MyDoom makes it past execs

Too many corporate executives set down edicts, contract out the security awareness services and then ignore their own advice. They expect everyone else to do the dirty work. This is a patently unacceptable approach to security and just goes to show how much we in the security world depend on the average IT user to help protect networks.

Recently I got a panicky phone call from Henry, the security administrator of a California hospital I have done business with for years. It seems the hospital had been hit by a nasty case of the MyDoom virus that began its explosive growth during the last week of January. After attempting to calm Henry down, I asked how MyDoom got released inside the hospital, which has about 2,000 desktops, 1,000 remote machines, and the usual assortment of Windows and Linux servers.

"That's the really bad part," he harrumphed. "Our execs did it."

"Your execs? What do you mean they did it?"

"They clicked."

"No!" I was flabbergasted. "They clicked on an attachment that says, 'Virus detected, do not open'?"

"Yes."

"But what about your corporate security policy we spent so much time on, which clearly states, 'Do not click on unknown attachments'?"

"They ignored it," he sighed. "Five of them."

Five executives in his hospital had clicked on MyDoom - and brought the e-mail system to a grinding halt. I thought about this for a second and postulated, "You know, Henry, if you or some of your desktop users had done the same thing, you would all be hung out to dry, at least according to your corporate policies. I suppose, then, our security awareness program isn't doing as well as we thought?"

"No, quite the opposite, in fact!" Henry sounded more upbeat now. "Over a hundred from our general user community called the help desk and asked what to do. The staff did their part; the execs failed us."

I heard similar stories from several other large organizations and frankly was astounded. The corporate executives who demand IT perfection from their administrators, want 100% availability on all services and expect everyone in their company to follow security policy - these are the very people at the root of the problem.

When I heard that on Feb. 2 China reported hundreds of thousands of computers infected with MyDoom, I could understand it. China has a low level of security awareness and a widespread absence of effective anti-virus software among its 78 million online population; thus, it is especially vulnerable to worm attacks. But in the U.S., where executives authorize the spending of tens of thousands of dollars and more annually to manage effective anti-virus defenses and educate their online user base, I am sorry - there is no excuse for falling victim to MyDoom.

I can't buy the argument "I didn't know about it" as a valid excuse to misbehave on your own network and click on an infected attachment, even if it did come from your closest friend.

That's part of how the bad guys are getting to us: through social engineering. They are preying upon the fact that we like to trust our friends, and we like to trust the e-mails they send us.

I grew up in New York and can smell a scam artist a thousand yards away. That is what we try to get people to understand through security awareness: It's not only about the technology. It's about common sense, alertness and a bit of rational paranoia.

So listen up educators, trainers, network security folks and human resources professionals: Your executives are not exempt. They, too, must be expected to learn, understand and follow security policy; participate in awareness training; and be held to the same standards they hold their employees to. Senior management has to realize they are either part of the solution or part of the problem. It's up to the rest of us to make sure that message hits their desks, too.

Schwartau is president of Interpact, a security awareness consulting firm, and author of several books, including the recent Pearl Harbor Dot Com. He can be reached at winn@interpactinc.com.

Copyright © 2004 IDG Communications, Inc.
