Engineering Management Blog

Engineering Management

The Engineering Management Blog is the place for conversation and discussion about engineering and project management, technology forecasting and planning, productivity tools, and safety and security. Here, you'll find everything from application ideas, to news and industry trends, to hot topics and cutting edge innovations.

Previous in Blog: When All Else Fails, Make Up the Data   Next in Blog: Lean Manufacturing: Jidoka and Poka-Yoke
10 comments

No Substitute for Diligence

Posted July 11, 2009 8:58 AM

Evidence suggests that the most common causes of malware invasion come from carelessness or inattention by people inside your company rather than from the insidiousness of the forces of evil outside. What measures do you take to protect your information base? How do you educate your people about the security practices that you put in place? How carefully do you monitor their compliance? How successful are your efforts? What security breaches have you experienced? How have they affected your day-to-day operations? What kind of damage control was required? How did you change your policies in the aftermath of the breach?

The preceding article is a "sneak peek" from Engineering Management, a newsletter from GlobalSpec. To stay up-to-date and informed on industry trends, products, and technologies, subscribe to Engineering Management today.

Reply

Guru
United Kingdom - Member - Not a new member!

Join Date: Jun 2008
Location: USA/Europe
Posts: 4547
Good Answers: 68
#1

Re: No Substitute for Diligence

07/12/2009 1:32 AM

Evidence suggests that the most common causes of malware invasion come from carelessness or inattention by people inside your company rather than from the insidiousness of the forces of evil outside

I cannot agree with this statement.

In my past companies I have taken the care to set up full protection against viruses, Trojans and other malware, etc.

BUT, if the software (anti-virus etc.) stops finding or searching for malware, any malware is free to infect any part of the computer.

It is after all, only as good as the last update, assuming the update works!

__________________
Take it easy, bb. >"HEAR & you FORGET<>SEE & you REMEMBER<>DO & you UNDERSTAND"<=$=|O|=$=>"Common Sense is Genius dressed in its Working Clothes"<>[Ralph Waldo Emerson]
Reply
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#2

Re: No Substitute for Diligence

07/12/2009 3:17 AM

How do you educate your people about the security practices that you put in place?

Huh ?

By them finding out that they can't access programs or sites they're not authorized to, and by them not being able to insert pen-drives and similar media. Security software should update and run in a manner that from the employee's position is invisible. Don't put sensitive information on laptops, and shoot people who lose them.

__________________
For sale - Signature space. Apply on self addressed postcard..
Reply
Guru
United Kingdom - Member - Not a new member!

Join Date: Jun 2008
Location: USA/Europe
Posts: 4547
Good Answers: 68
#3
In reply to #2

Re: No Substitute for Diligence

07/12/2009 4:42 AM

Hello Kris,

Are you OK?

I have to say I agree with everything you say.

When managing a whole network of computers and printers/scanners, as you say the 'safety' should be invisible and the workforce should be made aware of the thoughtless ease of infecting a system or a single computer.

Once a single computer has an infection you have to assume the whole system has that same infection!

The ideal of course, is not to let any memory cards etc. be used at all. And do not allow any transfer of info to other sections and offices when it is not needed. In short, to keep control!

I find it pretty scary that most computer users do not think of external disc drives as carrying, or having the potential to carry and spread, viruses etc.

'Works' computers ARE NOT THERE FOR AN INDIVIDUAL'S PRIVATE USE! But many of the workers get pis-ed when told they cannot use their computers to visit email and other personal sites, which is where there is more likelihood of catching a virus?

The users have to know they are >>>AT WORK<<<! It is not for their private use at all, but as I say most will be angry NOT to be able to use the computer as they would their own?

__________________
Take it easy, bb. >"HEAR & you FORGET<>SEE & you REMEMBER<>DO & you UNDERSTAND"<=$=|O|=$=>"Common Sense is Genius dressed in its Working Clothes"<>[Ralph Waldo Emerson]
Reply
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#5
In reply to #3

Re: No Substitute for Diligence

07/15/2009 3:05 AM

Hi bb,

All good here, hope things are fine with you too.

Good points about making clear the boundary between work and personal stuff. A company that tries to operate a relaxed environment where people make personal phone calls/surf the web etc is asking for trouble. Before they know it, the balance of work/personal activity will change dramatically, and it will all go to pieces. The trouble is, a certain amount of activity that's not directly related to job-function can be useful - quick chat getting to know other employees, call home to say "I'm working overtime" can be useful. It's very much a judgement call on the part of management.

The topic is interesting, though a little off-topic here outside of its context in security risk via personal computer use. Simply preventing that is the best move. The only specific type of web use that comes to mind is that if somebody needs to resolve a specific (and work related) problem, it would be useful if they can access the web in order to try to find solutions. That might be some unusual technical problem, gathering market research info, etc. Hopefully employees needing to generally hunt information on the web would have been employed at a certain level (and for sufficient time) for them to be trustable. Clear guidelines would help, as would logging of web-sites visited. An interesting example would be whether or not a company allowed certain employees to access CR4; it can provide fantastic technical information, yet the employee could be tempted to extend their research time to a little bit of checking out the fun stuff. I've not read anywhere of people's employers' approach to CR4, though I guess it's got to be 'they approve/don't have a restrictive policy' (!). Many companies ban YouTube and Facebook - the former is probably justified (though YouTube has a lot of good technical content), and the latter sounds very justified to block from the little I know of it (though I think CR4 does have some discussion on using it in business, though that may be directed at sole-traders which is a little different to the intent of the OP).

Overall, the answer certainly seems to lie in giving clear guidelines to employees, applying IT security/content blocking, and monitored access to the web where it might be justified for some employees.

__________________
For sale - Signature space. Apply on self addressed postcard..
Reply
Guru
United Kingdom - Member - Not a new member!

Join Date: Jun 2008
Location: USA/Europe
Posts: 4547
Good Answers: 68
#6
In reply to #5

Re: No Substitute for Diligence

07/15/2009 7:24 AM

Hello Kris,

Hope you are well? I am tired after working late last night and an early start today. Still, got to be done!

With ref' to 'Rules'. I think there should be a short list of things not allowed to be done at work. "WORK" being the operative word!!!!!

As I said in my previous post, work is where people earn a living, not play around.

It is a place where certain things are conducive to a more productive day, and there are other things which are not! The two cannot easily be mixed, though of course any friendships made at work and because of work can continue after work is finished. 'Friendships' can never be a reason for doing anything at work which does not involve the actual job you are employed to do, Right?

That may sound pompous but, I am old fashioned and, work is work and, play is entirely different!.....................

__________________
Take it easy, bb. >"HEAR & you FORGET<>SEE & you REMEMBER<>DO & you UNDERSTAND"<=$=|O|=$=>"Common Sense is Genius dressed in its Working Clothes"<>[Ralph Waldo Emerson]
Reply
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#7
In reply to #6

Re: No Substitute for Diligence

07/15/2009 8:22 AM

Hi bb,

I pretty much agree with you, especially on the matter of people doing a particular task out of favouritism etc. In a similar fashion, people not getting on with the job because of personal feelings is just as bad (if not worse). What I was really getting at was having a degree of latitude to enable a 'comfortable' atmosphere. At one end of the scale you have people acting like robots in a factory, and at the other you have people lounging about on beanbags/killing time with phonecalls etc. Neither extreme is good for any involved. Maintaining a healthy workplace morale involves carefully judged flexibility. Exactly how that can be done, and to what extent, depends upon the nature of the working environment and end goal.

This is somewhat off-topic to the OP, so I'll mark it as such, though it's an interesting digression.

__________________
For sale - Signature space. Apply on self addressed postcard..
Reply Off Topic (Score 5)
Guru
United Kingdom - Member - Not a new member!

Join Date: Jun 2008
Location: USA/Europe
Posts: 4547
Good Answers: 68
#8
In reply to #7

Re: No Substitute for Diligence

07/15/2009 9:49 AM

Hi Kris,

Yeah, see what you mean. But that 'latitude' is a way of making the atmosphere and way of working seem easier by allowing the odd phone call etc. and is a way of respecting anyone? But perhaps also being aware and not 'scared' to jump on people who take the pi-s?

Cheers my friend

__________________
Take it easy, bb. >"HEAR & you FORGET<>SEE & you REMEMBER<>DO & you UNDERSTAND"<=$=|O|=$=>"Common Sense is Genius dressed in its Working Clothes"<>[Ralph Waldo Emerson]
Reply Off Topic (Score 5)
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#10
In reply to #8

Re: No Substitute for Diligence

07/15/2009 12:53 PM

No point being in charge if you're not up to jumping on people who take liberties. In the bigger picture, it's a cost/benefit analysis.

__________________
For sale - Signature space. Apply on self addressed postcard..
Reply Off Topic (Score 5)
Guru

Join Date: Sep 2007
Location: Defreestville, NY
Posts: 1072
Good Answers: 87
#4

Re: No Substitute for Diligence

07/13/2009 12:07 AM

Deny admin rights. Unless the user knows what they are doing.

__________________
Charlie don't surf.
Reply
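The three controls the thread keeps coming back to (anti-virus that is "only as good as the last update" in #1, blocking pen-drives and removable media in #2 and #3, and "deny admin rights" in #4) can all be checked from a single script rather than trusted to be in place. The following is an added example written for this page, not code posted by any of the commenters. It assumes a Windows 10 / Server 2016 or later endpoint with PowerShell 5.1+, Microsoft Defender (for `Get-MpComputerStatus`), and the built-in LocalAccounts module (for `Get-LocalGroupMember`); the three-day signature threshold and the approved-administrator list are placeholders to be replaced with your own values.

```powershell
# Added example (not from the CR4 thread). Audits one endpoint against the
# controls discussed above and returns an object a monitoring job can act on.
# Assumptions: Windows 10/Server 2016+, PowerShell 5.1+, Microsoft Defender,
# and the Microsoft.PowerShell.LocalAccounts module are present.

function Test-EndpointHygiene {
    [CmdletBinding()]
    param(
        # Placeholder threshold: signatures older than this count as stale.
        [int]$MaxSignatureAgeDays = 3,
        # Placeholder list of principals allowed in the local Administrators group.
        [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. "Only as good as the last update": engine on, real-time on, signatures fresh.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("AV signatures are $($mp.AntivirusSignatureAge) days old " +
                          "(last updated $($mp.AntivirusSignatureLastUpdated))")
        }
    } catch {
        $findings.Add("Could not query Microsoft Defender status: $($_.Exception.Message)")
    }

    # 2. Pen-drives: the Group Policy keys behind "Removable Storage Access".
    #    Deny_All under the root blocks every removable class; otherwise the
    #    removable-disk class GUID needs both Deny_Read and Deny_Write set to 1.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $diskClass  = Join-Path $policyRoot '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
    $denyAll   = (Get-ItemProperty -Path $policyRoot -Name Deny_All   -ErrorAction SilentlyContinue).Deny_All
    $denyRead  = (Get-ItemProperty -Path $diskClass  -Name Deny_Read  -ErrorAction SilentlyContinue).Deny_Read
    $denyWrite = (Get-ItemProperty -Path $diskClass  -Name Deny_Write -ErrorAction SilentlyContinue).Deny_Write
    if ($denyAll -ne 1 -and -not ($denyRead -eq 1 -and $denyWrite -eq 1)) {
        $findings.Add('Removable disks are not blocked by policy (no Deny_All, or Deny_Read/Deny_Write not both set)')
    }

    # 3. "Deny admin rights": anyone in local Administrators not on the approved list.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        foreach ($m in $members) {
            if ($ApprovedAdmins -notcontains $m.Name) {
                $findings.Add("Unexpected local administrator: $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource))")
            }
        }
    } catch {
        $findings.Add("Could not enumerate local Administrators: $($_.Exception.Message)")
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Checked   = Get-Date
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Usage: run elevated, print the result, and return a non-zero exit code for schedulers.
$result = Test-EndpointHygiene
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

The registry paths are the ones written by the "Computer Configuration > Administrative Templates > System > Removable Storage Access" policies, so the check reports what the machine will actually enforce rather than what the GPO editor shows. Running the script from a scheduled task and shipping the `Findings` array to a central log turns the thread's "monitor their compliance" question into something measurable: a stale-signature finding from one host is a support ticket, the same finding from many hosts at once means the update mechanism itself has failed, which is exactly the failure mode #1 warns about.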
Guru
United Kingdom - Member - Not a new member!

Join Date: Jun 2008
Location: USA/Europe
Posts: 4547
Good Answers: 68
#9
In reply to #4

Re: No Substitute for Diligence

07/15/2009 9:52 AM

Hi stevem,

I know what you are saying. Even IF they know what they are doing a works program cannot be messed about with by anyone other than those managing surely? You know what I mean.................. is it the 'chimps' in charge or the 'keepers'? ;=)

__________________
Take it easy, bb. >"HEAR & you FORGET<>SEE & you REMEMBER<>DO & you UNDERSTAND"<=$=|O|=$=>"Common Sense is Genius dressed in its Working Clothes"<>[Ralph Waldo Emerson]
Reply Off Topic (Score 5)

Users who posted comments:

babybear (5); Kris (4); stevem (1)
