User education key to network protection
November 11, 2009 at 11:52 am
You’ve got your clients locked down tight. You’re running a good router with UTM, and it’s configured tightly, up to date, all of that. Your client machines run antivirus and they’re all patched. They’re protected from spyware and they’re blocked from sites that are… questionable. You’ve followed every security best practice you can find. You’ve done it all. But what about the users?
You’ve read the horror stories. Maybe you’ve even been unlucky enough to live through one. Users are the greatest risk to any network. Of course, every admin dreams of a network without users… imagine how fast things would run! I could finally get to those projects… but I digress. Users deserve a lot more attention from us. Their education can be the best investment an IT staff can make! For the record, I mean appropriate education: not teaching them how to replace RAM or diagnose their own issues, but how to spot a malicious email or pop-up. Maybe teach them why taping their password to their monitor isn’t such a good idea.
Educating users does two things. First, it reduces an admin’s workload. Unless you’re one of the three admins in the world who don’t have enough to do, this is a good thing. Second, and maybe more importantly, it can help tear down the wall between admins and users. All too often I’ve seen a line drawn in the sand between users and IT, when we’re all after the same goals. The very nature of our work makes users feel like we’re restricting their freedoms. Educating them on why we do the things we do can help them understand the daunting task we’re up against, namely keeping everyone productive while fighting against an underworld bent on the exact opposite. Experience has shown me that teaching users the very basics of proper internet and computer usage is not just a good idea, it’s nearly a requirement. It’s the only way you’re going to move from a reactive to a proactive organization.
What do they need to know? Users need to understand the basics of spyware, viruses and other malware, and how to spot, avoid and deal with it. Usually, dealing with it involves a call to the help desk, but that’s OK. If the user has been trained well, those calls are fewer, and they are more likely to come early enough that simple removal is still possible.
Teaching users about the social engineering tactics employed by the black hats is imperative. Emails, phone calls and even postal mail are all being used to pry passwords and other security details out of the least technical users. Many users still consider anything on paper to be legitimate… and we all know how that ends.
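The red flags a trained user is taught to look for in a suspicious email can be written down as checks, which is handy for building the "spot the phish" part of an awareness session. The following is an added example, not part of the original post: it pulls four classic indicators out of a raw message (a display name that claims a different domain than the real sender, a Reply-To pointing elsewhere, link text that shows one site while the href goes to another, and pressure-to-act-now wording). Both sample emails are constructed here for the demo; the domain comparison is a crude last-two-labels heuristic, not a public-suffix lookup, and the phrase list is illustrative, so treat the output as a teaching aid rather than a spam filter.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative phrases only; a real awareness kit would tune this list.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your account", "urgent action")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _split_address(header):
    """Split 'Display Name <user@host>' into (display, addr); a bare address gives ('', addr)."""
    m = re.match(r"^\s*(.*?)\s*<([^>]+)>\s*$", header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()


def _domain(host_or_url):
    """Crude registrable domain: the last two labels. Enough for a demo, not a public-suffix list."""
    host = urlparse(host_or_url).hostname if "://" in host_or_url else host_or_url
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _body_text(msg):
    """Return the text/html and text/plain parts of a message as one string."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def phishing_indicators(raw_email):
    """Return the list of red flags a trained user is taught to look for in an email."""
    msg = message_from_string(raw_email)
    flags = []

    display, from_addr = _split_address(msg.get("From", ""))
    from_dom = _domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""

    # 1. The display name carries an address or domain that is not the real sender's.
    m = re.search(r"[\w.-]+@([\w.-]+\.\w+)|\b([\w-]+\.(?:com|net|org))\b", display)
    if m and _domain(m.group(1) or m.group(2)) != from_dom:
        flags.append(f"display name claims {_domain(m.group(1) or m.group(2))} but mail is from {from_dom}")

    # 2. Replies are routed to a different domain than the one the mail came from.
    _, reply_addr = _split_address(msg.get("Reply-To", ""))
    if "@" in reply_addr and _domain(reply_addr.rsplit("@", 1)[-1]) != from_dom:
        flags.append(f"Reply-To goes to {_domain(reply_addr.rsplit('@', 1)[-1])}, not {from_dom}")

    # 3. Link text shows one site while the href actually points at another.
    body = _body_text(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        if shown and _domain(shown.group(0)) != _domain(href):
            flags.append(f"link text shows {shown.group(0)} but points to {urlparse(href).hostname}")

    # 4. Pressure to act right now, the hallmark of social engineering.
    lowered = body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append(f"urgency language: {', '.join(hits)}")
    return flags


# Constructed sample messages for the demo (not real mail).
SAMPLE_PHISH = """From: security@bigbank.com <alerts@bigbank-secure-login.example>
Reply-To: recovery@mail-relay.example
To: user@corp.example
Subject: Action required
Content-Type: text/html

<p>Your account will be suspended unless you verify your account within 24 hours.</p>
<p><a href="http://bigbank.com.login-portal.example/verify">https://www.bigbank.com/login</a></p>
"""

SAMPLE_LEGIT = """From: IT Help Desk <helpdesk@corp.example>
To: user@corp.example
Subject: Reminder: patch window tonight
Content-Type: text/html

<p>Servers restart at 22:00. Details: <a href="https://intranet.corp.example/patching">intranet.corp.example/patching</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

Run against the two constructed samples, the phish trips all four checks and the help-desk reminder trips none. The point for training is that every one of these checks is something a user can do by eye: hover the link, read the real address in the angle brackets, and notice who the reply actually goes to.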
Lastly, teaching the basics of how a computer works and why reboots, defrags and virus scans are necessary is a good idea. Your organization may (and should!) automate all of these things, but isn’t it better for the user of a tool to understand its basic functions? At the very least, that will help them know when something isn’t working right. Maybe that knowledge means you get to clone a failing hard drive instead of doing data recovery on one that’s already failed.