Security fail No. 4: End-user education earns an F Since the dawn of personal computing, we've warned users not to boot with a disk in their floppy drives, not to allow the unexpected macro to run, not to click on the unexpected file attachment, and now, not to run the unexpected antivirus cleaning program. Still, it does not work.
If our end-user education policies succeeded, we would have defeated hackers and malware by now. And if recent trends are any gauge, end-user awareness is worse than ever. Social engineering Trojans, which trick end-users into running malicious programs, are the biggest threat by far. Most end-users readily give up all privacy to any application or social media portal, and they do it without any thought of the repercussions, which includes greatly increasing their likelihood of becoming a target and succumbing to social engineering.
I strongly fault the people behind most end-user education programs. In their hands, end-user education becomes a forced, unwanted childhood chore. Education is undertaken haphazardly, using spotty curriculum that usually doesn't contain information relevant to the latest attacks. Let me ask you a question: If the No. 1 way end-users get tricked into running Trojans is through fake antivirus prompts, does your company tell your employees what their real antivirus program looks like? If not, why?
That type of disconnect puts IT systems in jeopardy. On average, it takes two years for the latest threats to show up in end-user education programs and only a minute for the bad guys to switch themes, putting us behind another two years.
You know what works better than end-user education? More secure software and better default prompts. Don't expect end-users to make the right decision; instead, decide for them. Macro viruses didn't go away until the default option was not to run the macro. File attachment viruses didn't minimize until most of them were blocked and it became harder to run them in the first place. Autorun USB worms didn't go away until Microsoft forced out a patch that disabled autorunning from USB keys as a default.
End-user education has never completely worked because it only takes one person, making one mistake, to infect your whole company. But you can reduce risk by producing better, more targeted end-user education.
Security fail No. 5: Password strength won't save you Here's a frequently repeated security mantra: Create a strong password, one that is long, complex, and frequently changed. Never mind that users are famous for reusing their passwords across multiple websites and security domains, for being tricked into typing their log-on credentials into fake authentication prompts, and for giving their passwords to random emails. Heck, a large portion of the population will give out their real password to strangers on a street for a smaller dollar gift. (The last statement has been tested over many years, in different countries, by many different survey companies, and the result is shockingly the same.) Many of your end-users simply don't care as much about their password as you'd like.
Sign up for CIO Asia eNewsletters.