug.” Barring the benefits to your electric bill, let’s face it – that is not a practical solution.
Computer viruses, which pose the biggest challenge with information security, have been around for a long time. Way back in 1999, the Melissa Virus was released. Considered to be the first virus sent in mass quantities via email, Melissa pored through Outlook address books to infect machines at a rate of 50 at a time. Since then, thousands of viruses have been created and distributed across the globe. In fact, the two largest anti-virus software publishers have created over 17 million scripts to identify viruses and their variants to help protect systems.
Even with all of the technical prevention tactics and security software available, viruses still get in and wreak havoc on network environments. Preventing them from infecting your systems requires a multi-layered approach. However, the first layer, and one of the most important, is your users.
Since the Melissa Virus, email has become the preferred method of virus distribution. If you have users who are connected to the internet, it is imperative that you provide regular user training. User training on an organizational level serves several distinct purposes:
- It educates users on how malicious emails are designed to deceive them into downloading dangerous payloads. The more familiar users are with these deceptive tactics, the more easily they can identify and avoid infected emails.
- Training keeps users vigilant for fraudulent or malicious activity. When we are called in to clean a virus, the cause is often a user who is aware of dangerous viral email tactics but was either in a hurry or was no longer on guard. Regular training keeps users aware and alert for security threats.
- Training provides an opportunity to review your company security policies. Through re-evaluation of organizational procedures, processes, and platforms, you can better secure your company by incorporating best practices from your security training.
- The information is beneficial beyond an information security scope. Often, other productivity and security enhancements are discussed, encouraging each user to leave with a new productivity-improving shortcut or feature that can be regularly incorporated.
However, user training is only as beneficial as the results it provides. It’s important to evaluate and measure the success of your training to ensure that your employees’ time is being utilized effectively. Although there are several ways to determine the success of your user training, an effective tactic involves random email testing. I’ll cover the benefits and uses for random email testing in my next blog.