Persuading users to comply with e-mail security
Is there any way to keep a network safe from receiving loaded e-mails? I
work in a hospital and have viruses popping up in all sorts of locations. A big portion of e-mails we get are from other hospitals, so the problem is widespread. I have tried repeatedly to advise users to beware of any and all
e-mails that they receive -- to scan them first before opening them -- but for some unknown reason these people don't seem to get the point or don't care. We have installed filters that allow us to screen out potential carriers of viruses but this doesn't always work either and is very time consuming.
What can be done short of removing all e-mail privileges?
You're not alone in facing this problem. User behavior is still one of
the most serious security threats, especially to the medical community.
Even with good antivirus software that should identify infected e-mails,
many users will ignore the warnings. A firewall on every computer could help
too, at least to minimize infection by Trojan horse programs and block any
communication between the creator of the code and the computer it has infected.
Personal firewalls like ZoneAlarm and Tiny are affordable and very
Assuming that you have proper antivirus software in place on every
computer that's used for the hospital (inside and out) and regularly update
your antivirus definitions (the maker of the antivirus software should
offer this service), then the next challenge is changing behavior.
The best way to change user behavior is to show users the drastic
consequences of ignoring the rules:
Consequences for the hospital
The virus community has often talked about smart viruses and other code that
can be targeted at hospitals and which are capable of wiping out patient
medical records and critical research data. Other malicious programs can be designed to seek out and interfere with
hospital equipment, perhaps even switching off life-support systems. Imagine the consequences to the patients, hospital and staff if such an
incident occurred, one which could have been prevented by a little more
care. The creator of the virus may not have deliberately targeted the hospital. Or
the virus author may be a previous patient with a grudge, or simply a
malcontent looking for publicity.
Consequences for staff
Employers and courts have become far less tolerant of risky behavior by
employees, and the excuse of "I didn't know" is no longer a safe defense.
Staff who are careless about the way they deal with e-mail in such a
sensitive environment, and who have already been warned, may face
the risk of discipline, dismissal, a civil action and perhaps even criminal
charges, if their negligent behavior harms a patient.
Staff with dangerous biological infections, such as Hepatitis C, understand the
basic precautions they must take to minimize the risk of blood contact with
patients. The same common sense must apply to computer viruses. They threaten
patients, the hospital's reputation and job security. Avoiding the risk
is not hard.
Technology only goes so far and can always be circumvented by users. A user
must see a computer virus as seriously as they view HIV and must understand
that e-mail is the biggest carrier of computer viruses, which can do as much harm to a patient as the most lethal biological virus.
This was first published in August 2001