Let's face it: All of our efforts at improving employee awareness about malicious code have met with mixed success...
at best and at worst, complete failure. But, we can't give up! Solid user awareness is a crucial component of any successful antimalware program. Even if your technology is perfect, unaware users can inadvertently bring massive infections into your environment by shutting down antivirus tools, clicking on attachments, setting up renegade modems or wireless access points, and opening a variety of other avenues for malware to invade. So, we must improve our awareness initiatives surrounding malicious code. But, how do you do that?
First, craft your employee awareness message about malicious code so that it clearly explains the negative impacts of a malware infection. Many organizations have yearly or even quarterly security awareness initiatives, which often include posters, cafeteria table tents, organization-wide e-mail messages, lunchtime seminars and even periodic computer-based training associated with various security issues. In your own awareness initiatives of this kind, include specific scenarios describing what malware can do, emphasizing the serious damage it can cause. Mention that malicious code cannot only steal or destroy vital data on the employee's computer, but a nasty worm can also seriously impact your entire business.
Then, explain to employees exactly what they need to do to avoid these negative consequences. Here are some good examples:
- Never disable an antivirus tool.
- Allow an antivirus tool to update itself when it indicates new signatures are available.
- Do not open executable attachments in e-mail, no matter who appears to have sent it.
- Use only corporate approved modem and wireless access.
Keep these awareness messages short and focused on exactly what you want users to do.
For more info on this topic, visit these SearchSecurity.com resources:
- Weekly Security Planner: Your information security education, training and awareness program
- Weekly Security Planner: Social engineering --The low-tech side of high-tech
Next, back up your awareness activities by including some actual negative consequences if users violate your policies. We must put some "skin in the game" for our users, or they will ignore our policies with impunity. Work with your Human Resources department to determine reasonable penalties for violators of your malicious code policies. In many organizations, outright financial penalties (docking an employee's pay, for example) are not acceptable legally or politically. If this is the case for your environment, consider at least having a policy that states, "Employees who disregard the organization's malicious code prevention procedures, resulting in an infection inside the organization, will have the incident recorded in their annual performance evaluation." Then, follow up on this threat. For repeat offenders, especially those whose actions cause significant damage, raise the bar, possibly including temporary suspension or even termination.
Also, for each of your employee awareness topics, make sure you have a specific technology enforcing its defense -- detecting whether it has been disabled. That way, you can back up your users' actions and detect whether they are trying to subvert you. Employ enterprise-wide management tools for your antivirus programs and utilize network and host-based intrusion-detection systems to try to spot malicious code propagation early, tracking it down to its origination point.
Finally, recognize that investing in employee awareness training is like putting water into a leaky bucket. You invest in improving it now, and you will likely see a significant, measurable increase in employee security awareness. However, over time, their knowledge will dissipate. After six months or a year, they will likely have forgotten your message and will need to have it renewed. Does this leaky bucket mean that employee awareness is a waste? Not at all! When you think about it, all of our security activities are like a leaky bucket, needing renewal continuously. Did you patch your machines yesterday? I'll bet in less than six months, you'll need to patch them again. And, you'd never consider avoiding crucial patches because of this fact. Likewise, security awareness, a notorious leaky bucket, is still crucial in fighting malicious code.
About the author
Ed Skoudis, CISSP, is cofounder of Intelguardians Network Intelligence, a security consulting firm, and author of Malware: Fighting Malicious Code (Prentice Hall, 2003).