by Tim Wilson

End user training often overlooked in fight to stop emerging worm threats

Feb 04, 2004 (4 mins)
Enterprise Applications, Security, Viruses

* Lessons from MyDoom

The rapid spread of the MyDoom worm last week proves that one of the enterprise’s greatest assets is also one of its greatest security weaknesses: user humanity. This week, we look at one of the most effective means of dealing with human nature, which also happens to be one of the most overlooked aspects of outsourcing: training.

While software experts and security tool vendors continue the debate over whether the worm could have been prevented technologically, they are all stumped by one undeniable truth: an e-mail worm or virus cannot infect systems unless it is opened by an unsuspecting user. The chief vulnerability exploited by MyDoom is a user’s curiosity.

Other e-mail viruses have exploited this curiosity as well, but MyDoom takes worm camouflage to a new level. By using provocative subject lines, such as “mail delivery system” or “server report,” MyDoom masqueraded as an official system message, as opposed to a personal message as previous worms did. As a result, many users felt that they needed to open the attachment – they weren’t just being curious.

In addition, MyDoom deceives users by showing a simple message.txt attachment at the top, then skipping 60 lines or so before showing the actual executable attachment. Experienced users know that simple text files are typically not dangerous, so they clicked on the attachment without recognizing the nefarious .exe, .scr or .zip attachment underneath. Again, many users felt they were behaving responsibly when they opened the attachment.
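As an added illustration (not part of the original column), the check below shows how a mail gateway could flag the disguise described above. It assumes the gap is whitespace padding inside a single attachment name, which the column does not specify; the decoy-extension list, padding threshold, function names and sample message are constructed for this example.

```python
import re
from email import message_from_string

RISKY = (".exe", ".scr", ".zip")   # payload types named in the column
DECOY = re.compile(r"\.(txt|doc|html|htm)(?=[\s.])", re.I)  # assumed decoy list
PADDING = re.compile(r"\s{5,}")    # assumed threshold for a padding run

def filename_findings(name):
    """Return reasons an attachment name looks disguised (empty list if none)."""
    _, dot, tail = name.rpartition(".")
    real_ext = dot + tail.strip().lower()   # the extension the OS will act on
    if real_ext not in RISKY:
        return []
    findings = ["risky-extension:" + real_ext]
    if DECOY.search(name):                  # harmless-looking extension shown first
        findings.append("decoy-extension")
    if PADDING.search(name):                # gap that pushes the real one out of view
        findings.append("whitespace-padding")
    return findings

def scan_message(raw):
    """Map each attachment name in a raw RFC 822 message to its findings."""
    report = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        if name:
            report[name] = filename_findings(name)
    return report

# Constructed sample: a fake "system" notice with a padded attachment name.
SAMPLE = (
    "From: postmaster@example.com\n"
    "Subject: mail delivery system\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "The message could not be delivered.\n"
    "--b1\n"
    "Content-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="message.txt' + " " * 60 + '.scr"\n'
    "\n"
    "placeholder\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A name that trips all three findings is the pattern users in the column mistook for a plain text file, which makes it a useful slide in the training the column recommends as well as a gateway rule.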

If nothing else, the rapid spread of MyDoom indicates that there is a strong need for a more structured method of educating users on the nature of security vulnerabilities and the proper procedures for avoiding them. In the past, IT departments have generally approached education on an ad hoc basis, sending out messages to warn users of potential threats and the proper procedures for avoiding them. This is obviously the best method for alerting users to near-term threats that require immediate action (or avoidance of action).

With the widespread occurrence of worms and viruses over the past year, however, it is becoming increasingly clear that end users need more comprehensive training on secure computing behavior. They should be given some idea as to what computer hackers and criminals can and can’t do, and which activities pose the greatest threat to the enterprise network. They should be taught company security policies, and told the penalties for violating them. Of course, part of that training would include instructions for responding – or not responding – to incoming e-mail from unknown or unexpected senders.

This sort of training presents a problem for many IT departments, which may not have the manpower or the training skills required to conduct such a comprehensive education program in an expedited fashion. One quick method to ensure that this training is done – and done quickly – is to outsource it to a third-party training provider.

Third-party training firms have established methodologies for doing on-site training, from developing the curriculum to ensuring that all employees complete the program. In IT organizations where training staffs are small, these third parties can handle such enterprise-scale efforts with much greater alacrity than any in-house program. In some cases, an outsourcing provider can even bring additional facilities to the table, such as distance learning or online media technology to include remote employees.

Some enterprises may be reluctant to bring in a third-party organization to teach security policy, which obviously differs from company to company. However, most third-party training providers are accustomed to tailoring their programs to fit specific corporate needs, and they can generally be contracted to keep enterprise security policies entirely confidential.

As the old saying goes, a chain is only as strong as its weakest link. In the case of worms such as MyDoom, the weakest link is the uneducated end user who opens an attachment without knowing the facts. An outsourcing provider can help companies to mitigate that vulnerability, lowering risk and potentially saving thousands of hours in lost productivity – without putting undue pressure on already overtaxed IT training departments. With new worms and viruses coming out almost every month, such an outsourcing project is at least worth considering.