Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.
Well at least we have got to the root of the problem.
I wholeheartedly disagree, it's entirely possible to make it a positive discussion. Obviously if IT come in screaming 'told you so' of course it'll be a disaster. But I've honestly never heard of a group of people feeling like it's us vs them as a result of doing this in advance. We've had more kickback from staff who haven't been phished in advance.
People generally pay more attention due to there being evidence that their assumption is wrong. But just to repeat myself, it's not about rubbing people's noses in it. It's about explaining that this is a real concern for everyone, and then helping them address it.
Unless that's purely a Dutch thing and Aussies have their heads too far up their asses to pay attention, which is of course entirely possible too
No modern business should be materially impacted by cryptolocker. The technology and solutions are already in place. As you say, the value is hard to quantify.
Whoops, missed your post, pablo.
Which sums up what I was feeling way nicer than I did
Best practice surely has to include some attempt at user education, it can't be as black and white as that?
Even though I'm not currently in enterprise IT, I started my career there. I understand the general animosity and "necessary evil" mentality that many users have towards everything IT-related, and the fact that some people will never get it nor give a shit no matter how hard you try.
But if you're not making at least some attempt to educate users regarding known common threats (which should include vectors like social engineering), then you're surely making your life more difficult in the end?
Though I also acknowledge that corporate culture has a big role to play here, and in some orgs/industries you're always just going to be pissing up a tree.
Some companies will appreciate the proactive, in-your-face promotion of the fact that the users are the biggest problem. At many more, it will get you canned.
User education is a key part of a good defense in depth strategy.
You can give people the best stuff, highly secured environment, but if they type their credentials into a basic phishing website it's all for nothing.
Nope. People are emotional brats.
As the son of a Dutchman, you've hit the nail on the head. Dutch logic is wonderful, and the ability to be objective in the face of evidence is something I sincerely miss working for an Australian business full of people who cry about how much their feelings are hurt every time we try and move the business forward.
This whole country is much the same. Every time you try to make progress, you get people in tears over how much it hurts everyone's feelings. Utterly ridiculous.
Walking on eggshells is by far the worst aspect of my job.
I genuinely don't know. And nor does anyone else, because if they did, this stuff wouldn't exist.
When you're dependent on the functionality of a tool for 80% of your work day, make it your business to learn how to use that tool.
If you're too stupid for that, maybe don't completely disregard this simple instruction from the people who provide you support in using that tool: "Don't blindly open every single email attachment you receive".
Failing that, please feel free to hassle me repeatedly about not being able to log on to your computer while I restore all the files you encrypted and generally clean up after you shitting all over the office floor. That's a great way to get back on side.
Fuck, a flux-capacitor-equipped DeLorean is standard equipment for every modern business?
Why do I waste my time isolating the affected computer and then restoring data from the last good backup while people wait for their files, when time travel is already in place?
My tongue has pretty much constant bite marks on it.
So we give in to the "No red marker" brigade and don't at least try to help users by giving them a little test? OK, they may feel a little bit sheepish if they flunk, but ultimately it might save a lot more grief next time, even if it just makes them pause and think: should I click on this $stealmypaypal/cctrojan/webcambroadcastworldwideforprofit$ link, or maybe should I call IT?
I'm sorry, but I did, with management approval, run a phishing test on my users once. 10% failed real bad when it was blindingly obvious (I made the page say "Password stealing website", ffs) and yet they STILL entered their details.
We need to stop worrying about a very small percentage of users' feelings and just move on. Or another way might be to look at it this way.
Joe Average receives a company credit card and, because he is lazy and doesn't think, writes his PIN on the back of the credit card. He then proceeds to leave it in his car in a very visible place and it of course gets stolen. Fearing for his job, he doesn't tell finance for a week, by which time the card has racked up $50,000 on it.
To my way of looking at it, how is the above story any different to any of the ways almost everyone's users on these forums have got infected with cryptoware? It's almost the same level of stupidity as the above C/C example. I bet in the above C/C example the person would get reamed by finance and probably fired, but if you were to swap it with IT, it'd almost get waved off with little more thought, other than a pissed-off IT guy cleaning it up, with no real comeback on the user. But like I said, to my thinking it's near the same level of stupid.
OK, OK, chill.
Here's the deal: I agree with you. 80% of people in the workplace are incompetent and need a bloody good slap (figuratively speaking, although literally would also be satisfying). Most will continue to avoid good advice until it bites them in the arse, and then they'll come crying to people like you and me for help at the 11th hour. And not at their expense, but at ours, as we put the hours in to fix their fuckups while they go home and put their feet up with their families.
Depending on where you work, IT departments frequently get no respect. That means no budget, no people, and nobody listens to their warnings and advice. This is not every business, of course. But it is a lot of them.
Performing sting operations on your users is walking a tightrope. If you can pull it off with management support and everyone learns something at the end: my hat off to you. That sounds like an incredibly challenging situation that needed some good planning, and if it worked, then you have my genuine admiration.
Perhaps I'm being biased by the experience of working with creatives too long, but where I come from (and with the lack of organisation available to me currently), my company would fail at such a task, and end up making the general working population hate IT a whole bunch. What would happen here is we'd drive the already troubling wedge between IT and regular users in a little deeper, and it would give the users one less reason to seek our help when they should, "proving" to them that we're not on their side, and that they should continue doing things without our advice. Again, I work with a highly emotional lot (speaking industry-wide, not just our business), so I completely acknowledge that I could be way off the mark for your regular corporate setup.
So again, if you did it and came out in a better spot than before (people respected IT the same or more, and you educated some users), then that's worthy of praise. I shudder to think what the result of such an operation would be where I work currently, given our lack of resources as well as the temperament of our users.
Last week I had 3 users ask about suspicious emails. All were phishing emails that had slipped through our Barracuda spam filter. I'm not sure what it is about this company, but it seems the users give a shit; in my MSP days people would get hit daily and play dumb. I wonder if it's a culture thing within a business: if people care about the business, then they are more diligent.
How do you find the Barracuda spam filtering on the whole? Are you appliance, or hosted?
Our current solution is EOL soon, and it's almost time to start looking at alternatives.
Sure, why not? If I were the one doing the attacking, I'd have a dozen or so of these things that I'd use in rotation. Users will forget after 6 months, so why not recycle it and save yourself a bunch of effort?
I'd do a census one... Seems topical
You have an evil mind. I like it.
This actually pre-dates the census, but I expect they might ramp up a bit now.
Appliance, and I don't manage it, so I can't really comment. It has had an issue here or there. One was renaming the file extension on PDFs to something else, but it was resolved quickly.
The end users like it; we have it set up so they can manage their own white/black list and preferences.
You're a pretty cluey guy. Surely practicing professionalism ain't gonna kill ya!
Professionalism is entirely different to managing histrionics.
Another reminder that I work in the creative industries. By comparison, corporate life is a walk in the park.