Most end users in this day and age are considered savvy when it comes to basic computing in the workplace. Users are better able to do their work and get through their days without assistance from the helpdesk. Computers and software are evolving, but it doesn’t appear that we as end users are motivated to evolve with them.
In the last 12 months, nearly every system I have seen infected by one of these threats has been allowed in by a user who didn’t see the threat coming. They believed they were just doing what their computer had told them a million times to do: install a patch, a browser plugin, an app, or approve some security setting so they could proceed. Users are not looking at security as an adversarial game. Many still see it as the responsibility of their protective software and their IT teams. We have been trained to install whatever we are asked to install, without question, so that we can keep doing what we were trying to do, and thus to intrinsically trust the computer to take care of itself.
Times have changed. We cannot trust the computer or the anti-virus software to protect us. We need to be active participants in protecting ourselves from being exploited. As IT professionals, we need to take the extra step of re-training our users to recognize threats in their many forms. As users, we need to recognize that, for better or worse, it is in our best interest not to assume that what’s in front of us is genuine or necessary.
Talk to people about all the different ways a computer can be compromised. This will help put them into a defensive posture and might just help them spot a rogue link or an unexpected email. Empower them to verify any request to install something, until they are able to tell friend from foe.
Educate them on what protective software is installed and how it works. Help them understand what popups from your company’s IT products and services are supposed to look like. Show them the common tricks used to get them to click on things they shouldn’t.
Show people how malicious code impacts their lives. Most of the time we are removed from the impact by the IT team that dutifully works to recover from the infection. Do a post-mortem to really understand the time and money lost each time something gets through. Put a value on it in terms people will understand, whether it is a dollar value, the number of hours spent, or even the bitcoin you have had to pay to recover irreplaceable data. Find a way to help people understand the true cost of infections.
One great example was a company that suffered a single infection by a crypto-ransomware virus from a now shut-down ransomware network. It encrypted 20,000,000 files over a long weekend. Had they not been able to recover from backup, it would have ended the company. The total price tag would have been tens of millions of dollars lost, along with 200 jobs. Happily, since their re-training efforts a year ago, they have not had a single infection.